
Re: IKEv2 & DoS protection (whoops. resend)



Sorry about that. Somehow my computer assumed I'd said enough already
and sent the message I was in the middle of typing. I hate computers.


**************************
Actually, it's easy to have IKEv2 have a stateless cookie in a 4 message
exchange. Dan and Charlie and I argued about it. The way to
do a 4 message exchange is to have Alice repeat her info from
message 1 in message 3. We mentioned this in our paper last year, and I
believe Ran's proposal also did that. I was actually arguing for
that, but the arguments against it were:

a) with DDOS, the cookie doesn't help much, so it would be a rare
case where it mattered
b) assuming the most common case is where Bob doesn't request
return of a stateless cookie, the 4-message protocol takes more
bandwidth because message 3 is bigger
c) we figured people wouldn't care about the extra round trip since
at the time we were the only proposal and we figured people would
be happy enough with decreasing the number of messages from 9 to usually
4 and occasionally 6.
d) it makes the protocol a little harder to read and understand because
there are more of these SA, KE, ... thingies to read.

So the extra round trip vs a larger message 3 is completely a taste thing,
and easy to change if that's what the WG wants.

Radia
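An added illustration, not from this thread or any IKEv2 draft, of the 4-message shape Radia describes: Bob's cookie is a MAC over exactly the fields Alice must repeat in message 3, so Bob keeps no state for message 1 and simply recomputes the cookie when message 3 arrives. The `Msg1`/`Responder` model, the field layout and the addresses are constructed assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Msg1:
    """Constructed stand-in for the message 1/3 fields: address, SA, KE, nonce."""
    src: str
    sa: bytes
    ke: bytes
    nonce: bytes
    cookie: bytes = b""  # empty in message 1, echoed back in message 3

class Responder:
    """Bob (hypothetical model): creates no state until a valid cookie comes back."""
    def __init__(self, under_attack: bool):
        self.secret = secrets.token_bytes(32)  # would be rotated periodically
        self.under_attack = under_attack
        self.half_open = {}  # the only place state is created

    def _cookie(self, m: Msg1) -> bytes:
        # MAC over exactly the fields Alice must repeat, so Bob recomputes the
        # cookie from message 3 alone and never has to remember message 1.
        mac = hmac.new(self.secret, digestmod=hashlib.sha256)
        for field in (m.src.encode(), m.sa, m.ke, m.nonce):
            mac.update(len(field).to_bytes(2, "big") + field)
        return mac.digest()[:16]

    def handle(self, m: Msg1):
        if not m.cookie:
            if self.under_attack:
                return ("COOKIE_REQUEST", self._cookie(m))  # message 2, stateless
            return self._accept(m)  # common case: 4 messages, no cookie round trip
        if not hmac.compare_digest(m.cookie, self._cookie(m)):
            return ("DROP", None)  # wrong or replayed cookie: still no state
        return self._accept(m)  # message 3 carried the repeated fields and a valid cookie

    def _accept(self, m: Msg1):
        self.half_open[m.nonce] = m
        return ("SA_KE_Nr", secrets.token_bytes(16))

def run_exchange(under_attack: bool, spoof_src: str = ""):
    """Drive one initiator through Bob; returns (Bob's reply kinds, state entries)."""
    bob = Responder(under_attack)
    m1 = Msg1("192.0.2.10", b"\x01", secrets.token_bytes(32), secrets.token_bytes(16))
    kind, payload = bob.handle(m1)
    replies = [kind]
    if kind == "COOKIE_REQUEST":
        # Message 3 repeats SA, KE and nonce (hence bigger than message 1); a
        # different source address cannot reuse the cookie since it is MAC'ed in.
        m3 = replace(m1, cookie=payload, src=spoof_src or m1.src)
        replies.append(bob.handle(m3)[0])
    return replies, len(bob.half_open)
```

The `spoof_src` path shows why the address belongs under the MAC: a cookie returned from anywhere other than the address it was issued to is rejected before any state is allocated.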
