[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE

To: Franck.Le@nokia.com
Subject: Re: IKE
From: David Chen <dchen@indusriver.com>
Date: Thu, 11 May 2000 10:27:58 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <7B5C0390ACE7D211BC9C0008C7EABA2B0124D303@daeis07nok>
Sender: owner-ipsec@lists.tislabs.com

At 02:00 PM 5/10/00 -0500, you wrote:

Hi,

I have some questions on IKE.
Actually I was wondering if in the Main Mode, protection against man in the
middle attacks is provided.

The countermeasure of MIM attack is authenticate the peer. (and off course mutually)
The third pair of message will take care of this.

Since the first messages are sent in clear mode and without any
authentication, can't a Bad Guy modify for example the SA payload ? That can
bring to a denial of service.

The countermeasure of DOS is demanding the equal or larger amount of resources
that attacker has to consume than the attacked.
The DH key exchange in IKE requires the peers equally (if the implementation is correct)
consumes resources.

So if it the case, is there a way to protect against man in the middle
attacks ?

It is the issues of "talk first" or "authentication first".
The main mode's first and second pair of messages is "talk first" - to establish
secured comm. channel between two peers.
The the pair messages is for authentication.

We may ask why it is done this way???? :-)

Thanking you in advance for your help.

Franck LE

--- David

References:

IKE

From: Franck.Le@nokia.com

Prev by Date: Re: IKE
Next by Date: Re: IKE
Prev by thread: Re: IKE
Next by thread: Re: IKE
Index(es):
- Main
- Thread