
Protection against DoS attack

Section 4.4 of draft-ietf-ipsec-ikev2-03.txt states
that there is a denial of service attack on the initiator
that can be avoided if the initiator takes proper care.

Is it worth the added complexity of having the initiator
accept multiple responses to its first message and are we
just trading one DoS for another?

Since there is a significant amount of processing associated 
with creating message 3, an implementation would presumably
limit the number of responses it is willing to accept. An attacker
could flood the initiator with enough bogus responses to still 
poison the connection setup.

David
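The trade-off David raises, as an added illustration that is not part of his message or of the draft: a toy Python model of the initiator side of the IKE_SA_INIT / IKE_AUTH exchange. The initiator accepts up to a cap (`max_pending`, an assumed name) of responses to its one request, pays the Diffie-Hellman and key-derivation cost for each, sends a message 3 for each, and only learns which response was genuine when a message 4 carries a valid AUTH. The DH group (2**127 - 1 with generator 3), the SHA-256 key derivation and the PSK-keyed MAC standing in for the AUTH payload are all simplifications constructed for this example, not the draft's formats.

```python
# Constructed example: initiator handling of multiple responses to message 1.
import hashlib
import hmac
import secrets

# Toy DH group (Mersenne prime 2**127 - 1, generator 3): NOT an IKE group,
# used only so the DH step is real but cheap to run here.
P = 2**127 - 1
G = 3


def dh_pub(priv):
    return pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def derive_key(shared, ni, nr):
    # Stand-in for SKEYSEED / prf+ (simplified): hash nonces and shared secret.
    return hashlib.sha256(ni + nr + shared.to_bytes(16, "big")).digest()


def auth_tag(psk, role, ni, nr, key):
    # Stand-in for the AUTH payload (simplified): PSK-keyed MAC over the exchange.
    return hmac.new(psk, role + ni + nr + key, "sha256").digest()


class Initiator:
    def __init__(self, psk, max_pending):
        self.psk = psk
        self.max_pending = max_pending      # cap on responses it will process
        self.priv = secrets.randbelow(P - 2) + 2
        self.ni = secrets.token_bytes(16)
        self.pending = {}                   # SPIr -> (key, Nr) awaiting message 4
        self.dh_ops = 0                     # expensive operations performed
        self.established = False

    def message1(self):
        return {"ni": self.ni, "ke_i": dh_pub(self.priv)}

    def on_message2(self, msg2):
        """Process a response to message 1; returns message 3, or None if dropped."""
        if self.established or len(self.pending) >= self.max_pending:
            return None                     # over the cap: this is what a flood fills
        shared = dh_shared(self.priv, msg2["ke_r"])   # the expensive step
        self.dh_ops += 1
        key = derive_key(shared, self.ni, msg2["nr"])
        self.pending[msg2["spi_r"]] = (key, msg2["nr"])
        return {"spi_r": msg2["spi_r"],
                "auth": auth_tag(self.psk, b"init", self.ni, msg2["nr"], key)}

    def on_message4(self, msg4):
        """Only a valid AUTH tells the initiator which response was genuine."""
        entry = self.pending.get(msg4["spi_r"])
        if entry is None:
            return False
        key, nr = entry
        if not hmac.compare_digest(auth_tag(self.psk, b"resp", self.ni, nr, key),
                                   msg4["auth"]):
            return False
        self.established = True
        self.pending.clear()
        return True


class Responder:
    """The genuine peer: it holds the PSK, so it can produce a valid message 4."""
    def __init__(self, psk):
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 2
        self.nr = secrets.token_bytes(16)
        self.spi_r = secrets.token_bytes(8)

    def on_message1(self, msg1):
        self.ni = msg1["ni"]
        self.key = derive_key(dh_shared(self.priv, msg1["ke_i"]), self.ni, self.nr)
        return {"spi_r": self.spi_r, "nr": self.nr, "ke_r": dh_pub(self.priv)}

    def on_message3(self, msg3):
        expected = auth_tag(self.psk, b"init", self.ni, self.nr, self.key)
        if msg3["spi_r"] != self.spi_r or not hmac.compare_digest(expected, msg3["auth"]):
            return None
        return {"spi_r": self.spi_r,
                "auth": auth_tag(self.psk, b"resp", self.ni, self.nr, self.key)}


def bogus_message2():
    """Attacker's spoofed response: well-formed, but it can never answer message 3."""
    return {"spi_r": secrets.token_bytes(8), "nr": secrets.token_bytes(16),
            "ke_r": dh_pub(secrets.randbelow(P - 2) + 2)}


def run_exchange(max_pending, bogus_before_genuine):
    """Spoofed responses arrive before the genuine one; report whether the SA came up."""
    psk = b"constructed-psk"
    init, resp = Initiator(psk, max_pending), Responder(psk)
    genuine_msg2 = resp.on_message1(init.message1())
    for _ in range(bogus_before_genuine):
        init.on_message2(bogus_message2())  # message 3s to the attacker go unanswered
    msg3 = init.on_message2(genuine_msg2)
    msg4 = resp.on_message3(msg3) if msg3 else None
    established = msg4 is not None and init.on_message4(msg4)
    return {"established": established, "dh_ops": init.dh_ops}


if __name__ == "__main__":
    print(run_exchange(1, 1))   # first-response-only: one spoofed reply wins
    print(run_exchange(4, 2))   # cap of 4: genuine reply still gets through
    print(run_exchange(4, 4))   # cap of 4, flooded to the cap: genuine reply dropped
```

The three runs at the bottom are the two sides of the question: with a cap of one, a single spoofed reply that beats the real one poisons the setup; with a cap of four, two spoofed replies cost the initiator three DH operations but the SA still comes up; with four spoofed replies, the cap is full before the genuine reply arrives and the setup fails again, as the post argues.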