
RE: ipsec error protocol



This issue seems to flood the list on a regular schedule and then go
completely silent for a while (and that is partly my fault). Seeing that none
of the "new" proposals are really all that new, I hope everyone involved has
at least gone back and re-read the discussion from the last few times
around.

My concern is that people keep advancing ideas that seem simple on the
surface, but if you examine them closely you see hidden vulnerabilities or
interoperability problems. Many of these are due to existing problems with
IKE, but since we are not allowed to change IKE, we cannot ignore them.

Some of my concerns:

- Any mechanism which relies on invalid SPI notifies or acknowledged deletes
will not interoperate with dangling SA implementations.

- The use of birth certificates effectively requires continuous channel mode
as well. (Or at least it requires you to remember a large portion of the
information in the phase 1 SA, such as the peer's identity & public key.)

- DoS prevention is the only real reason to have secure black hole
detection, but a solution which sacrifices worst case performance for
improved average case performance will be extremely vulnerable to a DoS
attack.

It appears to me that reaching consensus on this issue through discussion
alone is less likely than a lasting Palestinian-Israeli peace accord.
Ultimately, the market will decide, and I fear that the market will give no
weight to the issue of DoS avoidance.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
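The first and third concerns above can be made concrete with a small model. The following is an added example, not code from the original post or from any IKE implementation: it abstracts the IKEv1 rule that informational messages (INVALID_SPI notifies, acknowledged deletes) are protected by the phase 1 ISAKMP SA, models that protection as an HMAC under an assumed shared phase 1 key, and shows that a "dangling SA" peer (one that lets phase 1 expire while its phase 2 SAs stay up) has no channel to send or verify such a notify, while a peer that takes the shortcut of accepting unauthenticated notifies can be torn down by anyone who can spoof a packet. Peer names, SPI values and the `accept_unauthenticated` flag are illustrative assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Notify = Tuple[bytes, bytes]   # (body, MAC under the phase 1 key)


@dataclass
class Peer:
    """Toy IKE endpoint (assumed model, not a real implementation).
    dangling=True: let the phase 1 SA expire and keep phase 2 SAs running.
    accept_unauthenticated=True: the DoS-prone shortcut of acting on
    INVALID_SPI notifies that carry no phase 1 protection."""
    name: str
    dangling: bool
    accept_unauthenticated: bool = False
    phase1_key: Optional[bytes] = None           # shared after phase 1
    phase2_spis: Set[int] = field(default_factory=set)


def establish(a: Peer, b: Peer, spi: int) -> None:
    """Stand-in for a phase 1 + phase 2 exchange: both sides end up with the
    same phase 1 key and one IPsec SA identified by `spi`."""
    key = os.urandom(32)
    a.phase1_key = b.phase1_key = key
    a.phase2_spis.add(spi)
    b.phase2_spis.add(spi)


def phase1_lifetime_expires(a: Peer, b: Peer) -> None:
    """Dangling implementations drop the phase 1 SA and keep phase 2;
    continuous-channel implementations rekey phase 1 instead."""
    if a.dangling or b.dangling:
        a.phase1_key = b.phase1_key = None
    else:
        a.phase1_key = b.phase1_key = os.urandom(32)


def notify_body(spi: int) -> bytes:
    return b"INVALID_SPI:%d" % spi


def invalid_spi_notify(sender: Peer, spi: int) -> Optional[Notify]:
    """Build a protected INVALID_SPI notify. Returns None when the sender has
    no phase 1 SA to protect it with: nothing authenticated can be sent."""
    if sender.phase1_key is None:
        return None
    body = notify_body(spi)
    return body, hmac.new(sender.phase1_key, body, hashlib.sha256).digest()


def handle_notify(receiver: Peer, body: bytes, mac: Optional[bytes]) -> str:
    """Receiver-side policy. Returns a short description of what happened."""
    spi = int(body.split(b":")[1])
    if mac is not None and receiver.phase1_key is not None:
        expected = hmac.new(receiver.phase1_key, body, hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            receiver.phase2_spis.discard(spi)
            return "authenticated: SA torn down"
        return "bad MAC: ignored"
    if receiver.accept_unauthenticated:
        receiver.phase2_spis.discard(spi)   # anyone who can spoof a packet wins
        return "unauthenticated: SA torn down"
    return "no phase 1 SA: ignored"


def scenario(dangling: bool, accept_unauthenticated: bool) -> str:
    """A has lost the IPsec SA and wants B to stop black-holing traffic
    into it. What happens depends on whether a phase 1 channel still exists."""
    a = Peer("A", dangling)
    b = Peer("B", dangling, accept_unauthenticated=accept_unauthenticated)
    spi = 0x1000
    establish(a, b, spi)
    phase1_lifetime_expires(a, b)
    a.phase2_spis.discard(spi)
    notify = invalid_spi_notify(a, spi)
    if notify is None:
        # All A can emit is an unprotected notify, indistinguishable from a forgery.
        return handle_notify(b, notify_body(spi), None)
    return handle_notify(b, *notify)


def forged_notify(victim_accepts_unauthenticated: bool) -> str:
    """An attacker with no keys sends an INVALID_SPI for a live SA."""
    a = Peer("A", dangling=True)
    b = Peer("B", dangling=True, accept_unauthenticated=victim_accepts_unauthenticated)
    establish(a, b, 0x2000)
    phase1_lifetime_expires(a, b)
    return handle_notify(b, notify_body(0x2000), None)


if __name__ == "__main__":
    print("continuous channel:", scenario(False, False))
    print("dangling, strict:  ", scenario(True, False))
    print("dangling, lenient: ", scenario(True, True))
    print("forged notify vs lenient peer:", forged_notify(True))
```

The three `scenario` outcomes are the trade-off the post describes: with a continuous phase 1 channel the notify is authenticated and black-hole recovery works; a dangling-SA peer that insists on authentication cannot be told anything (the two peers do not interoperate on this mechanism); and a dangling-SA peer that relaxes the check recovers from the black hole but, as `forged_notify` shows, can now have any SA torn down by an unauthenticated packet.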


