
RE: IPSEC Security Gateways & NAT



Derek,
I heard that a DDoS can steal someone's computer (with its IP address) to
perform the attack.
Also, it could be an unreachable IP address the attacker invented (or
plotted).

The IP address seems meaningless, unless
it is linked to an auth method such as a preshared key.

Regards,

--- David


-----Original Message-----
From: Derek Atkins [mailto:warlord@MIT.EDU]
Sent: Thursday, June 14, 2001 3:50 PM
To: Chen, David
Cc: 'Dan Harkins'; ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT


Well, it's not -random- DoS.  The attacker must at least respond
to message 2 with message 3 before the responder will do any work.
This implies that the attacker must make their actual IP address
known to the attacked.

So, you may be forced to execute a DH exponentiation as a responder,
but you at least know _WHO_ (IP Address) caused you to perform the
operation.

-derek

"Chen, David" <dchen@ellacoya.com> writes:

> Dan,
> 
> Exactly, today's phase 1
> does DH key number crunching before authenticating the peer.
> (Well, I think it is only intended to check the integrity of the messages,
> but a pre-shared key does more than that: it also authenticates the peer.)
> 
> DH key generation costs much more than simple pass-phrase verification.
> 
> Random DoS attacks can be reduced if the responder
> authenticates the peer first (first-tier auth) before crunching the DH key.
> 
> Regards,
> 
> --- David
> 
> 
> 
> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@lounge.org]
> Sent: Thursday, June 14, 2001 2:36 PM
> To: Chen, David
> Cc: ipsec@lists.tislabs.com
> Subject: Re: IPSEC Security Gateways & NAT 
> 
> 
>   No, the DH secret is generated *before* authentication. Re-read the RFC.
> 
>   Dan.
> 
> On Thu, 14 Jun 2001 12:45:39 EDT you wrote
> > Dan,
> > 
> > Since the phase 1 goal is to authenticate the DH key exchange,
> > the DH key is generated *after* auth anyway.
> > 
> > However,
> > the pre-shared key (pass-phrase) authentication costs less (and is stateless)
> > for the responder to verify than "public key" authentication.
> > 
> > Regards,
> > 
> > --- David

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


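The property the thread argues over, written out as a small simulation. This is an added example and not code from the list or from any IKE implementation: the DH group is a toy parameter (P = 2^127 - 1, G = 3, not an IKE MODP group), the cookie is an HMAC over the claimed source address, and the message layout is a simplification of main mode, not the RFC 2409 wire format. The responder does no Diffie-Hellman work on message 1; it answers with a cookie, and only a message 3 that echoes a cookie it actually issued to that source address triggers the two exponentiations. A sender spoofing its source never receives message 2 and so can only guess the cookie; a sender using its real (or a compromised host's) address can force the work, but every exponentiation is then tied to that address in the responder's log.

```python
"""Simulated IKE phase 1 responder with a stateless anti-clogging cookie.

Constructed example: toy DH group and simplified message layout (assumptions,
not the RFC 2409 format)."""
import hashlib
import hmac
import os
import secrets

# Toy DH parameters for illustration only (assumption: NOT a real IKE MODP group).
P = 2**127 - 1
G = 3


def dh_keypair():
    """Private exponent in [2, P-2] and the matching public value G^x mod P."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


class Responder:
    """Message 2 costs one HMAC and keeps no state; message 3 costs DH work."""

    def __init__(self):
        self.secret = os.urandom(32)   # a real gateway would rotate this periodically
        self.dh_count = 0              # exponentiations performed so far
        self.dh_peers = []             # source address recorded for every DH performed

    def _cookie(self, src_ip, src_port, icookie):
        data = f"{src_ip}|{src_port}|".encode() + icookie
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:8]

    def msg1(self, src_ip, src_port, icookie):
        """Message 1 -> message 2: return a responder cookie; no state, no DH."""
        return self._cookie(src_ip, src_port, icookie)

    def msg3(self, src_ip, src_port, icookie, rcookie, peer_public):
        """Message 3 -> message 4: verify the cookie, then (and only then) exponentiate.

        Returns (responder_public, shared_secret) or None if the cookie is wrong."""
        if not hmac.compare_digest(self._cookie(src_ip, src_port, icookie), rcookie):
            return None                # message 2 never reached this address
        if not 1 < peer_public < P - 1:
            return None                # reject degenerate public values
        y, responder_public = dh_keypair()          # first exponentiation
        shared = pow(peer_public, y, P)             # second exponentiation
        self.dh_count += 2
        self.dh_peers.append(src_ip)
        return responder_public, shared


def honest_exchange(resp, src_ip="192.0.2.10", src_port=500):
    """Initiator at a real address receives message 2 and completes the exchange."""
    icookie = os.urandom(8)
    rcookie = resp.msg1(src_ip, src_port, icookie)       # delivered to src_ip
    x, initiator_public = dh_keypair()
    result = resp.msg3(src_ip, src_port, icookie, rcookie, initiator_public)
    if result is None:
        return False
    responder_public, responder_shared = result
    return pow(responder_public, x, P) == responder_shared


def spoofed_flood(resp, n=1000):
    """Forged source addresses: message 2 goes elsewhere, so the cookie must be guessed.

    Returns the number of DH exponentiations the flood caused (expected: 0)."""
    before = resp.dh_count
    for i in range(n):
        fake_ip = f"203.0.113.{i % 256}"                 # constructed, TEST-NET-3
        icookie = os.urandom(8)
        resp.msg1(fake_ip, 500, icookie)                 # reply goes to fake_ip, never seen
        resp.msg3(fake_ip, 500, icookie, os.urandom(8), pow(G, 2, P))  # guessed cookie
    return resp.dh_count - before


def addressed_flood(resp, attacker_ip="198.51.100.7", n=10):
    """Attacker at its own (or a compromised host's) real address: DH work is forced,
    but each exponentiation is attributed to attacker_ip in resp.dh_peers.

    Returns the number of DH exponentiations the flood caused (2 per message 3)."""
    before = resp.dh_count
    for _ in range(n):
        icookie = os.urandom(8)
        rcookie = resp.msg1(attacker_ip, 500, icookie)   # attacker really receives this
        resp.msg3(attacker_ip, 500, icookie, rcookie, pow(G, 2, P))  # cheap fixed KE value
    return resp.dh_count - before
```

Run `spoofed_flood` and `addressed_flood` against one `Responder` and compare `dh_count` before and after each: the spoofed flood costs the responder only HMACs, while the addressed flood costs two exponentiations per message 3 and leaves the attacker's address in `dh_peers`, which is exactly the trade-off the thread describes (the work can be forced, but not anonymously).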