
RE: [Ipsec] new internet draft - draft-touch-anonsec



Hi Joe

I will subscribe to the tcpm list for the details on the RST ACK storm,
I guess this could be used as an amplifier for an attack if I understand
you correctly.

See below for comments on IKE
> > Finally, as is widely discussed, IKEv1 is not the most robust protocol
> > as far as responsiveness to DOS attacks. By requiring these nodes to do
> > IKE, I think we would be opening ourselves up for more problems.
> > 
> > Regards,
> > 
> > Bora
> 
> I don't appreciate enough of the details between IKEv1 and IKEv2 to 
> understand whether that would solve the problem.
> 
> I would presume that IKE would be rate-limited, i.e., the same way SYN
> processing is for TCP, to protect new association requests from
> assaulting existing associations. Is that the issue with DOS for IKEv1,
> or is there something more specific?
> 
> Joe
IKEv1 creates state for each new connection on the first packet, and so
does IKEv2 unless the cookie option is used, which is left as a
non-mandatory feature in the draft, only to be activated when the system
detects it's under attack.

Due to this, I think moving the security problem down to IKE does not
solve it, it just shifts it.

Thanks for your comments,

Bora
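Added example, not part of this thread or of any IKE implementation: a toy Python responder modelling the IKEv2 stateless cookie exchange Bora refers to. With cookie mode off, every first packet commits state; with it on, the responder answers with a cookie and commits nothing until the initiator echoes it. Class and function names are hypothetical and the addresses are constructed.

```python
import hmac, hashlib, os, secrets

class IkeResponder:
    """Toy IKEv2 responder modelling the cookie exchange of RFC 7296 section 2.6.
    Hypothetical simulation written for this message; not a real IKE stack."""

    def __init__(self, cookie_mode=False):
        self.cookie_mode = cookie_mode          # switched on when the system detects it is under attack
        self.secret = secrets.token_bytes(32)   # responder-only secret; rotate it periodically in practice
        self.secret_version = 1
        self.half_open = {}                     # SPIi -> state of SAs still waiting for IKE_AUTH

    def _cookie(self, src_ip, spi_i, nonce_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>), as in RFC 7296 2.6
        mac = hmac.new(self.secret, nonce_i + src_ip.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac

    def handle_ike_sa_init(self, src_ip, spi_i, nonce_i, cookie=None):
        """Process one IKE_SA_INIT request and return the action taken."""
        if self.cookie_mode:
            expected = self._cookie(src_ip, spi_i, nonce_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                # Stateless rejection: reply with N(COOKIE) and remember nothing.
                return ("COOKIE", expected)
        # Only here (cookie verified, or cookie mode off) does the responder commit state.
        self.half_open[spi_i] = {"peer": src_ip, "ni": nonce_i}
        return ("STATE_CREATED", None)

def spoofed_first_packets(responder, n):
    """Constructed traffic: n initiators that each send one IKE_SA_INIT and never reply."""
    for i in range(n):
        responder.handle_ike_sa_init(f"203.0.113.{i % 250}", os.urandom(8), os.urandom(16))
    return len(responder.half_open)   # how much state the responder was made to hold

def legit_handshake(responder, src_ip="198.51.100.7"):
    """A well-behaved initiator retries its request with the cookie it was handed."""
    spi_i, ni = os.urandom(8), os.urandom(16)
    action, cookie = responder.handle_ike_sa_init(src_ip, spi_i, ni)
    if action == "COOKIE":
        action, _ = responder.handle_ike_sa_init(src_ip, spi_i, ni, cookie=cookie)
    return action
```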


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec