Re: IKE-SIGMA: draft-krawczyk-ipsec-ike-sigma-00.txt



Hello Hugo,

Thanks, I now better understand the costs of my proposal and why it
wasn't already pursued.  I will just add a couple of comments.

> RC is a defense for R not for I.
My thoughts in this regard were that denying I, for any number of
different Is, a valid IKE session IS a DoS against R, since R cannot
service valid I requests.  Of course the affected Is would be a subset
of all Is, since the attacker must have access to read messages 1 and 2 of
the exchanges.  I was thinking that this type (and all possible types)
of denied service should be prevented.

However, due to the rarity of the attack and the additional
computational costs for RC generation (as you point out, 3-10 times
extra work) needed by the prevention scheme, I see that my idea has a
high cost/benefit ratio.  I also realize that my idea would work against
the effectiveness of the save-the-resources-RC by requiring more
computations by R.

Thank you for your explanations and feedback.

Brian
