
Re: IKE



On Wed, 10 May 2000 Franck.Le@nokia.com wrote:
> Since the first messages are sent in clear mode and without any
> authentication, can't a Bad Guy modify for example the SA payload? That can
> bring to a denial of service.

There is ultimately no way to protect against denial-of-service attacks by
a man in the middle -- he can just change all your packets to random
garbage, thus preventing communications completely.

The most you can do is to prevent him from impersonating a legitimate party
to the communications, which is why IKE has assorted authentication methods
(preshared key, public-key signatures, etc etc.).

                                                          Henry Spencer
                                                       henry@spsystems.net
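
How the authentication step mentioned above catches a modified SA payload, as an added example that is not part of the original message: in IKEv1 (RFC 2409) with a pre-shared key, HASH_I covers the initiator's SA payload body, so a change to the cleartext first message makes authentication fail instead of being silently accepted. HMAC-SHA1 as the prf, all byte values and the function names are assumptions constructed for illustration, and the encryption of the later messages is omitted.

```python
import hashlib
import hmac

# Constructed sample values (not from a real exchange).
NI, NR = b"initiator-nonce", b"responder-nonce"
G_XI, G_XR = bytes(range(32)), bytes(range(32, 64))   # stand-ins for DH public values
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8               # ISAKMP cookies
IDII = b"initiator.example"                           # initiator identity body
SA_SENT = b"3DES-CBC/SHA1/MODP1024"                   # stand-in for the SA payload body
SA_ALTERED = b"DES-CBC/MD5/MODP768"                   # same payload after modification in transit


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated pseudo-random function; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_i(psk: bytes, sai_b: bytes) -> bytes:
    """RFC 2409 pre-shared-key authentication:
    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    """
    skeyid = prf(psk, NI + NR)
    return prf(skeyid, G_XI + G_XR + CKY_I + CKY_R + sai_b + IDII)


def responder_accepts(initiator_psk: bytes, responder_psk: bytes,
                      sa_sent: bytes, sa_received: bytes) -> bool:
    """The initiator hashes the SA payload it sent; the responder recomputes
    HASH_I over the SA payload it actually received and compares."""
    claimed = hash_i(initiator_psk, sa_sent)
    expected = hash_i(responder_psk, sa_received)
    return hmac.compare_digest(claimed, expected)


if __name__ == "__main__":
    psk = b"constructed-shared-secret"
    print("untouched exchange:", responder_accepts(psk, psk, SA_SENT, SA_SENT))
    print("SA payload altered:", responder_accepts(psk, psk, SA_SENT, SA_ALTERED))
    print("peer lacks the key:", responder_accepts(b"wrong", psk, SA_SENT, SA_SENT))
```

The altered case ends in a failed negotiation, which is the denial of service the reply says cannot be prevented; what the hash rules out is the exchange completing on the modified proposal or with a peer that does not hold the key.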


