RE: Some comments on JFK
At 7:37 AM -0800 12/7/01, Hallam-Baker, Phillip wrote:
>If all we need to do is to protect against the DoS attack then
>it is better to reconfigure the exchange so that DoS protection is an option
>for the responder if it discovers it is under DoS attack.
That point is not fully agreed on. The optional extra round trip adds
complexity to the protocol because the initiator needs to be ready to
handle two different types of responses. In the simple case, that's
not a big deal, but what happens if a "not under DoS" response is
delayed, the initiator sends the initial request again, and the
responder says "this is fishy and DoS-like, I'm going to respond with
an 'am under DoS' response". The initiator gets the delayed first
response and replies to it.
This is the kind of case where interoperability falls down in IKEv1,
particularly when Vendor X is known to send weird messages at odd
times so Vendors A through W write special code around it. But then
Vendor X realizes the error of its ways and doesn't make that mistake
any more, but that special code hangs around forever.
Every optional round trip and every optional message MUST be tightly
scoped in the new protocol, or we can assume that the new protocol
will fall to IKEv1's level of partial interoperability.
--Paul Hoffman, Director
--VPN Consortium
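The race described in the message above, simulated as an added example that is not part of the original post or of any JFK implementation. The message types, the rule that a retransmitted request pushes the responder into DoS mode and makes it shed half-open state, and the two initiator policies ("naive" answers one response and stops listening; "scoped" accepts a cookie challenge for its exchange at any point until completion) are all assumptions made for this example, not anything JFK specifies.

```python
import hashlib
import hmac
import secrets


class Responder:
    """Responder with an optional cookie round trip.

    Assumption for this example: a retransmitted REQ for a nonce the
    responder already answered is treated as "fishy", the responder enters
    DoS mode and sheds all half-open state (that is what the extra round
    trip is meant to buy).
    """

    def __init__(self):
        self.secret = secrets.token_bytes(16)
        self.under_dos = False
        self.half_open = {}      # ni -> nr, state kept per answered REQ
        self.completed = set()
        self.log = []

    def cookie(self, ni):
        # Stateless cookie: verifiable later without remembering ni.
        return hmac.new(self.secret, ni, hashlib.sha256).digest()[:8]

    def handle(self, msg):
        kind = msg[0]
        if kind == "REQ":
            ni = msg[1]
            cookie = msg[2] if len(msg) > 2 else b""
            if ni in self.half_open and not self.under_dos:
                self.log.append("duplicate REQ: entering DoS mode, shedding state")
                self.under_dos = True
                self.half_open.clear()
            if self.under_dos and not hmac.compare_digest(cookie, self.cookie(ni)):
                return ("RESP_COOKIE", ni, self.cookie(ni))
            nr = secrets.token_bytes(8)
            self.half_open[ni] = nr
            return ("RESP_FULL", ni, nr)
        if kind == "FINISH":
            ni, nr = msg[1], msg[2]
            if self.half_open.pop(ni, None) == nr:
                self.completed.add(ni)
                return ("DONE", ni)
            self.log.append("FINISH for unknown exchange dropped")
        return None


class Initiator:
    """policy="naive": expects exactly one response, answers it and ignores
    anything further.  policy="scoped": a RESP_COOKIE carrying its nonce
    restarts the exchange with the cookie, even after FINISH was sent.
    Both policies are assumptions of this example."""

    def __init__(self, policy):
        self.policy = policy
        self.ni = secrets.token_bytes(8)
        self.sent_finish = False
        self.done = False

    def start(self):
        return ("REQ", self.ni)

    def handle(self, msg):
        kind, ni = msg[0], msg[1]
        if ni != self.ni or self.done:
            return None                      # not ours, or already finished
        if kind == "RESP_FULL":
            if self.sent_finish:
                return None
            self.sent_finish = True
            return ("FINISH", ni, msg[2])
        if kind == "RESP_COOKIE":
            if self.policy == "naive" and self.sent_finish:
                return None                  # "I already answered"
            self.sent_finish = False         # exchange restarts with cookie
            return ("REQ", ni, msg[2])
        if kind == "DONE":
            self.done = True
        return None


def run_race(policy, max_steps=20):
    """The sequence from the post: the first RESP_FULL is delayed, the
    initiator retransmits, the responder flips into DoS mode and answers
    with a cookie, then both responses reach the initiator in order."""
    r, i = Responder(), Initiator(policy)
    first = r.handle(i.start())              # RESP_FULL, delayed in transit
    second = r.handle(i.start())             # retransmit -> RESP_COOKIE
    inbox = [first, second]                  # delayed reply arrives first
    steps = 0
    while inbox and steps < max_steps:
        steps += 1
        out = i.handle(inbox.pop(0))
        back = r.handle(out) if out is not None else None
        if back is not None:
            inbox.append(back)
    return i.done, r.log


if __name__ == "__main__":
    for policy in ("naive", "scoped"):
        print(policy, run_race(policy))
```

With the "naive" policy the initiator answers the stale RESP_FULL, the responder drops that FINISH because it shed the state, and the cookie challenge that follows is ignored, so the exchange never completes. The "scoped" policy completes only because the initiator is prepared for either response type at every point of the exchange, which is the extra state handling the post is describing.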