
RE: SOI QUESTION: 3.1 DoS protection



Ditto :)

jan


On 24 Jun 2002, Andrew Krywaniuk wrote:

> > 3.1 DoS protection
> >
> > 3.1.A) WRT DOS attacks that exhaust memory or CPU resources,
> > is it more
> > important to always keep the message count at 4, or is it
> > acceptable to add
> > an additional roundtrip of messages when the responder thinks
> > he's under
> > attack?
>
> The additional round-trip approach is better. Since we don't expect to be
> under DoS attack most of the time, the average message count will still be
> 4. When under attack, we should expect severe performance degradation
> anyway. The noise to signal ratio will be so high that it won't make a
> difference if there are 6 messages or 4.
>
> The additional round-trip makes the protocol less intricate and more
> modular. This is just good protocol design.
>
>
> > 3.1.B) WRT UDP fragmentation attack protection, both IKEv2
> > and JFK provide
> > basically equivalent protection. Does anyone care about the
> > details of how
> > JFK or IKEv2 provide this functionality.
>
> Not really. It's a neat idea, but I'm not sure everyone will implement it.
>
>
> > 3.1.C) Is it important to have precomputation of exponentials
> > available for
> > use as a mechanism for protecting against cpu consumption attacks?
>
> Yes and no.
>
> Should you precompute exponentials? Yes, by all means. However, that is a
> local implementation matter that has nothing to do with the protocol.
>
> Do we need to use the technique specified in JFK? No, since that was only
> needed to accomplish feature 3.1.A. As I mentioned above, doing DoS
> protection in 6 messages makes the protocol less intricate and more modular.
>
>
> > 3.2.A) In both IKEv2 and JFK, Alice chooses a Diffie-Hellman group in
> > message one. In IKEv2 if Bob doesn't accept what Alice offers the
> > negotiation starts again. In JFK if Bob doesn't accept what
> > Alice offers
> > but Alice can live with what Bob offers, they continue.
> > Otherwise they
> > start over. Is this an important feature for SOI?
>
> This is an area where SOI has the potential to be harder to implement than
> IKEv1. In IKEv1, aggressive mode always caused problems in expressing
> policy. With main mode, the exchange was self-contained (it could fully
> negotiate all features). With both IKEv2 and JFK it sounds like a
> meta-negotiator class/state-machine (which will retry with new parameters)
> will now be mandatory. Of course there are other reasons why one might want
> a meta-negotiator, so this could be a good thing.
>
> The JFK draft makes the argument that ukases are preferable to negotiation
> of parameters. I disagree, in the sense that the ukases must be handled by a
> meta-negotiator. There is no negotiation within the JFK exchange, but there
> is negotiation within the meta-exchange.
>
>
> > 3.3 Size of messages
> >
> > There is no significant difference in the size of messages in the two
> > protocols.
>
> The repetition of parameters in JFK in order to achieve feature 3.1.A is a
> little bit wasteful. But I agree that there is no significant difference.
>
>
> Andrew
> -------------------------------------------
> There are no rules, only regulations. Luckily,
> history has shown that with time, hard work,
> and lots of love, anyone can be a technocrat.
>
>
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe
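Illustration, added here and not part of the list message, of the "additional round trip when the responder thinks he's under attack" that Andrew prefers in 3.1.A, done the way IKEv2 ended up doing it: the responder answers a first message with a stateless cookie (an HMAC over the claimed source address and SPI under a secret only the responder knows) and allocates no state until that cookie comes back from the same address. The Responder class, the half-open threshold, the cookie layout and the simulated flood are all constructed for this example; nothing below is taken from either draft.

```python
import hashlib
import hmac
import os


class Responder:
    """Responder that allocates per-exchange state only after the initiator
    proves it can receive at the address it claims, by echoing a cookie."""

    COOKIE_LEN = 1 + 16  # version byte + truncated HMAC-SHA256 (constructed layout)

    def __init__(self, half_open_limit=2):
        self.half_open_limit = half_open_limit
        self.half_open = {}          # spi -> peer address; allocated lazily
        self.version = 0
        self.secrets = {0: os.urandom(32)}

    def under_attack(self):
        # Constructed heuristic: too many exchanges waiting on message 3.
        return len(self.half_open) >= self.half_open_limit

    def rotate_secret(self):
        # Keep the current and previous secret so in-flight cookies stay valid
        # across one rotation but become useless after two.
        self.version += 1
        self.secrets[self.version] = os.urandom(32)
        self.secrets.pop(self.version - 2, None)

    def _mac(self, version, addr, spi):
        return hmac.new(self.secrets[version], addr.encode() + spi,
                        hashlib.sha256).digest()[:16]

    def make_cookie(self, addr, spi):
        # Nothing is stored; the cookie is recomputable from the secret alone.
        return bytes([self.version % 256]) + self._mac(self.version, addr, spi)

    def cookie_valid(self, cookie, addr, spi):
        if len(cookie) != self.COOKIE_LEN:
            return False
        version = next((v for v in self.secrets if v % 256 == cookie[0]), None)
        if version is None:
            return False
        return hmac.compare_digest(cookie[1:], self._mac(version, addr, spi))

    def handle_message1(self, addr, spi, cookie=None):
        """Returns (verdict, cookie_or_None)."""
        if cookie is not None:
            if not self.cookie_valid(cookie, addr, spi):
                return "rejected", None
            self.half_open[spi] = addr
            return "accepted", None
        if self.under_attack():
            # Extra round trip: ask the initiator to come back with a cookie.
            return "cookie_request", self.make_cookie(addr, spi)
        self.half_open[spi] = addr
        return "accepted", None


def simulate():
    """Run a constructed scenario and return the observed outcomes."""
    r = Responder(half_open_limit=2)
    for i in range(2):
        r.handle_message1(f"192.0.2.{i}", os.urandom(8))
    assert r.under_attack()

    # Spoofed flood: message 1 from 100 forged addresses, no cookies.
    for i in range(100):
        verdict, _ = r.handle_message1(f"203.0.113.{i}", os.urandom(8))
        assert verdict == "cookie_request"
    state_after_flood = len(r.half_open)

    # Honest initiator completes the extra round trip.
    spi = os.urandom(8)
    _, cookie = r.handle_message1("198.51.100.7", spi)
    honest, _ = r.handle_message1("198.51.100.7", spi, cookie)

    # Same cookie presented from another address is rejected.
    replay, _ = r.handle_message1("198.51.100.8", spi, cookie)

    # Cookie survives one secret rotation but not two.
    r.rotate_secret()
    after_one = r.cookie_valid(cookie, "198.51.100.7", spi)
    r.rotate_secret()
    after_two = r.cookie_valid(cookie, "198.51.100.7", spi)

    return {"state_after_flood": state_after_flood, "honest": honest,
            "replay": replay, "after_one": after_one, "after_two": after_two}


if __name__ == "__main__":
    print(simulate())
```

The point the simulation makes is the one Andrew states: when the responder is not under attack the exchange stays at four messages (the first two initiators are accepted outright), and when it is, the hundred forged first messages cost the responder an HMAC each and no memory, while an honest peer pays one extra round trip. Exponential precomputation is orthogonal, as he notes; it would sit inside the state allocation, not in the cookie check.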