Re: SOI: identity protection and DOS
IPSec is id-protection first (DH key exchange), then authentication.
As long as we can devise a mechanism that makes the DDOS attacker
spend a larger or equal amount of resource than the party being attacked,
it will be home free.
I don't see how the DH key exchange can achieve this goal.
Also, the cookies before the DH key exchange only validate the attacker's
address.
It does not make the attacker consume a greater or equal amount of resource than
the party being attacked.
Regards,
--- David
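As an added illustration (not code from this thread or any IKE/SOI draft), here is the stateless cookie-before-DH pattern David is describing, in Python; the secret, the cookie format and the toy DH group are constructed assumptions. It shows his point: the responder's first step is one HMAC and no state, and the cookie ties the exchange to an address that can actually receive replies, but a sender at a real address reaches the responder's expensive exponentiation without having done comparable work itself.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example of the "cookie before DH" pattern. The secret, the
# cookie layout and the toy DH group are assumptions for illustration only.
SECRET = secrets.token_bytes(32)      # responder-side secret; rotated in practice
P = 2**127 - 1                        # toy prime modulus, far too small for real use
G = 2                                 # toy generator

def make_cookie(src_addr: str, initiator_nonce: bytes) -> bytes:
    """Stateless cookie: an HMAC over the claimed source address and nonce.
    The responder stores nothing; it recomputes the cookie when it comes back."""
    msg = src_addr.encode() + b"|" + initiator_nonce
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]

def check_cookie(src_addr: str, initiator_nonce: bytes, cookie: bytes) -> bool:
    return hmac.compare_digest(make_cookie(src_addr, initiator_nonce), cookie)

def responder_handle(src_addr: str, initiator_nonce: bytes,
                     cookie: Optional[bytes] = None):
    """No valid cookie: answer with a cookie (one HMAC, no state kept).
    Valid cookie: only now spend a modular exponentiation for the DH exchange."""
    if cookie is None or not check_cookie(src_addr, initiator_nonce, cookie):
        return ("cookie", make_cookie(src_addr, initiator_nonce))
    priv = secrets.randbelow(P - 2) + 1
    return ("dh", pow(G, priv, P))      # the expensive step the cookie gates

def simulate(spoofed: int, real: int) -> dict:
    """Count responder exponentiations under flood traffic.
    Spoofed senders never receive the cookie, so they never pass the check.
    Senders at an address they control echo it and do pass, which is the gap
    the message points out: the cookie proves reachability, not work done."""
    nonce = b"\x00" * 16                # constructed nonce; a flooder need not vary it
    spoofed_dh = sum(responder_handle(f"10.0.0.{i % 250}", nonce)[0] == "dh"
                     for i in range(spoofed))          # cookie never comes back
    real_dh = 0
    for _ in range(real):
        _, c = responder_handle("192.0.2.7", nonce)
        kind, _ = responder_handle("192.0.2.7", nonce, c)  # cookie echoed back
        real_dh += kind == "dh"
    return {"spoofed_dh_ops": spoofed_dh, "real_address_dh_ops": real_dh}

if __name__ == "__main__":
    print(simulate(spoofed=1000, real=10))
```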
----- Original Message -----
From: "Henry Spencer" <henry@spsystems.net>
To: "Michael Thomas" <mat@cisco.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Monday, November 19, 2001 5:28 PM
Subject: Re: SOI: identity protection and DOS
> On Mon, 19 Nov 2001, Michael Thomas wrote:
> > ...IMO, identity protection is
> > overblown. If by simple traffic analysis I see a
> > static IP address for a server which I can reverse
> > map, and even a dynamic address which I can
> > reverse map to a particular POP, a determined
> > attacker is probably going to have a pretty good
> > idea that you're visiting naughtybits.com...
>
> As others have noted already, an identity can be more than just an IP
> address, and protection for parts of it may be desirable.
>
> I would add that, other things being equal, the fullest possible
> protection of everything should be the default, not an option. That way,
> users with truly sensitive material aren't prominently advertised as such
> by the fact that they're the only ones using protection.
>
> (Of course, that "other things being equal" covers a multitude of sins.
> Whether identity protection justifies an extra round trip is a harder
> question than whether it justifies a few more CPU cycles.)
>
> Henry Spencer
> henry@spsystems.net
>
>