
Re: Synchronisation in IKE

On Fri, 1 Dec 2000, Mike Carney wrote:

> > > 
> > > How about if B initiates a Phase 1 (if it can based on its static configuration)
> > > in order to send a protected "unknown SPI" notify message? (Rate limited of
> > > course). 
> > > 
> > As was pointed out, that could be a denial of service attack, i.e. someone
> > could be sending you bogus ipsec packets, causing you to initiate a phase 1
> > (doing all associated computations).
> Ahh good point.  However the DoS is not too terrible as Phase 1 lifetimes
> are usually pretty large, and B would only initiate Phase 1s to Gateways
> for which it has a static policy and no existing Phase 1.
True. But I've heard of people talking about gateway discovery. Once you
throw something like that into the picture, you might have more of a problem
(depends on how gateway discovery is implemented).

Also, I'm not entirely convinced that it's not 'too terrible'. If you have
lots of configured peers, and you can be fooled into initiating to them all at
once, then that's a problem. How big of a problem, I'm not sure. It may not
be an issue (especially for those with hardware help). On the other hand, if
1000 routers can be coerced to begin a Phase 1 with YOU, then that's akin to
the distributed denial of service attacks launched recently with ping.

It all depends on your paranoia level, I suppose.

Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
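The thread above weighs two mitigations for the "initiate Phase 1 on unknown SPI" idea: only trigger toward statically configured peers that have no existing Phase 1, and rate limit the triggers. The following is an added illustration written for this archive page, not code from any IKE implementation or from the posters; the class, method names, thresholds and the 1000-peer sample are all assumptions. It adds a global budget on triggered initiations, so that a flood of spoofed packets claiming to come from every configured peer cannot coerce the gateway into a thousand Diffie-Hellman computations at once, which is the concern raised in the reply.

```python
# Added example (hypothetical): policy-gated, rate-limited decision logic for
# "should an unknown-SPI packet from src trigger a Phase 1 initiation?"
# Not taken from any IKE implementation; names and limits are assumptions.

from collections import deque


class Phase1TriggerPolicy:
    """Decide whether an inbound IPsec packet with an unknown SPI may
    trigger a Phase 1 initiation toward its apparent source.

    Defences modelled, each matching a point made in the thread:
      * only peers with a static policy are eligible (no discovery);
      * a peer that already has a Phase 1 is never re-triggered;
      * at most one trigger per peer per `per_peer_interval` seconds;
      * at most `global_limit` triggers in any `global_window` seconds,
        which bounds the total work a spoofed flood can cause.
    """

    def __init__(self, static_peers, per_peer_interval=60.0,
                 global_limit=5, global_window=60.0):
        self.static_peers = set(static_peers)
        self.per_peer_interval = per_peer_interval
        self.global_limit = global_limit
        self.global_window = global_window
        self.active_phase1 = set()       # peers with an established Phase 1
        self.last_trigger = {}           # peer -> time of its last trigger
        self.recent_triggers = deque()   # trigger timestamps inside the window

    def _prune(self, now):
        # Drop trigger timestamps that have aged out of the global window.
        while self.recent_triggers and now - self.recent_triggers[0] >= self.global_window:
            self.recent_triggers.popleft()

    def on_unknown_spi(self, src, now):
        """Return 'initiate' or a 'drop:<reason>' string for one packet."""
        if src not in self.static_peers:
            return "drop:no-static-policy"
        if src in self.active_phase1:
            return "drop:phase1-exists"
        last = self.last_trigger.get(src)
        if last is not None and now - last < self.per_peer_interval:
            return "drop:peer-rate-limit"
        self._prune(now)
        if len(self.recent_triggers) >= self.global_limit:
            return "drop:global-rate-limit"
        self.last_trigger[src] = now
        self.recent_triggers.append(now)
        return "initiate"


def simulate_spoofed_flood(policy, sources, now=0.0):
    """Feed one unknown-SPI packet per apparent source at the same instant
    and tally the decisions. Returns a dict of reason -> count."""
    counts = {}
    for src in sources:
        decision = policy.on_unknown_spi(src, now)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: 1000 statically configured peers (the "1000 routers"
    # case from the thread) plus two sources for which no policy exists.
    peers = [f"10.1.{i // 256}.{i % 256}" for i in range(1000)]
    policy = Phase1TriggerPolicy(peers, global_limit=5)
    flood = peers + ["192.0.2.7", "192.0.2.8"]
    print(simulate_spoofed_flood(policy, flood))
```

With the global budget in place the flood costs the gateway at most `global_limit` Phase 1 exchanges per window regardless of how many peers are configured; the per-peer interval separately stops one spoofed source from being replayed to re-trigger the same peer, and the static-policy check is what keeps gateway discovery out of the attack surface.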