RE: security policy discovery

> One could imagine, however, Bob seeing the unprotected
> packet and letting that trigger an IKE SA setup. The
> initial TCP SYN would be dropped, but if it was still
> being retried when the ESP SA comes up, Alice would send
> one of the retried packets inside the ESP SA and the
> conversation would ensue. Alternately, one could
> imagine Bob passing on a limited class of packets (like
> TCP SYN) and letting the response packet trigger the
> setup of the ESP SA.

In this scenario, is there not a problem of spoofed packets
unnecessarily setting up tunnels between Bob and Alice? Each thinks that
the other side needs a tunnel to send traffic. This could become a
denial of service attack, especially if the lifetimes are small, since
both Bob and Alice will keep setting up tunnels and thus make the setup
of genuine tunnels slow.

-Satyadeva Konduru
Caymas Systems Inc.
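To make the churn concrete, here is a small added simulation (not code from this thread or any IPsec implementation) of an endpoint that starts an IKE negotiation whenever an unprotected packet arrives from a peer with no live SA. It assumes a constructed traffic trace, a 10-second SA lifetime and a hypothetical per-peer limit on trigger-initiated negotiations per window, and compares the number of negotiations the naive policy performs against the rate-limited one.

```python
from collections import defaultdict

SA_LIFETIME = 10  # seconds an SA stays up; deliberately small, as in the scenario


def sa_setups(packets, lifetime=SA_LIFETIME, max_per_peer=None, window=60):
    """Count IKE SA negotiations triggered by unprotected packets.

    packets: list of (time, peer) unprotected packets seen by this endpoint.
    Naive policy (max_per_peer=None): every packet from a peer without a live
    SA starts a negotiation.  Guarded policy (assumed mitigation, not from the
    thread): additionally allow at most max_per_peer trigger-initiated
    negotiations per peer within any `window` seconds; excess packets are
    dropped without negotiating.  Returns {peer: negotiations started}.
    """
    sa_expiry = {}                 # peer -> time its current SA expires
    history = defaultdict(list)    # peer -> start times of recent negotiations
    counts = defaultdict(int)
    for t, peer in sorted(packets):
        if sa_expiry.get(peer, -1) > t:
            continue               # live SA: the packet would travel inside it
        if max_per_peer is not None:
            recent = [s for s in history[peer] if t - s < window]
            history[peer] = recent
            if len(recent) >= max_per_peer:
                continue           # budget exhausted: drop, do not negotiate
        history[peer].append(t)
        counts[peer] += 1
        sa_expiry[peer] = t + lifetime
    return dict(counts)


# Constructed trace: an attacker spoofs Alice's address once per second for
# ten minutes, while Carol sends two genuine bursts of traffic.
TRAFFIC = [(t, "alice") for t in range(600)] + [
    (100, "carol"), (101, "carol"), (102, "carol"), (400, "carol"),
]

if __name__ == "__main__":
    # Naive: a fresh tunnel to Alice every time the previous one expires.
    print(sa_setups(TRAFFIC))                             # {'alice': 60, 'carol': 2}
    # Guarded: Alice capped at 2 per minute, Carol's genuine setups unaffected.
    print(sa_setups(TRAFFIC, max_per_peer=2, window=60))  # {'alice': 20, 'carol': 2}
```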