
RE: RESEND: Thoughts on identity attacks





> Phill,
>
> Have you read the JFK draft?

Have you read my extensive comments on the JFK draft posted to the list?
 
> The idea of a generalized cookie mechanism for IP/TCP is something I've
> toyed with. For applications where you don't necessarily want to do IPsec,
> but DoS attacks are very important (e.g. wireless, specifically IP paging),
> it would be nice if your access router could generate an
> ICMP_ROUTABILITY_TEST message which would force the initiator to retry with
> a nonce/cookie.

I don't think that has much value. For the cookie to be useful it
really has to be strongly bound to a particular request and a specific
IP port. Otherwise an attacker can get one legitimate cookie and then
SPAM you to death with it. 

		Phill
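
Added example, not part of the original message: a stateless cookie computed as an HMAC over the source address, both ports, a digest of the request and a time epoch, next to a cookie bound only to time, to show why the binding discussed above matters. All names, the secret, the 60-second epoch and the sample addresses are constructed for illustration and are not taken from the JFK draft.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"   # constructed; a responder would rotate this
EPOCH_SECONDS = 60                    # assumed cookie lifetime granularity


def _mac(secret, msg):
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def make_cookie(secret, src_ip, src_port, dst_port, request, now):
    """Cookie bound to source address, both ports, the request and the epoch."""
    epoch = int(now) // EPOCH_SECONDS
    msg = (ipaddress.ip_address(src_ip).packed
           + struct.pack("!HHq", src_port, dst_port, epoch)
           + hashlib.sha256(request).digest())
    return _mac(secret, msg)


def check_cookie(secret, cookie, src_ip, src_port, dst_port, request, now):
    """Recompute for the current and previous epoch; no per-client state kept."""
    return any(
        hmac.compare_digest(
            cookie, make_cookie(secret, src_ip, src_port, dst_port, request, t))
        for t in (now, now - EPOCH_SECONDS))


def make_unbound_cookie(secret, now):
    """Weak variant: bound to the epoch only, so any sender can present it."""
    return _mac(secret, struct.pack("!q", int(now) // EPOCH_SECONDS))


def check_unbound_cookie(secret, cookie, now):
    return any(hmac.compare_digest(cookie, make_unbound_cookie(secret, t))
               for t in (now, now - EPOCH_SECONDS))


if __name__ == "__main__":
    now = 1_000_020
    good = make_cookie(SECRET, "192.0.2.10", 40000, 500, b"request-1", now)
    weak = make_unbound_cookie(SECRET, now)
    # Same cookie presented with a different source address and request.
    print("bound cookie replayed:  ",
          check_cookie(SECRET, good, "198.51.100.7", 40000, 500, b"request-2", now))
    print("unbound cookie replayed:", check_unbound_cookie(SECRET, weak, now))
```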
