SOI: identity protection and DOS

[Michael Thomas <mat@cisco.com>]

The requirements that Cheryl put out didn't take a
position on identity protection and DOS. That was
probably a smart maneuver, but still I think there
needs to be a consensus view of those requirements
in order to judge protocols. My view is:

1) SOI MUST be capable determining return
   routability in a fashion that does not
   require state to be saved on the responder.
   A SOI peer MUST NOT invoke the return
   routability test unless it feels like it's
   under attack, or configured by policy.

2) SOI SHOULD provide a means to protect
   identities. SOI MUST make protection optional 
   if it reduces the overall number of messages 
   to establish a SA. A SOI peer MUST NOT protect 
   identities by default.

I expect that the last statement is controversial
so let me explain: IMO, identity protection is
overblown. If by simple traffic analysis I see a
static IP address for a server which I can reverse
map, and even a dynamic address which I can
reverse map to a particular POP, a determined
attacker is probably going to have a pretty good
idea that you're visiting naughtybits.com. If you
have a static address, you're even more exposed
(and with v6, this should be the norm). If you
want identity protection, you should really be
using an application layer anonymizer, and not
counting on IKE, or any other L3 mechanism to
cover your tracks.

	 Mike

---

Follow-Ups:

• Re: SOI: identity protection and DOS
• From: Paul Koning <ni1d@arrl.net>
• Re: SOI: identity protection and DOS
• From: Henry Spencer <henry@spsystems.net>

References:

• I-D ACTION:draft-ietf-ipsec-son-of-ike-protocol-reqts-00.txt
• From: Internet-Drafts@ietf.org

---

• Prev by Date: SOI: preshared
• Next by Date: SOI: round tripiness
• Prev by thread: Re: SOI: preshared
• Next by thread: Re: SOI: identity protection and DOS
• Index(es):
  • Main
  • Thread