
Re: SOI: identity protection and DOS



On Tue, 20 Nov 2001, Michael Thomas wrote:
>    ...On average, people don't take
>    the same precautions guarding their home as
>    they do nuclear arsenals. Nor should they; the
>    risk if compromised is small and the expense
>    is prohibitive. That is, we should make the
>    average case reflect the actual risk/expense
>    instead of erring on the paranoid.

I partly agree.  Which, of course, means I disagree.  There needs to be
some consideration of cost-effectiveness.  But if we must err, we most
definitely should err on the paranoid side.

In particular, if the added cost to protect *everything* well is small,
then we should not fool around with giving some things protection and
leaving others exposed.  If we try to be selective, there is always the
possibility that we will make mistakes; moreover, we advertise that
there's stuff that needs protecting here. 

As witness the IKEv2 proposal, the suggested dichotomy is false.  You can
do full identity protection and it can still be cheaper than today's IKE
without it.

                                                          Henry Spencer
                                                       henry@spsystems.net


