
Re: Some comments on JFK



"Hallam-Baker, Phillip" <pbaker@verisign.com> writes:
> I think we need to be very clear as to what the initial round trip
> is achieving. If all we need to do is to protect against the DoS attack then
> it is better to reconfigure the exchange so that DoS protection is an option
> for the responder if it discovers it is under DoS attack.
I totally agree. My read of JFK, however, is that the first round trip
also is required to provide identity protection (which you've said you
don't much care for and I'm not sure I like either.) In this respect
JFK differs from IKEv2 and SIGMA, both of which require an extra round
trip in order to do DoS protection (because they don't have a faster
"no PFS" mode).

-Ekr

	

