
Re: RESEND: Thoughts on identity attacks
>>>>> "Hallam-Baker," == Hallam-Baker, Phillip <pbaker@verisign.com> writes:
    Hallam-Baker> I agree that the stateless cookie is very
    Hallam-Baker> important. However there is no value in the stateless
    Hallam-Baker> cookie unless you also have the ability to filter out DoS
    Hallam-Baker> attacks from fixed IP addresses. This being the case I
    Hallam-Baker> would rather unpack the stateless cookie and make it a
    Hallam-Baker> part of a DoS package. I much prefer the following scheme:

    Hallam-Baker> 1) All Initiators (aka clients) MUST be capable of
    Hallam-Baker> repeating a request with a stateless cookie if required 2)
    Hallam-Baker> Responders MAY respond to a cookie-less request by
    Hallam-Baker> requesting a cookie.

    Hallam-Baker> This allows the 2 round trip JFK scheme to be reduced to 1
    Hallam-Baker> required and 1 optional round trip. A responder that is
    Hallam-Baker> not going to do anything more sophisticated can require
    Hallam-Baker> cookies on every request. It is not much more work to only

  Ah, choices. 
  I believe it is choices as to whether or not to use a feature that
causes complexity, not the feature itself.

  I'm for always using cookies.

    Hallam-Baker> trying that approach. So 1 mandatory + 1 optional round
    Hallam-Baker> trip becomes on average 1 round trip. There is a major
    Hallam-Baker> performance difference between 1 round trip and 2 on many
    Hallam-Baker> of the wireless applications.

  What are these wireless applications? How do they differ from VPN, OE,
or per-socket uses?  I'm asking because I don't see 1 round trip vs 2
as much of a big deal once you factor in DNS lookups (including reverse DNS
lookups on the responder for logging purposes).

  The only impact that I can see is wireless applications that initiate
from new IP addresses all the time as they roam. MobileIP would not do such
a thing as it would expect an SA from the home address to the peers.

    Hallam-Baker> unnecessary junk. I do not believe that the current set of
    Hallam-Baker> specifications built around the capabilities of
    Hallam-Baker> engineering workstations is viable when applied to low
    Hallam-Baker> cost embedded devices.

  I'm willing to be convinced that such a profile should exist, but I'm not
sure that it matters to devices that are stationary - they should not be
rekeying often enough to matter.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
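
A small model of the cookie scheme argued over above, added here as an illustration and not code from either poster or from the JFK drafts. It assumes a Responder that answers a cookie-less request with an HMAC-SHA256 cookie bound to the initiator's source address and nonce (so it holds no per-peer state until the initiator echoes the cookie back), an Initiator that repeats its request with the cookie when asked, and a two-secret rotation so a cookie stays valid across one rotation. The require_cookie switch models the "always require" versus "optional round trip" policies discussed in the thread; the addresses and message shapes are constructed for the example.

```python
"""Stateless-cookie DoS defence: the responder commits no memory until the
initiator proves it can receive at the address it claims.  Added example."""
import hashlib
import hmac
import os

COOKIE_LEN = 16  # truncated MAC; enough to make blind guessing impractical


class Responder:
    """Hypothetical responder; keeps session state only after a valid cookie."""

    def __init__(self, require_cookie: bool = True):
        # Current and previous secret, so a cookie survives one rotation.
        self._secrets = [os.urandom(32), os.urandom(32)]
        self.require_cookie = require_cookie
        self.sessions = {}  # the expensive per-peer state we want to protect

    def rotate_secret(self) -> None:
        """Bound cookie lifetime: after two rotations an old cookie is dead."""
        self._secrets = [os.urandom(32), self._secrets[0]]

    def _cookie(self, secret: bytes, src: tuple, nonce_i: bytes) -> bytes:
        # Bind the cookie to source address/port and the initiator's nonce;
        # nothing here needs to be stored, it can always be recomputed.
        data = f"{src[0]}:{src[1]}".encode() + nonce_i
        return hmac.new(secret, data, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle(self, src: tuple, msg: dict) -> dict:
        nonce_i = msg["nonce_i"]
        if self.require_cookie:
            cookie = msg.get("cookie")
            if cookie is None:
                # Cheap reply, no state allocated: ask the peer to come back.
                return {"type": "cookie_request", "nonce_i": nonce_i,
                        "cookie": self._cookie(self._secrets[0], src, nonce_i)}
            # Accept the current or the previous secret, constant-time compare.
            if not any(hmac.compare_digest(cookie, self._cookie(s, src, nonce_i))
                       for s in self._secrets):
                return {"type": "reject"}
        # Only now do the work an attacker would like to force on us.
        nonce_r = os.urandom(16)
        self.sessions[(src, nonce_i)] = {"nonce_r": nonce_r}
        return {"type": "response", "nonce_r": nonce_r}


class Initiator:
    """Hypothetical initiator that MUST be able to repeat a request with a cookie."""

    def __init__(self, src: tuple):
        self.src = src

    def connect(self, responder: Responder) -> tuple:
        msg = {"type": "request", "nonce_i": os.urandom(16)}
        round_trips = 1
        reply = responder.handle(self.src, msg)
        if reply["type"] == "cookie_request":
            msg["cookie"] = reply["cookie"]  # echo it back unchanged
            reply = responder.handle(self.src, msg)
            round_trips += 1
        return reply, round_trips


def run_exchange(require_cookie: bool) -> tuple:
    """Returns (final reply type, round trips used, sessions allocated)."""
    r = Responder(require_cookie)
    reply, rtts = Initiator(("10.0.0.5", 4500)).connect(r)  # constructed address
    return reply["type"], rtts, len(r.sessions)


def spoofed_source_rejected() -> tuple:
    """A cookie issued to one source address is useless from another."""
    r = Responder(True)
    req = {"type": "request", "nonce_i": os.urandom(16)}
    challenge = r.handle(("10.0.0.5", 4500), req)
    state_before = len(r.sessions)  # still zero: nothing stored on a bare request
    req["cookie"] = challenge["cookie"]
    return state_before, r.handle(("192.0.2.9", 4500), req)["type"]


def cookie_lifetime() -> tuple:
    """Valid across one secret rotation, rejected after more."""
    r = Responder(True)
    src = ("10.0.0.5", 4500)
    req = {"type": "request", "nonce_i": os.urandom(16)}
    req["cookie"] = r.handle(src, req)["cookie"]
    r.rotate_secret()
    after_one = r.handle(src, req)["type"]
    r.rotate_secret()
    r.rotate_secret()
    after_three = r.handle(src, req)["type"]
    return after_one, after_three


if __name__ == "__main__":
    print(run_exchange(True), run_exchange(False))
```

With require_cookie=True every initiator pays the second round trip; with it False the exchange completes in one, which is the trade-off the two posters disagree about. The secret rotation is what turns the cookie into a short-lived proof rather than a permanent pass for an address.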