
Re: isakmp cookies field



Cookies provide you reachability, which implies that the initiator is
actually interested in an IKE exchange, and is actually at the
specified IP address (or at least somewhere along the route to that
peer address).  This prevents a DoS attack where the attacker sends
out a forged IP Address, because the responder does no real work until
message 3 (and the attacker won't receive message 2 which contains the
server cookie).

Cookies do not prevent an attacker from attempting DoS from their own
IP address.  However, then you at least have the IP address of the
host causing problems, and you can just block it or rate-limit it.

-derek

Shoichi Sakane <sakane@kame.net> writes:

> If nodes which would start to communicate knew the local secret information,
> yes, the cookie function could prevent the attack.  But the local
> secret information is known only by the entity that creates a cookie.
> Or do nodes have to share any local secret information before the
> isakmp negotiation is started?

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
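As an added illustration of the mechanism Derek describes (example code, not part of his message or of any ISAKMP implementation), the responder below derives its cookie with an HMAC over its own private secret, the claimed source address and the initiator cookie, so it stores nothing until message 3 comes back. The secret, addresses and ports are constructed for the example; binding the cookie to the source address is an assumption about how a responder would do it, not something the message specifies.

```python
import hmac
import hashlib
import os

# Constructed responder-side secret. It is never shared with any peer;
# only the entity that creates the cookie needs to know it.
RESPONDER_SECRET = os.urandom(32)


def make_responder_cookie(secret: bytes, src_ip: str, src_port: int,
                          initiator_cookie: bytes) -> bytes:
    """Stateless responder cookie bound to the claimed source address.

    Costs one HMAC and no per-initiator state, so a flood of forged
    message 1s does not consume memory or CPU on the responder.
    """
    msg = f"{src_ip}:{src_port}".encode() + initiator_cookie
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def responder_accepts_message3(secret: bytes, src_ip: str, src_port: int,
                               initiator_cookie: bytes,
                               echoed_cookie: bytes) -> bool:
    """Real work starts only if the cookie echoed in message 3 matches
    what this responder would have sent to that source in message 2."""
    expected = make_responder_cookie(secret, src_ip, src_port, initiator_cookie)
    return hmac.compare_digest(expected, echoed_cookie)


def legitimate_exchange(secret: bytes) -> bool:
    # Message 1: initiator at 192.0.2.10 (constructed) sends its cookie.
    ic = os.urandom(8)
    # Message 2: responder returns its cookie to the source address.
    rc = make_responder_cookie(secret, "192.0.2.10", 500, ic)
    # Message 3: the genuine initiator received message 2 and echoes rc.
    return responder_accepts_message3(secret, "192.0.2.10", 500, ic, rc)


def spoofed_exchange(secret: bytes) -> bool:
    # A forged source 198.51.100.7 (constructed) never sees message 2,
    # so the only option is to guess the responder cookie in message 3.
    ic = os.urandom(8)
    guessed = os.urandom(8)
    return responder_accepts_message3(secret, "198.51.100.7", 500, ic, guessed)


def replayed_from_other_address(secret: bytes) -> bool:
    # A cookie legitimately issued to one address is useless from another,
    # since the responder recomputes it over the actual source address.
    ic = os.urandom(8)
    rc = make_responder_cookie(secret, "192.0.2.10", 500, ic)
    return responder_accepts_message3(secret, "203.0.113.5", 500, ic, rc)
```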

