
Re: Is "Denial Of Service attack" a security issue?



Hi, if you're interested in CPU protection as well as memory protection
from exhaustion, please have a look at
http://www.ietf.org/internet-drafts/draft-matsuura-sign-mode-02.txt.
Here's the abstract of the draft:

Phase 1 of the Internet Key Exchange (IKE) [HC98] has several modes
with different numbers of message passes. For those who want to save
their bandwidth, three-pass Aggressive Mode is a good choice since
it has the minimal number of message passes in Phase 1.
The public-key primitive method in Aggressive Mode provides
significant security advantages over the other alternatives and
should be the method of choice in many implementations. In this
method, however, the responder must pay a computational cost as
expensive as modular exponentiation BEFORE identifying the
initiator. This feature can be abused by malicious initiators for a
Denial-of-Service (DoS) attack. The purpose of this document is to
solve this problem in the digital-signature method by using the
falling-together (FT) mechanism [MI98], [MI99] in conjunction with
the stateless-connection technique [AN97] and an appropriate use of
Cookies [KS99].

--
Kanta
--

"Scott G. Kelly" wrote:

 > David Chen wrote:
 > >
 > > Since IPSec, especially IKE, is not DoS attack resistant,
 > > what security level is IPSec trying to achieve?
 > > Should this be documented in the RFC for the scope/capability of
 > > the security level?
 > > Or let the user find out later? (i.e. when attacked)
 > > --- David
 >
 > While there are DoS issues in IKE that may be remedied by modifications,
 > I think that a device which is capable of wireline-speed processing is
 > effectively immune to most of these. In the case where an attacker is
 > capable of saturating the medium with packets, there are other remedies.
 >
 > I think there was consensus in Adelaide that IKE could benefit from some
 > revisions, although it's not clear how much revision the ADs will
 > permit at this point. If you have specific suggestions for bolstering
 > IKE in terms of DoS attacks, I certainly would be interested in hearing
 > them.
 >
 > One such suggestion has already been documented in a draft (IKE base
 > mode).
 >
 > Scott

--
----^----^----
Kanta MATSUURA, Ph.D.
   Visiting Scholar
   Centre for Communications Systems Research
   University of Cambridge
   10 Downing Street, Cambridge, CB2 3DS
   Tel: +44 1223 740107
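The cookie plus stateless-connection idea from the abstract, as an added toy simulation written for this page (not code from the draft or from any IKE implementation): the responder answers the first message with a keyed cookie it does not have to remember, and only runs its expensive modular exponentiation once the initiator echoes that cookie from the claimed source. The modulus, message shapes and the flood helper are constructed assumptions.

```python
import hmac
import hashlib
import os
import secrets


class Responder:
    """Toy IKE-style responder. With stateless=True the expensive
    public-key step is deferred until a cookie round-trip proves the
    initiator is reachable at its claimed source, and nothing is stored
    per initiator before that point."""
    P = 2**127 - 1  # constructed toy modulus, not an IKE group
    G = 5

    def __init__(self, stateless=True):
        self.secret = secrets.token_bytes(32)  # rotate periodically in practice
        self.stateless = stateless
        self.exponentiations = 0  # counts the costly operations performed

    def cookie(self, src, nonce):
        # Keyed MAC over the claimed source and the initiator nonce: the
        # responder can recompute it later, so no state is kept.
        mac = hmac.new(self.secret, src.encode() + nonce, hashlib.sha256)
        return mac.digest()[:16]

    def expensive(self):
        # Stand-in for the modular exponentiation the abstract refers to.
        self.exponentiations += 1
        return pow(self.G, secrets.randbelow(self.P), self.P)

    def first_message(self, src, nonce):
        """Message 1 arrives from a claimed (possibly spoofed) source."""
        if not self.stateless:
            # Vulnerable shape: pay the exponentiation before identifying anyone.
            return ("KE", self.expensive())
        return ("COOKIE", self.cookie(src, nonce))  # cheap, no state stored

    def second_message(self, src, nonce, cookie):
        """Initiator echoes the cookie; verify it from secret + message only."""
        if not hmac.compare_digest(cookie, self.cookie(src, nonce)):
            return None  # forged cookie or spoofed source: drop at no cost
        return ("KE", self.expensive())


def flood(responder, n):
    """Send n first messages from spoofed sources that never reply."""
    for i in range(n):
        responder.first_message(f"10.0.0.{i % 250}", os.urandom(8))
    return responder.exponentiations
```

A flood of unanswered first messages drives the unprotected responder to one exponentiation per packet, while the cookie-gated responder does none until a genuine initiator completes the round-trip.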
