
Re: IPSEC Security Gateways & NAT



On Tue, 19 Jun 2001 09:25:31 PDT you wrote
> 
> Right! The point is that pre-shared keys based authentication
> can be made more robust against DoS attacks compared to
> the other three authentication methods. In their current form,
> all authentication methods are susceptible to DoS attacks.

The DoS attack mounted against IKE is one that exploits the fact that 
the responder creates state upon receipt of a single message from the 
initiator. That will not be addressed by moving the authentication
step. It will be addressed by further complicating the protocol with
a new stateless "cookie request" option. 

Your suggestion to move the authentication step would further complicate
the protocol. The way it is now there is a uniform progression of state
for each of the authentication methods. As someone who has implemented
this protocol I can tell you it makes it much simpler to code that way.

As has been pointed out repeatedly in this thread (and in the past) a
DoS attack that attempts to force the responder to do needless
Diffie-Hellman work would expose its IP address and the attack could be
properly addressed because of it.

There are all sorts of changes that can be made to IKE but one that
would make the protocol much more complicated for such a small (perhaps 
even non-existent) benefit is not something we should consider.

  Dan.
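As an added illustration, not code from this thread or from any IKE implementation, here is the stateless "cookie request" idea referred to above: the responder keeps no per-exchange state (and does no Diffie-Hellman work) until the initiator echoes back an HMAC cookie bound to its source address and SPI, so a flood from spoofed addresses cannot make it allocate state. The message layout, cookie length and secret rotation interval are assumptions.

```python
import hmac
import hashlib
import secrets
import time

COOKIE_LEN = 16           # bytes of HMAC tag kept in the cookie (assumption)
SECRET_LIFETIME = 60      # seconds before the responder rotates its secret (assumption)


class StatelessResponder:
    """Responder that creates state only after a valid cookie is echoed back."""

    def __init__(self, now=time.time):
        self._now = now
        self._secret = secrets.token_bytes(32)
        self._prev_secret = self._secret      # still accepted briefly after rotation
        self._rotated_at = now()
        self.states = {}                      # (src_ip, spi) -> state; empty until cookie verified

    def _rotate_if_due(self):
        if self._now() - self._rotated_at >= SECRET_LIFETIME:
            self._prev_secret, self._secret = self._secret, secrets.token_bytes(32)
            self._rotated_at = self._now()

    def _cookie(self, secret, src_ip, spi):
        # The cookie is a keyed hash over the claimed source address and the
        # initiator's SPI; nothing about the exchange is stored on our side.
        return hmac.new(secret, src_ip.encode() + spi, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle_first_message(self, src_ip, spi, cookie=None):
        """Return ('cookie_request', cookie) with no state kept, or
        ('state_created', key) once a valid cookie is echoed back."""
        self._rotate_if_due()
        if cookie is None:
            # First contact: answer statelessly and make the initiator prove it
            # can receive traffic at src_ip before we spend any resources.
            return ("cookie_request", self._cookie(self._secret, src_ip, spi))
        for secret in (self._secret, self._prev_secret):
            if hmac.compare_digest(cookie, self._cookie(secret, src_ip, spi)):
                key = (src_ip, spi)
                self.states[key] = {"created": self._now()}   # state allocated only here
                return ("state_created", key)
        # Forged, replayed from another address, or expired: still no state.
        return ("rejected", None)
```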
