
RE: security policy discovery



On Thu, 12 Sep 2002, Satyadeva Konduru wrote:
> In this scenario, is there not a problem of spoofed packets
> unnecessarily setting up tunnels between Bob and Alice? Each thinks that
> the other side needs a tunnel to send traffic. This could become a
> denial of service attack, especially if the lifetimes are small, since
> both Bob and Alice will keep setting up tunnels and thus make the setup
> of genuine tunnels slow.

Bob and Alice would be well advised to adaptively adjust the lifetime of
the tunnels they set up, so that if they are starting to burn significant
numbers of cycles setting up and tearing down tunnels to the same place,
they lengthen the tunnel life to reduce the overhead.  (Keeping a tunnel
open costs essentially nothing, at least not until rekeying time.)

                                                          Henry Spencer
                                                       henry@spsystems.net
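
An added example, not part of the original message and not code from any IPsec implementation: a sketch of the adaptive lifetime adjustment suggested above, with a small simulation comparing it to a fixed lifetime. The class name, the thresholds (60 s base, 300 s window, more than 3 setups counts as churn) and the traffic pattern are assumptions made for illustration.

```python
from collections import defaultdict, deque

class AdaptiveLifetime:
    """Per-peer tunnel lifetime that lengthens while setups to that peer churn."""

    def __init__(self, base=60.0, ceiling=3600.0, window=300.0, max_setups=3):
        self.base, self.ceiling = base, ceiling        # seconds (assumed values)
        self.window, self.max_setups = window, max_setups
        self.recent = defaultdict(deque)               # peer -> recent setup times
        self.lifetime = defaultdict(lambda: base)      # peer -> current lifetime

    def on_setup(self, peer, now):
        """Record a tunnel setup at time `now`; return the lifetime to negotiate."""
        times = self.recent[peer]
        times.append(now)
        while now - times[0] > self.window:            # forget setups outside the window
            times.popleft()
        if len(times) > self.max_setups:
            # Burning cycles on repeated setups to the same place: double the lifetime.
            self.lifetime[peer] = min(self.lifetime[peer] * 2, self.ceiling)
        elif len(times) == 1:
            # Peer has been quiet for a whole window: relax back toward the base.
            self.lifetime[peer] = max(self.lifetime[peer] / 2, self.base)
        return self.lifetime[peer]

def count_setups(trigger_times, policy=None, fixed=60.0):
    """Count tunnel negotiations for one peer, given times of packets that need a tunnel."""
    expires, setups = -1.0, 0
    for t in trigger_times:
        if t >= expires:                               # no live tunnel: negotiate one
            setups += 1
            life = policy.on_setup("alice", t) if policy else fixed
            expires = t + life
    return setups

# Constructed input: a packet (genuine or spoofed) every 10 s for two hours.
TRIGGERS = range(0, 7200, 10)

if __name__ == "__main__":
    print("fixed 60 s lifetime:", count_setups(TRIGGERS), "setups")
    print("adaptive lifetime:  ", count_setups(TRIGGERS, AdaptiveLifetime()), "setups")
```

With this traffic the adaptive policy settles at a 240 s lifetime, so the setup rate drops to a quarter of the fixed-lifetime case after the first few minutes.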