[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: isakmp cookies field
> could anybody tell me what the benefit of the isakmp cookie field is ?
> i think the cookie indicates just isakmp spi. does it have any function
> to prevent from dos attack ?
using cookies is the feature of Oakley algorithm(used by ISAKMP)
these cookies are used to thwart clogging attacks.
in this attack, the opponent forges the src address of a legitimate user and
sends a public DH key to victim,
the victim then performs the modular exponentiation to compute secret key,
Repeated messages of this type can clog the victims system with useless
work, thus exhausting cpu resource to perform modular exponentiation.
The technique of cookie exchange requires that each side send a
pseudo-random number , the cookie , in the initial message, which other side
acknowledges
This acknowledgement must be repeated in the first message of DH key
exchange. If src address is forged , the opponent gets no answer, thus an
opponent can only force user to generate acknowledgements and not to perform
the DH modular exponentiation.
ISAKMP mandates that cookie generation must satisfy three basic
requirements.
1. The cookie must depend on specific parties.
2. It must not be possible for anyone otherthan issueing entity to generate
cookies that will be accepted by that entity, that is, cookie generation
should be based on some local secret.
3. cookie generation and verification methods must be fast to thwart attacks
intended to sabotage the processor resources..
References: