Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing
Paul,
Since I also think CPU protection is important,
http://www.ietf.org/internet-drafts/draft-matsuura-sign-mode-01.txt
improves the DoS-resistance of IKE
in terms not only of memory resource but also of CPU resource.
My opinion is that CPU is more important
in the sense that memory exhaustion can be numerically evaluated
(please have a look at
K. Matsuura and H. Imai. ``Resolution of ISAKMP/Oakley Key-Agreement
Protocol Resistant against Denial-of-Service Attack''. Proc. of
Internet Workshop'99 (IWS'99), IEEE Press, pp. 17-24, 1999
available from
http://imailab-www.iis.u-tokyo.ac.jp/Members/kanta/iws99cr.ps.gz
) if CPU is protected.
Do you have any other reasons (why the most significant resource
is CPU power rather than state memory)?
Paul Koning <pkoning@xedia.com> wrote:
>> Anderson> (2) Risk is reduced by minimizing set-up time and
>> Anderson> maximizing non-setup processing (time).
>>
>>No. Time is not of the essence. The essential issue is the resources
>>consumed before good requests can be distinguished from bad ones. The
>>most significant resource is CPU power; the secondary one is state
>>memory.
---- **** ----
Kanta MATSUURA, Ph.D.
Lecturer
3rd Department,
Institute of Industrial Science, University of Tokyo,
Roppongi 7-22-1, Minato-ku, Tokyo 106-8558, JAPAN
Tel: +81-3-3402-6231 (ext. 2325)
Fax: +81-3-3479-1736
E-Mail: kanta@iis.u-tokyo.ac.jp