
Re: DoS attack on JFK



So, this attack is not without risk for the attacker -- someone
monitoring the system under attack can correlate the inbound flood of
message #3 with the source address of the previous message #1's and
use this to trace the attack back to the coordinator.

   Provided that g^r on the Nth message two is the same as the g^r on the
   first message two the attacker knows that the authenticator blobs are
   all signed by the current HKr. If the first and last g^r differ then the
   attacker starts the attack over.

My understanding was that a JFK implementation could have a pool of
precomputed g^r values to pick from rather than a single "current"
g^r, so this exact method wouldn't work (since each g^r would likely
differ from message to message).  However, it's relatively easy to
modify the attack to compensate for this.

   [... if the initiator ip address is included in the HMAC ...]
   the responder could make note of an unsuccessful decryption from a
   particular IP address and refuse any more messages from it for a
   period of time.

Yah, this would work, but a responder could also blacklist "Ni,Nr"
pairs or HMAC values; that might be a more effective strategy than
blacklisting by source address -- with IPv6, an attacker on a link
which does stateless address autoconfig has access to on the order of
2^64 usable source addresses; and even with IPv4, an attacker might
have access to many valid addresses.

					- Bill
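
The denylist-by-HMAC idea from the reply above, sketched as an added example that is not part of the original message or of any JFK implementation. It assumes the authenticator covers (g^r, Nr, Ni) but not the initiator address; the class, method names and the decrypt_ok flag (standing in for the real DH and decryption step) are hypothetical.

```python
import hashlib
import hmac
import os
import time


class Responder:
    """Toy responder: denylists message-3 authenticators that failed decryption."""

    def __init__(self, ttl=60.0, clock=time.monotonic):
        self.hkr = os.urandom(32)      # stands in for the responder secret HKr
        self.ttl = ttl                 # how long a failed token stays refused
        self.clock = clock
        self.denied = {}               # authenticator -> expiry time
        self.expensive_ops = 0         # counts DH/decrypt attempts performed

    def make_token(self, ni: bytes, nr: bytes, g_r: bytes) -> bytes:
        # Authenticator returned in message 2 and echoed in message 3.
        # Length-prefix fields so distinct (Ni, Nr, g^r) never collide.
        data = b"".join(len(f).to_bytes(2, "big") + f for f in (g_r, nr, ni))
        return hmac.new(self.hkr, data, hashlib.sha256).digest()

    def handle_msg3(self, src_ip, ni, nr, g_r, token, decrypt_ok) -> str:
        now = self.clock()
        # Purge expired entries so the denylist stays bounded by rate * ttl.
        self.denied = {t: exp for t, exp in self.denied.items() if exp > now}
        if not hmac.compare_digest(token, self.make_token(ni, nr, g_r)):
            return "bad-token"         # cheap reject, no state created
        if token in self.denied:
            return "denied"            # cheap reject, whatever src_ip says
        self.expensive_ops += 1        # placeholder for DH + decryption
        if not decrypt_ok:
            self.denied[token] = now + self.ttl
            return "decrypt-failed"
        return "accepted"


def replay_from_many_addresses(n=1000):
    """Constructed scenario: one valid token replayed from n source addresses."""
    r = Responder()
    ni, nr, g_r = os.urandom(16), os.urandom(16), os.urandom(32)
    token = r.make_token(ni, nr, g_r)
    results = [r.handle_msg3(f"2001:db8::{i:x}", ni, nr, g_r, token, decrypt_ok=False)
               for i in range(n)]
    return results.count("decrypt-failed"), results.count("denied"), r.expensive_ops
```

Because the key is the token rather than src_ip, the responder pays for one expensive operation per authenticator no matter how many source addresses it arrives from.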