[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Use of Encryption in Heartbeat Packets

To: "'Tero Kivinen'" <kivinen@ssh.fi>
Subject: RE: Use of Encryption in Heartbeat Packets
From: "Andrew Krywaniuk" <akrywani@newbridge.com>
Date: Tue, 7 Mar 2000 22:55:30 -0500
Cc: "'Chris Trobridge'" <CTrobridge@baltimore.com>, "'IPSEC Mailing List @ tis labs'" <ipsec@lists.tislabs.com>
Importance: Normal
In-Reply-To: <200003080225.EAA23727@torni.ssh.fi>
Reply-To: <akrywani@newbridge.com>
Sender: owner-ipsec@lists.tislabs.com

Hi Tero,

> > DoS Analysis
> > -----------
> > In your example with the SPI list, you assume that the SPI
> list only adds
> > 200 bytes to the packet. This is not necessarily true in
> the DoS case
> > because the adversary can make the packet as long as he wants.
>
> True, but lets say the attacker adds 2048 bytes of spi list to the
> packet. HMAC-MD5 of that 2048 bytes takes 308 盜 (microseconds, my
> previous email used ms instead of proper 盜). That is still much
> faster than decrypting even the 200 byte packet.

With 3DES, yes. With AES, probably not.


> > In general, full-packet HMAC authentication does not
> provide good (restate: optimal) DoS
> > resistance.
>
> We are already using full-packet HMAC authentication in the ESP and AH
> protocols, so I don't really think this is an issue here... If
> somebody wants to consume our HMAC-MD5 calculation resources then he
> can send random full sized ESP packets.

But part of your argument for not wanting to use encryption is that ISAKMP
might be running on software but ESP may be in hardware. Therefore, the
attack might be more serious when it is mounted against ISAKMP.

Anyway, I think the idea of generating per-packet anti-clogging tokens with
a shared prf is worth looking into.


> > We both agreed that we did not want encryption to optional.
> I think I'm
> > starting to change my mind on this issue.
>
> I think it is better to select either one and stick to it. IKE has way
> too options already, I don't want to add another one. If WG thinks we
> must encrypt the packets then we encrypt them and thats fine...
>
> Perhaps it is better to wait before everybody has time to read the
> draft and then we can ask about this in the Adelaide IETF meeting.

If the issue can be resolved as simply as that, this is fine with me.

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.

References:

RE: Use of Encryption in Heartbeat Packets

From: Tero Kivinen <kivinen@ssh.fi>

Prev by Date: RE: Use of Encryption in Heartbeat Packets
Next by Date: RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Prev by thread: RE: Use of Encryption in Heartbeat Packets
Next by thread: RE: Use of Encryption in Heartbeat Packets
Index(es):
- Main
- Thread