RE: [Ipsec] new internet draft - draft-touch-anonsec



1) MM has its own issues, coupled with the fact that it takes 6 messages
to get anything done. What's next, an MM exchange for each DNS request?
2) If the DOS attacks are coming from machines that are "owned", MM
has very similar properties to aggressive mode.
3) IKE for the purpose of off-path transport layer attacks is 
like using a jack hammer to drive a thin nail on a picture frame.
4) The proposed approach, which is really equivalent to a pre-shared key
that is hard coded into every IKE implementation, opens us up for even
more issues.

I think the basic idea has merit, i.e., for certain
applications the receiver must be in control of who it talks to.
I am not sure IKE is the way to go for this.

Bora


> -----Original Message-----
> From: Michael Richardson [mailto:mcr@sandelman.ottawa.on.ca] 
> Sent: Friday, May 07, 2004 10:53 AM
> To: Bora Akyol
> Cc: 'Joe Touch'; 'ipsec mailingList'
> Subject: Re: [Ipsec] new internet draft - draft-touch-anonsec
> 
> 
> 
> >>>>> "Bora" == Bora Akyol <bora@cisco.com> writes:
>     Bora> Finally, as is widely discussed, IKEv1 is not the most robust protocol
>     Bora> as far as responsiveness to DOS attacks. By requiring these nodes to do
>     Bora> IKE, I think we would be opening ourselves up for more problems.
> 
>   IKE in aggressive mode has that property.
>   That's why smart people don't use that.
> 


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec