[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: compare-jfk-sigma.txt

To: Derek Atkins <warlord@mit.edu>
Subject: Re: compare-jfk-sigma.txt
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wed, 5 Dec 2001 19:56:20 +0200 (IST)
cc: Ran Canetti <canetti@watson.ibm.com>, ipsec@lists.tislabs.com
In-Reply-To: <sjm3d2pipwj.fsf@benjamin.ihtfp.org>
Sender: owner-ipsec@lists.tislabs.com

On 5 Dec 2001, Derek Atkins wrote:

> Hugo Krawczyk <hugo@ee.technion.ac.il> writes:
> 
> > Note that the poor initiator cannot amortize the costs of this 
> > signature verification!
> 
> This is actually a feature for DoS protection -- you want the
> initiator to do as much if not more work than the responder.
> 
> -derek
> 

Derek,

That's a beautiful idea!
Let's add 17 such signature verifications to the initiator
so to increase DoS protection.

There is just a little catch here: the only initiators that need
to do this verification are the legitimate ones. The DoS attacker
does not need to verify anything!

So it's a bug, dear, not a feature...

Hugo

References:

Re: compare-jfk-sigma.txt

From: Derek Atkins <warlord@mit.edu>

Prev by Date: Comments on IKEv2
Next by Date: Re: compare-jfk-sigma.txt
Prev by thread: Re: compare-jfk-sigma.txt
Next by thread: Re: compare-jfk-sigma.txt
Index(es):
- Main
- Thread