
Re: SOI: identity protection and DOS



david chen wrote:
> 
> IPsec is id-protection first (DH key exchange), then authentication.
> As long as one can devise a mechanism that forces the DDoS attacker to
> spend an amount of resources larger than or equal to that of the one
> being attacked, it will be home free.

Not really. That's a reasonable goal, and may be enough to stop an attacker
with limited resources, but you're hardly "home free".

For one thing, many IPsec gateways are fairly limited devices -- older
machines recycled as FreeS/WAN or *BSD gateways, low-cost dedicated devices,
routers that may be older or bottom-of-line models, ... -- and methinks we
do want those devices to be secure and reliable if possible.

Also, an EvilDoer is not constrained to use only his own resources. He 
can fairly easily find a few dozen badly administered machines around
the net, subvert them, and use their resources to attack you. At that
point, he both has more resources than you and isn't paying for them,
so if you want to stop him via resource constraints, then the attack
has to be really expensive.

What if he writes a virus and gets thousands of infected machines to
attack you?

