Initiator exposes DOS attack for IKEv2?
Hi all,
Hopefully, I do not misunderstand the draft in this DOS attack scenario.
Welcome any input.
Assume the Initiator creates the Diffie-Hellman group x public key and sends
the KE payload to the responder in the IKE_SA_INIT exchange. The
responder does not like this group x DH. It should respond back with
"INVALID_KE_PAYLOAD" indicating the correct DH group (see 2.7). Since
the IKE_SA_INIT exchange is a clear text exchange, it is possible that a
third party acts as the responder and replies with this "INVALID_KE_PAYLOAD"
to each of the initiator's requests.
This causes the initiator to keep changing the DH group and re-sending
the KE payload that the responder wants.
We know DH calculation is very CPU-intensive. The initiator system can suffer
a very bad DOS attack in this scenario. Any comment?
Thanks,
Tom Hu
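
An added example, not part of the original post or of the IKEv2 draft: one way an initiator could bound the work that unauthenticated INVALID_KE_PAYLOAD notifies can trigger, by honoring only groups it proposed itself, capping retries per negotiation, and reusing the key pair already generated for a group. The class, method names, retry limit, sample group numbers and toy modulus are all assumptions made for illustration.

```python
import secrets

TOY_P = 2**127 - 1   # constructed toy modulus, NOT a real IKE DH group
TOY_G = 3

class Initiator:
    """Hypothetical initiator-side handling of INVALID_KE_PAYLOAD."""
    def __init__(self, proposed_groups, max_retries=2):
        self.proposed = list(proposed_groups)  # groups offered in our own SA payload
        self.max_retries = max_retries         # assumed per-negotiation retry budget
        self.retries = 0
        self.keypairs = {}                     # group id -> (private, public)
        self.keygen_count = 0                  # expensive exponentiations performed
        self.current = self.proposed[0]

    def ke_payload(self):
        """Return (group, public value); generate a key pair at most once per group."""
        if self.current not in self.keypairs:
            priv = secrets.randbits(120) | 1
            self.keypairs[self.current] = (priv, pow(TOY_G, priv, TOY_P))
            self.keygen_count += 1
        return self.current, self.keypairs[self.current][1]

    def on_invalid_ke(self, suggested_group):
        """Handle an unauthenticated notify. True means retry, False means ignore."""
        if suggested_group not in self.proposed:
            return False   # a group we never offered cannot be a valid correction
        if suggested_group == self.current:
            return False   # already sending this group, nothing to change
        if self.retries >= self.max_retries:
            return False   # budget spent: stop switching groups for this attempt
        self.retries += 1
        self.current = suggested_group
        return True

def simulate_spoofed_notifies(initiator, suggestions):
    """Feed constructed notify suggestions to the initiator; return key generations."""
    initiator.ke_payload()
    for group in suggestions:
        if initiator.on_invalid_ke(group):
            initiator.ke_payload()
    return initiator.keygen_count
```

With these checks the number of key generations is bounded by the smaller of the proposal size and one plus the retry limit, regardless of how many notifies arrive.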