Re: Choosing between IKEv2 and JFK



  I respectfully disagree with statement "both protocols are resistant
to DoS attacks based on computational loading." Because JFK does not
bind the authenticator blob to the initiator it is susceptible to a
variant of Simpson's "cookie jar" attack. IKEv2 is not because its
"stateless cookie" is bound to the initiator.

  It would be trivial to fix this problem but I guess the authors do
not intend to fix it since I first brought it up during the SLC IETF
with the -00.txt version of JFK and it was not fixed in the -01.txt
version.

  This is a significant difference between the two.

  Dan.

On Wed, 06 Mar 2002 16:59:47 PST you wrote
> 
> DoS PROTECTION and COOKIE EXCHANGE
> IKEv2 uses a variable-round-trip handshake, with 4 messages
> under normal circumstances and 6 under attack. The extra
> two messages are a simple cookie exchange designed to force
> the attacker to prove that he has a round-trip to the responder.
> 
> JFK uses 4 messages in all cases. DoS protection is achieved by
> not creating JFK state until message 3 has been read.
> 
> Discussion:
> Both protocols are resistant to DoS attacks based on computational
> loading. JFK is slightly more network efficient under attack because
> it has two fewer messages. However, it is more susceptible to an IP
> fragmentation memory consumption attack where the attacker sends a
> series of partial messages to consume reassembly buffers, thus
> blocking delivery of legitimate fragmented message 3s.  If one assumes
> a rather intimate relationship between IKEv2 and the TCP stack, IKEv2
> is less susceptible to this attack.
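The distinction Dan draws above (a stateless cookie that is, or is not, bound to the initiator) can be illustrated with a small model. The following is an added example written for this archive page; it is not code from the thread, from the IKEv2 or JFK drafts, or from any implementation. It models a responder that keeps no per-initiator state: the cookie is an HMAC under a responder-side secret, so a returned cookie is checked by recomputation rather than by table lookup. The "bound" form hashes the initiator's source address together with its SPI and nonce (the shape IKEv2 later standardised in RFC 7296 section 2.6); the "unbound" form leaves the address out. The class and function names, the 16-byte truncation, the length-prefixed MAC input and all sample addresses, SPIs and nonces are constructed for the illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Length of the responder-side secret (constructed choice for the example).
SECRET_LEN = 32


class StatelessCookieResponder:
    """Responder that keeps no per-initiator state until the cookie comes back.

    The cookie is an HMAC over a secret only the responder knows, so it can be
    verified by recomputation with no memory allocated per initiator. Whether
    the initiator's source address is part of the MAC input is exactly the
    "bound vs. unbound" point raised in the thread. This is a simplified model,
    not the IKEv2 or JFK wire format.
    """

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else secrets.token_bytes(SECRET_LEN)

    def _mac(self, *parts):
        # Length-prefix each field so concatenation is unambiguous.
        h = hmac.new(self.secret, digestmod=hashlib.sha256)
        for p in parts:
            h.update(len(p).to_bytes(2, "big"))
            h.update(p)
        return h.digest()[:16]

    # --- IKEv2-style: cookie bound to the initiator ---------------------
    def cookie_bound(self, src_ip, spi_i, nonce_i):
        """Cookie tied to the source address, initiator SPI and nonce."""
        return self._mac(ipaddress.ip_address(src_ip).packed, spi_i, nonce_i)

    def verify_bound(self, cookie, src_ip, spi_i, nonce_i):
        """Accept only if recomputed from the address the packet actually came from."""
        return hmac.compare_digest(cookie, self.cookie_bound(src_ip, spi_i, nonce_i))

    # --- Unbound authenticator: not tied to who presents it -------------
    def cookie_unbound(self, spi_i, nonce_i):
        """Authenticator that omits the source address."""
        return self._mac(spi_i, nonce_i)

    def verify_unbound(self, cookie, spi_i, nonce_i):
        return hmac.compare_digest(cookie, self.cookie_unbound(spi_i, nonce_i))


def replay_from_other_address(responder, real_ip, other_ip, spi_i, nonce_i):
    """Issue both cookie forms to real_ip, then present each from other_ip.

    Returns (bound_accepted, unbound_accepted). A defender wants the first
    value False: a cookie obtained at one address must not be usable from
    another, otherwise proving "a round-trip to the responder" proves nothing.
    """
    bound = responder.cookie_bound(real_ip, spi_i, nonce_i)
    unbound = responder.cookie_unbound(spi_i, nonce_i)
    return (
        responder.verify_bound(bound, other_ip, spi_i, nonce_i),
        responder.verify_unbound(unbound, spi_i, nonce_i),
    )


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    r = StatelessCookieResponder()
    spi_i = secrets.token_bytes(8)
    nonce_i = secrets.token_bytes(32)
    legit = r.cookie_bound("10.0.0.5", spi_i, nonce_i)
    print("legitimate initiator accepted:", r.verify_bound(legit, "10.0.0.5", spi_i, nonce_i))
    bound_ok, unbound_ok = replay_from_other_address(r, "10.0.0.5", "192.0.2.77", spi_i, nonce_i)
    print("bound cookie accepted from another address:", bound_ok)
    print("unbound cookie accepted from another address:", unbound_ok)
```

Because the cookie is recomputed rather than stored, the responder still allocates nothing before the cookie returns; binding the address costs only a few extra bytes of MAC input. A production responder would also version and periodically rotate the secret so that old cookies expire, which this model omits.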