
RE: Some comments on JFK



At 7:37 AM -0800 12/7/01, Hallam-Baker, Phillip wrote:
>If all we need to do is to protect against the DoS attack then
>it is better to reconfigure the exchange so that DoS protection is an option
>for the responder if it discovers it is under DoS attack.

That point is not fully agreed on. The optional extra round trip adds 
complexity to the protocol because the initiator needs to be ready to 
handle two different types of responses. In the simple case, that's 
not a big deal, but what happens if a "not under DoS" response is 
delayed, the initiator sends the initial request again, and the 
responder says "this is fishy and DoS-like, I'm going to respond with 
an 'am under DoS' response"? The initiator gets the delayed first 
response and replies to it.

This is the kind of case where interoperability falls down in IKEv1, 
particularly when Vendor X is known to send weird messages at odd 
times, so Vendors A through W write special code around it. But then 
Vendor X realizes the error of its ways and doesn't make that mistake 
any more, yet that special code hangs around forever.

Every optional round trip and every optional message MUST be tightly 
scoped in the new protocol, or we can assume that the new protocol 
will fall to IKEv1's level of partial interoperability.

--Paul Hoffman, Director
--VPN Consortium
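The race described in the message above, played out in a toy simulation added here (not code from the message, from JFK, or from any IKE implementation): a naive initiator that cannot tell the delayed "not under DoS" reply from a current one answers both responses and draws a rejection, while an initiator that scopes each reply to the nonce of its latest transmission drops the stale reply. The fresh-nonce-per-retransmission rule is an assumed illustration of "tightly scoped", not JFK's actual design; message names and the cookie value are constructed.

```python
# Toy model of the race above: a "not under DoS" reply is delayed, the initiator
# retransmits, and the responder has meanwhile switched to cookie-challenge mode.
# Constructed for illustration: not JFK or IKE, no real wire format or crypto.
class Responder:
    def __init__(self):
        self.under_dos, self.validated = False, set()  # validated: cookie passed
        self.cookie = "COOKIE"  # constructed placeholder, not a real secret
    def handle(self, m):
        n = m["nonce"]
        if m["type"] == "request":
            if self.under_dos:
                if m.get("cookie") != self.cookie:
                    return {"type": "challenge", "nonce": n, "cookie": self.cookie}
                self.validated.add(n)
            return {"type": "plain_reply", "nonce": n}
        ok = not self.under_dos or n in self.validated  # else we moved on: refuse
        return {"type": "done" if ok else "reject", "nonce": n}

class Initiator:
    """scoped=True: fresh nonce per (re)transmission; replies to old nonces dropped."""
    def __init__(self, scoped):
        self.scoped, self.counter, self.current = scoped, 0, None
    def request(self, cookie=None):
        if self.scoped or self.current is None:
            self.counter += 1
            self.current = "N%d" % self.counter
        return {"type": "request", "nonce": self.current, "cookie": cookie}
    def handle(self, m):
        if self.scoped and m["nonce"] != self.current:
            return None  # stale reply to an earlier transmission: drop it
        if m["type"] == "plain_reply":
            return {"type": "reply_to_plain", "nonce": m["nonce"]}
        if m["type"] == "challenge":
            return self.request(cookie=m["cookie"])
        return None  # "done" / "reject": nothing more to send

def run(scoped):
    # Drive one exchange; return the sequence of message types seen on the wire.
    i, r, trace = Initiator(scoped), Responder(), []
    delayed = r.handle(i.request())    # reply 1 is held up in the network
    r.under_dos = True                 # responder comes under attack
    challenge = r.handle(i.request())  # the retransmission draws a challenge
    inflight = [delayed, challenge]    # and the delayed reply lands first
    while inflight:
        m = inflight.pop(0)
        trace.append(m["type"])
        out = i.handle(m)
        if out is not None:
            trace.append(out["type"])
            inflight.append(r.handle(out))
    return trace
```

Running `run(False)` shows the naive initiator replying to the stale "plain" response and collecting a "reject" before it also answers the challenge; `run(True)` shows the scoped initiator completing with a single path.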

