
Re: Is "Denial Of Service attack" a security issue?



David Chen wrote:
> 
> Since the IPSec, especially IKE, is not DOS attack resistant,
> what is the IPSec security level trying to achieve?
> Shall this be documented in the RFC for the scope/capability of
> security level?
> Or let the user find out later? (i.e., being attacked)
> --- David

While there are DoS issues in IKE that may be remedied by modifications,
I think that a device which is capable of wireline-speed processing is
effectively immune to most of these. In the case where an attacker is
capable of saturating the medium with packets, there are other remedies.

I think there was consensus in Adelaide that IKE could benefit from some
revisions, although it's not clear how much revision the ADs will
permit at this point. If you have specific suggestions for bolstering
IKE in terms of DoS attacks, I certainly would be interested in hearing
them.

One such suggestion has already been documented in a draft (IKE base
mode).

Scott

