RE: [Ipsec] new internet draft - draft-touch-anonsec
Hi Joe,
I will subscribe to the tcpm list for the details on the RST ACK storm,
I guess this could be used as an amplifier for an attack if I understand
you correctly.
See below for comments on IKE
> > Finally, as is widely discussed, IKEv1 is not the most robust protocol
> > as far as responsiveness to DOS attacks. By requiring these nodes to do
> > IKE, I think we would be opening ourselves up for more problems.
> >
> > Regards,
> >
> > Bora
>
> I don't appreciate enough of the details between IKEv1 and IKEv2 to
> understand whether that would solve the problem.
>
> I would presume that IKE would be rate-limited, i.e., the same way SYN
> processing is for TCP, to protect new association requests from
> assaulting existing associations. Is that the issue with DOS for IKEv1,
> or is there something more specific?
>
> Joe
IKEv1 creates state for each new connection on the first packet, and so
does IKEv2, unless the cookie option is used, which is left as a
non-mandatory feature in the draft, only to be activated when the system
detects it's under attack.

Due to this, I think moving the security problem down to IKE does not
solve it; it just shifts it.
Thanks for your comments,
Bora
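The cookie mechanism Bora refers to is the one IKEv2 uses to avoid keeping state on the first packet: the responder answers with a value derived from a secret and the initiator's own fields, and allocates state only when that value comes back. The following is an added example of that shape (not code from the draft, the thread, or any IKE implementation); the class name, the half-open threshold that stands in for "detects it's under attack", and the sample SPIs and addresses are assumptions.

```python
import hmac
import hashlib
import os

class IkeResponder:
    """Responder side of IKE_SA_INIT with an IKEv2-style stateless cookie.

    Below the threshold it behaves as the email describes: state is created
    on the first packet. At or above the threshold it answers with a cookie
    computed as version || HMAC(secret, SPIi || Ni || IPi) and stores
    nothing until the initiator echoes a valid cookie back."""

    COOKIE_LEN = 16

    def __init__(self, max_half_open=100):
        self.max_half_open = max_half_open          # assumed "under attack" threshold
        self.half_open = {}                         # SPIi -> (IPi, Ni) for SAs in progress
        self.secret_version = 1                     # one-byte version id in the cookie
        self.secrets = {1: os.urandom(32)}          # version -> secret

    def under_attack(self):
        return len(self.half_open) >= self.max_half_open

    def rotate_secret(self):
        """Install a new secret; keep the previous one so in-flight cookies still verify."""
        old = self.secret_version
        self.secret_version += 1
        self.secrets = {old: self.secrets[old], self.secret_version: os.urandom(32)}

    def _cookie(self, version, spi_i, nonce_i, ip_i):
        msg = spi_i + nonce_i + ip_i.encode()
        mac = hmac.new(self.secrets[version], msg, hashlib.sha256).digest()
        return bytes([version]) + mac[:self.COOKIE_LEN]

    def _cookie_valid(self, cookie, spi_i, nonce_i, ip_i):
        if not cookie or cookie[0] not in self.secrets:
            return False
        expected = self._cookie(cookie[0], spi_i, nonce_i, ip_i)
        return hmac.compare_digest(cookie, expected)

    def handle_init(self, spi_i, nonce_i, ip_i, cookie=None):
        """Return ('cookie', bytes) to ask for a retry, or ('state', spi_i) once state exists."""
        if self.under_attack() and not self._cookie_valid(cookie, spi_i, nonce_i, ip_i):
            # Nothing is stored here: the cookie carries everything needed to recheck it,
            # so a flood of first packets costs the responder one HMAC each and no memory.
            return ("cookie", self._cookie(self.secret_version, spi_i, nonce_i, ip_i))
        self.half_open[spi_i] = (ip_i, nonce_i)
        return ("state", spi_i)
```

A cookie is bound to the SPI, nonce and address it was issued for, so it cannot be replayed for a different initiator, and rotating the secret twice retires cookies issued under the oldest version.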
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec