
Re: IPSEC Security Gateways & NAT



"jshukla" <jshukla@earthlink.net> writes:

> This is a very good point! In pre-shared key based
> authentication, there is no reason that the authentication
> must wait until the DH related work is done. Authenticating
> prior to DH can potentially make the IKE even more
> resistant to DoS attacks under pre-shared key. Already the
> anti-clogging cookies ensure that the attacker must perform
> almost equal amount of work until message 4. With source
> authentication before DH, we need not perform the work that
> is necessary to process message 5.... if the source is not
> authenticated.

However in order for pre-shared key to work as you suggest
(authentication before DH) you have to know a-priori the ID of your
peer in order to perform the authentication.  This implies that
either:
	a) you have to deny ID protection and send IDs in
	   the clear early in the protocol, or
	b) you have to use IP Addresses as names.

You cannot use IP Addresses as names when traversing NAT, because the
IP Address is going to be changed by the NAT gateway to an unknown
address.  So, you either have to send IDs in the clear, or you have to
perform the DH first.

Note that an attacking initiator need not request pre-shared keys in
order to mount a DDoS attack against a responder.  Other
authentication means are just as susceptible.

> regards,
> Jayant

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
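
The key-selection constraint discussed in the message above, as an added example that is not part of the original post: a responder that must choose a pre-shared key before it can read the peer's ID can only index its key table by source address, and that lookup fails once a NAT has rewritten the address. The function names, addresses (documentation ranges), IDs and keys are all constructed for illustration; SKEYID follows the RFC 2409 pre-shared-key formula.

```python
import hashlib
import hmac

# Constructed responder configuration: the same dummy key indexed two ways.
PSK_BY_ADDR = {"192.0.2.10": b"dummy-psk-alice"}
PSK_BY_ID = {"alice@example.org": b"dummy-psk-alice"}


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 used as the negotiated prf (assumed for this example)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def select_psk(observed_src: str, clear_id=None):
    """Choose a key from what the responder can see before any ID is decrypted."""
    if clear_id is not None:              # option (a): ID sent in the clear
        return PSK_BY_ID.get(clear_id)
    return PSK_BY_ADDR.get(observed_src)  # option (b): IP address used as the name


def responder_check(initiator_psk: bytes, observed_src: str, clear_id=None) -> str:
    """Return 'match', 'mismatch' or 'no-key' for one constructed exchange."""
    ni, nr = b"\x01" * 16, b"\x02" * 16   # fixed nonces, constructed
    psk = select_psk(observed_src, clear_id)
    if psk is None:
        return "no-key"
    same = hmac.compare_digest(skeyid(initiator_psk, ni, nr), skeyid(psk, ni, nr))
    return "match" if same else "mismatch"


def scenarios() -> dict:
    key = b"dummy-psk-alice"
    nat_src = "203.0.113.7"               # address after NAT rewriting, constructed
    return {
        "direct, keyed by address": responder_check(key, "192.0.2.10"),
        "via NAT, keyed by address": responder_check(key, nat_src),
        "via NAT, ID in the clear": responder_check(key, nat_src, "alice@example.org"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The third case works only because the ID travels unprotected, which is the loss of ID protection the message describes.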

