
Re: SOI: identity protection and DOS



IPSec does id-protection first (DH key exchange), then authentication.
As long as one can devise a mechanism by which the DDoS attacker has
to spend a larger or equal amount of resources than the one being attacked,
it will be home free.
I don't see how the DH key exchange can achieve this goal.
Also, the cookies before the DH key exchange only validate the attacker's
address.
They do not make the attacker consume a greater or equal amount of resources than
the one being attacked.

Regards,

--- David


----- Original Message -----
From: "Henry Spencer" <henry@spsystems.net>
To: "Michael Thomas" <mat@cisco.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Monday, November 19, 2001 5:28 PM
Subject: Re: SOI: identity protection and DOS


> On Mon, 19 Nov 2001, Michael Thomas wrote:
> > ...IMO, identity protection is
> > overblown. If by simple traffic analysis I see a
> > static IP address for a server which I can reverse
> > map, and even a dynamic address which I can
> > reverse map to a particular POP, a determined
> > attacker is probably going to have a pretty good
> > idea that you're visiting naughtybits.com...
>
> As others have noted already, an identity can be more than just an IP
> address, and protection for parts of it may be desirable.
>
> I would add that, other things being equal, the fullest possible
> protection of everything should be the default, not an option.  That way,
> users with truly sensitive material aren't prominently advertised as such
> by the fact that they're the only ones using protection.
>
> (Of course, that "other things being equal" covers a multitude of sins.
> Whether identity protection justifies an extra round trip is a harder
> question than whether it justifies a few more CPU cycles.)
>
>                                                           Henry Spencer
>                                                        henry@spsystems.net
>
>

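As an added illustration of David's point about cookies above (not code from the thread, and not the IKE or Photuris cookie format), a toy Python model of a stateless, address-bound cookie: the responder's only pre-DH cost is one HMAC, a source-spoofing attacker never sees the cookie and is dropped cheaply, but an attacker willing to use its real address obtains a valid cookie in one cheap round trip and then still forces the responder into DH work on every request. The `Responder` class, the flood functions and the addresses are constructed for this example.

```python
import hashlib
import hmac
import os


class Responder:
    """Responder that hands out a stateless address-bound cookie before DH.
    Constructed illustration; the real protocol fields are omitted."""

    def __init__(self):
        self.secret = os.urandom(32)   # local secret; real systems rotate it
        self.dh_done = 0               # expensive DH exchanges actually run

    def cookie_for(self, addr: str) -> bytes:
        # Recomputable from the secret and the claimed source address alone,
        # so the responder keeps no per-peer state at this stage.
        return hmac.new(self.secret, addr.encode(), hashlib.sha256).digest()[:16]

    def handle_dh(self, addr: str, cookie: bytes) -> bool:
        # Cheap check: one HMAC. A bad cookie is dropped before any DH work.
        if not hmac.compare_digest(cookie, self.cookie_for(addr)):
            return False
        self.dh_done += 1              # stands in for the DH exponentiation
        return True


def spoofed_flood(responder: Responder, n: int) -> int:
    """Attacker forges n source addresses. The cookie goes to the forged
    address, so the attacker never learns it and can only guess."""
    for i in range(n):
        addr = f"203.0.113.{i % 256}"          # constructed, spoofed source
        responder.cookie_for(addr)             # responder's only cost: an HMAC
        responder.handle_dh(addr, os.urandom(16))   # guessed cookie, rejected
    return responder.dh_done


def real_address_flood(responder: Responder, n: int) -> int:
    """Attacker uses its real address: one cheap round trip buys a valid
    cookie, after which every request still drives the responder into DH."""
    addr = "198.51.100.7"                      # attacker's own address (constructed)
    cookie = responder.cookie_for(addr)        # obtained legitimately, once
    for _ in range(n):
        responder.handle_dh(addr, cookie)
    return responder.dh_done
```

The cookie proves only that the peer can receive packets at the address it claims; it does not make the peer's cost match the responder's DH cost, which is the asymmetry David describes.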
