[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC Security Gateways & NAT

To: "Chen, David" <dchen@ellacoya.com>
Subject: Re: IPSEC Security Gateways & NAT
From: Derek Atkins <warlord@mit.edu>
Date: 19 Jun 2001 13:25:08 -0400
Cc: jshukla <jshukla@earthlink.net>, "'Dan Harkins'" <dharkins@lounge.org>, ipsec@lists.tislabs.com
In-Reply-To: "Chen, David"'s message of "Tue, 19 Jun 2001 10:34:43 -0400"
References: <85D31AAF3DFCD4119C44000102C009707DD77E@mail.ellacoya.com>
Sender: owner-ipsec@lists.tislabs.com

"Chen, David" <dchen@ellacoya.com> writes:

> Derek,
> 
> Id protection is important.
> 
> That's why today's IKE exchange ID and authentication peer after secured
> communication channel - i.e. DH-key exchange.

Except that with pre-shared keys, there is no ID protection.  The
ID must be the Source IP Address, and that is world-visible to anyone.
All the other mechanisms hide the ID within the DH.

> In the real world, one person have several different ids in different domain
> of society.  Each of them has different function and "privacy".
> However, collectively, these Ids perceived by environment as an unique Id.
> 
> The suggestion here, is adding one *more* id beside what IKE had
> to improve IKE's resistance to DOS attack.

The difference is that generally one does not use multiple identities
during one transaction.  Any single transaction generally uses one
single identity.  For example, you present your credit card to a
merchant, or you present your driver's license to a police officer,
or you present your passport to a custom's agent.

You are proposing IKE have TWO identities per transaction.  The first
is a pre-shared host key based upon some publically visible name (SIP
or a message-1/message-2 ID payload) and the second is some other
authentication based upon a protected identity.

I think many people believe that this added complexity is not worth
the benefits.  Because I _know_ that IP Address 1.2.3.4 is bombarding
me with IKE traffic (real or not), I can just throttle that traffic
down.  Your added cleartext-identity with pre-shared key:
	a) doesn't scale, and
	b) doesn't protect you from a DDoS zombie.

> It will not reduce today's Id protection security but
> add one more to reduce DOS attack.

Considering there is no ID protection in pre-shared keys, it could
hardly reduce it any more.

> You have a nice vacation-flight to UK.
> 
> I will land mine in my backyard.

Who said anything about Vacation?  I was referring to the IETF Meeting
in August.

> --- David

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

References:

RE: IPSEC Security Gateways & NAT

From: "Chen, David" <dchen@ellacoya.com>

Prev by Date: Re: IPSEC Security Gateways & NAT
Next by Date: RE: IPSEC Security Gateways & NAT
Prev by thread: RE: IPSEC Security Gateways & NAT
Next by thread: RE: IPSEC Security Gateways & NAT
Index(es):
- Main
- Thread