
RE: IKEv2 & DoS protection (whoops. resend)



> So the extra round trip vs a larger message 3 is completely a taste thing,
> and easy to change if that's what the WG wants.

My antecedent message was agreeing with the design decision you eventually
made, so there's no need to apologize for it.

If the goal is to optimize the protocol then optimize the protocol. It would
be silly not to take the average case into account. Repeating the info
allows a 4 message exchange, I guess (as long as you don't require PFS and
you don't accept ad hoc groups), but on average it takes more bandwidth for
the same number of round trips. Of course, this pre-supposes a
non-anarchistic future, in which everyone is not under DoS attack 24 hours a
day...

(What I sometimes bitch about is when people propose an optimization to the
protocol but they candy-coat it by calling it a simplification... <ducking>)

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Radia Perlman -
> Boston Center for Networking
> Sent: Thursday, December 06, 2001 1:07 PM
> To: ekr@rtfm.com; andrew.krywaniuk@alcatel.com
> Cc: ipsec@lists.tislabs.com
> Subject: Re: IKEv2 & DoS protection (whoops. resend)
>
>
> Sorry about that. Somehow my computer assumed I'd said enough already
> and sent the message I was in the middle of typing. I hate computers.
>
>
> **************************
> Actually, it's easy to have IKEv2 have a stateless cookie in a 4 message
> exchange. Dan and Charlie and I argued about it. The way to do a 4 message
> exchange is to have Alice repeat her info from message 1 in message 3. We
> mentioned this in our paper last year, and I believe Ran's proposal also
> did that. I was actually arguing for that, but the arguments against it
> were:
>
> a) with DDOS, the cookie doesn't help much, so it would be a rare case
>    where it mattered
> b) assuming the most common case is where Bob doesn't request return of a
>    stateless cookie, the 4-message protocol takes more bandwidth because
>    message 3 is bigger
> c) we figured people wouldn't care about the extra round trip since at the
>    time we were the only proposal and we figured people would be happy
>    enough with decreasing the number of messages from 9 to usually 4 and
>    occasionally 6.
> d) it makes the protocol a little harder to read and understand because
>    there are more of these SA, KE, ... thingies to read.
>
> So the extra round trip vs a larger message 3 is completely a taste thing,
> and easy to change if that's what the WG wants.
>
> Radia
>
>
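As an added illustration of the tradeoff Radia lays out above (this is not code from the thread or from any IKE implementation), the sketch below models a responder that demands a stateless cookie only under load and recomputes it from what message 1 and the IP header already carry instead of storing it, then compares the expected bandwidth of the always-repeat 4-message form against the retry form with an extra round trip. The HMAC cookie construction, the addresses and the message sizes are assumptions.

```python
import hmac, hashlib, secrets

# Constructed sizes (bytes) for a simplified IKEv2-style exchange: message 1
# carries SA proposals, a DH value and a nonce; a cookie is small by comparison.
SIZES = {"m1": 300, "m2": 300, "m3": 150, "m4": 150, "cookie": 20}


class Responder:
    """Bob: keeps no per-initiator state until a valid cookie comes back."""

    def __init__(self, under_attack=False):
        self.secret = secrets.token_bytes(32)   # rotated periodically in practice
        self.under_attack = under_attack
        self.sessions = {}                       # state exists only after the cookie check

    def cookie(self, ip, spi_i, nonce_i):
        # Assumed construction: HMAC over fields Bob can see again on the
        # repeated message 1, so nothing needs to be remembered in between.
        data = ip.encode() + spi_i + nonce_i
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:16]

    def handle_init(self, ip, msg, cookie=None):
        """Return ('cookie', c) with no state kept, ('reject', None), or ('ok', state)."""
        expected = self.cookie(ip, msg["SPIi"], msg["Ni"])
        if self.under_attack and cookie is None:
            return "cookie", expected
        if cookie is not None and not hmac.compare_digest(cookie, expected):
            return "reject", None
        # Only now does Bob commit memory and DH work to this initiator.
        self.sessions[msg["SPIi"]] = {"peer": ip, "Ni": msg["Ni"]}
        return "ok", self.sessions[msg["SPIi"]]


def initiate(bob, ip="192.0.2.1"):
    """Alice: send message 1; if a cookie is demanded, resend it with the cookie."""
    msg = {"SPIi": secrets.token_bytes(8), "Ni": secrets.token_bytes(32), "SA": b"...", "KE": b"..."}
    verdict, data = bob.handle_init(ip, msg)
    round_trips = 1
    if verdict == "cookie":
        verdict, data = bob.handle_init(ip, msg, cookie=data)  # message 1 repeated + cookie
        round_trips += 1
    return verdict, round_trips


def expected_bytes(p_cookie, s=SIZES):
    """Average bytes: always-repeat (4 msgs, message 3 carries message 1 again)
    vs retry (4 msgs normally, 6 when Bob demands a cookie with probability p)."""
    base = s["m1"] + s["m2"] + s["m3"] + s["m4"]
    repeat = base + s["m1"]
    retry = base + p_cookie * (2 * s["cookie"] + s["m1"])
    return repeat, retry
```

With these sizes the repeat form only wins on bandwidth when nearly every exchange is challenged, which is the average-case point made in the reply.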
