
Re: IPSEC Security Gateways & NAT



The statelessness seems to exist only in non-stressed circumstances.
If there really is a resource shortage, such as would occur in a denial
of service attack, then one needs to start keeping track of resource
usage, and that means keeping state around, doesn't it?  The stateless
cryptographic cookie seems to have the disadvantage of requiring
extra computation even in the non-attack situation, whereas the
stateful approach requires no extra work until an attack is underway.

Hilarie

>>> Bill Sommerfeld <sommerfeld@East.Sun.COM> 06/25/01 11:19AM >>>
> Is anyone still interested in Base Mode? It would be possible to create
> a Base Mode where reception of the first message is stateless to the Responder,
> by sending the state back in msg2 encrypted with some locally known symmetric
> key, and verified upon reception in msg3. This modified Base Mode
> could then be used to replace Aggressive Mode. The rationale for changing
> Base Mode would be that nobody's yet really using it (?), and that it's cool :).
> There's a paper by Pekka Nikander explaining the theory of making protocols
> stateless, forget where that is though.

I'd be very interested in seeing a mode which is initially stateless
for the responder; it's a key bit of technology from photuris which
was never carried forward to IKE.

					- Bill
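The following is an added illustration of the two designs discussed in this thread (the quoted proposal of handing the responder's state back in msg2 under a locally known key and verifying it in msg3, and Hilarie's point about the per-message cost of the stateless cookie). It is not code from the list, from Photuris, or from any IKE implementation. It uses HMAC-SHA256 integrity protection rather than encryption, since none of the returned state is secret; the message layout, nonce sizes, lifetime and the addresses used as input are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

NONCE_LEN = 16
TS_LEN = 4
STATE_LEN = TS_LEN + 2 * NONCE_LEN


class StatelessResponder:
    """Responder that holds no per-initiator state between msg1 and msg3.

    Everything it would otherwise have to remember (its own nonce, the
    initiator's nonce, a timestamp) is returned to the initiator in msg2,
    bound to the initiator's address under a key only the responder knows.
    HMAC-SHA256 stands in for the encryption mentioned on the list: the
    state is not secret, it only has to be unforgeable (a simplification
    chosen for this example)."""

    def __init__(self, key=None, cookie_lifetime=60):
        self._key = key if key is not None else os.urandom(32)  # locally known secret
        self.lifetime = cookie_lifetime
        self.pending = {}  # stays empty; kept only to compare with the stateful variant

    def _tag(self, initiator_addr, state):
        return hmac.new(self._key, initiator_addr.encode() + state, hashlib.sha256).digest()

    def handle_msg1(self, initiator_addr, nonce_i, now=None):
        # The cost Hilarie refers to: one HMAC for every msg1, attack or not.
        ts = int(time.time() if now is None else now)
        nonce_r = os.urandom(NONCE_LEN)
        state = struct.pack("!I", ts) + nonce_r + nonce_i
        return state, self._tag(initiator_addr, state)  # msg2 carries both back

    def handle_msg3(self, initiator_addr, state, tag, now=None):
        ts_now = int(time.time() if now is None else now)
        if len(state) != STATE_LEN:
            return None
        if not hmac.compare_digest(tag, self._tag(initiator_addr, state)):
            return None  # forged, tampered, or echoed from another address
        (ts,) = struct.unpack("!I", state[:TS_LEN])
        if not 0 <= ts_now - ts <= self.lifetime:
            return None  # stale cookie; bounds the replay window
        nonce_r = state[TS_LEN:TS_LEN + NONCE_LEN]
        nonce_i = state[TS_LEN + NONCE_LEN:]
        return {"nonce_i": nonce_i, "nonce_r": nonce_r}


class StatefulResponder:
    """Conventional responder: remembers every msg1 until its msg3 arrives."""

    def __init__(self):
        self.pending = {}

    def handle_msg1(self, initiator_addr, nonce_i):
        nonce_r = os.urandom(NONCE_LEN)
        self.pending[(initiator_addr, nonce_i)] = nonce_r  # no crypto, but memory grows
        return nonce_r

    def handle_msg3(self, initiator_addr, nonce_i):
        nonce_r = self.pending.pop((initiator_addr, nonce_i), None)
        if nonce_r is None:
            return None
        return {"nonce_i": nonce_i, "nonce_r": nonce_r}


def pending_after_unanswered_msg1(n):
    """Half-open exchanges each responder holds after n msg1s that never get a msg3."""
    stateful, stateless = StatefulResponder(), StatelessResponder()
    for i in range(n):
        nonce_i = i.to_bytes(NONCE_LEN, "big")  # constructed distinct nonces
        stateful.handle_msg1("198.51.100.7", nonce_i)  # constructed address
        stateless.handle_msg1("198.51.100.7", nonce_i)
    return len(stateful.pending), len(stateless.pending)


if __name__ == "__main__":
    r = StatelessResponder()
    state, tag = r.handle_msg1("192.0.2.10", os.urandom(NONCE_LEN))  # constructed address
    print("msg3 accepted:", r.handle_msg3("192.0.2.10", state, tag) is not None)
    print("pending (stateful, stateless) after 1000 unanswered msg1:",
          pending_after_unanswered_msg1(1000))
```

The trade-off in the thread is visible in the two `handle_msg1` methods: the stateless responder pays an HMAC on every msg1 but its `pending` table never grows, while the stateful responder does no cryptography until msg3 but accumulates an entry for every msg1 that is never followed up. Rotating `_key` periodically is what bounds how long an old cookie stays valid beyond the timestamp check.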

