[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Synchronisation in IKE

To: vilhuber@cisco.com (Jan Vilhuber)
Subject: Re: Synchronisation in IKE
From: Mike Carney <carney@securecomputing.com>
Date: Fri, 1 Dec 2000 08:09:47 -0600 (CST)
Cc: carney@securecomputing.com (Mike Carney), sridharj@future.futsoft.com, antonio.barrera@nokia.com, ipsec@lists.tislabs.com
In-Reply-To: <Pine.LNX.4.21.0011302303010.8632-100000@janpc-home.cisco.com> from "Jan Vilhuber" at Nov 30, 2000 11:04:28 PM
Sender: owner-ipsec@lists.tislabs.com

> > 
> > How about if B initiates a Phase 1 (if it can based on it's static configuration)
> > in order to send an protected "unknown SPI" notify message? (Rate limited of
> > course). 
> > 
> As was pointed out, that could be a denial of service attack, i.e. someone
> could be sending you bogus ipsec packets, causing you to initiate a phase 1
> (doing all associated computations).

Ahh good point.  However the DOS is not too terrible as Phase 1 lifetimes
are usually pretty large, and B would only initiate Phase 1's to Gateways
for which it has a static policy and no existing Phase 1.

Regards,
Michael Carney
> 
> jan
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
> 
>

Follow-Ups:

Re: Synchronisation in IKE

From: Jan Vilhuber <vilhuber@cisco.com>

Prev by Date: Request - help needed
Next by Date: DH vs. RSA use for symmetric key exchange
Prev by thread: Re: Synchronisation in IKE
Next by thread: Re: Synchronisation in IKE
Index(es):
- Main
- Thread