
RE: IPSEC Security Gateways & NAT



> If you pre-compute a set of prime numbers for DH key exchange...
> These can be used only one time, and they are consumed faster than
> you can come up with new ones.
> This is the DoS idea that keeps the IPSec responder so busy
> (meaninglessly) that there is no time for other meaningful activities.
> Recycling prime numbers for DH key exchange is an
> implementation mistake???

As Dan said, the numbers you pre-compute are not prime. I should also point
out that it is normally acceptable to recycle the precomputed DH values if
the exchange fails.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
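As an added illustration of the point made above (example code, not anything posted by either participant): a responder keeps a pool of precomputed DH pairs, each a private exponent and its public value g^x mod p, and an unused pair goes back into the pool when an exchange fails, so a flood of half-open initiations does not force fresh exponentiations. The group parameters and the pool size are constructed for the demo and are not an IKE MODP group.

```python
import secrets

# Constructed toy DH group for the demo (NOT an IKE/IPsec MODP group): a
# Mersenne prime modulus and a small generator keep exponentiation fast.
P = (1 << 127) - 1
G = 3


class DHPool:
    """Responder-side pool of precomputed DH pairs (private x, g^x mod p).
    Neither number is prime; only the modulus p is. Precomputing moves the
    costly exponentiation out of the request path of the exchange."""
    def __init__(self, size):
        self.generated = 0
        self.pool = [self._fresh() for _ in range(size)]

    def _fresh(self):
        self.generated += 1                    # count costly exponentiations
        x = secrets.randbelow(P - 3) + 2       # private exponent in [2, P-2]
        return (x, pow(G, x, P))

    def take(self):
        # Prefer a precomputed pair; generate on demand only if the pool is empty.
        return self.pool.pop() if self.pool else self._fresh()

    def recycle(self, pair):
        # Only a pair that never produced a shared secret may go back: a failed
        # exchange revealed nothing about x, so reuse does not weaken it.
        self.pool.append(pair)

    def complete(self, pair, peer_public):
        if not 1 < peer_public < P - 1:        # reject degenerate peer values
            raise ValueError("peer public value out of range")
        return pow(peer_public, pair[0], P)


def flood_of_failed_initiations(pool, attempts):
    """Initiations that never finish: take a pair, get no reply, recycle it.
    Returns how many fresh exponentiations the flood forced on the responder."""
    before = pool.generated
    for _ in range(attempts):
        pool.recycle(pool.take())
    return pool.generated - before


def successful_exchange(responder):
    """One completed exchange; True if initiator and responder agree."""
    init_x = secrets.randbelow(P - 3) + 2
    pair = responder.take()                    # consumed for good: not recycled
    resp_secret = responder.complete(pair, pow(G, init_x, P))
    return resp_secret == pow(pair[1], init_x, P)
```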


