
Re: [Ipsec] new internet draft - draft-touch-anonsec





>>>>> "Bora" == Bora Akyol <bora@cisco.com> writes:
    Bora> 1) MM has its own issues coupled with the fact that it takes 6 messages
    Bora> to get anything done. What's next, a MM exchange for each DNS
    Bora> request?

  a) we've done that, and it isn't as bad as you might think.
     There is a bootstrap issue if you are getting keys from DNS.

  b) MM for each new TCP connection that a router does isn't really that
     much of a deal. Routers do not talk TCP to many systems.

    Bora> 2) If the DOS attacks are coming from machines that are "owned" MM
    Bora> has very similar properties to aggressive mode.

  That's true.
  But, that's why IKE implementations need to manage themselves very
carefully.  The point is to take all of our knowledge about how to
defend against DDoS attacks and put it into one place so that we don't
have to keep putting this into every protocol.

    Bora> 3) IKE for the purpose of off-path transport layer attacks is 
    Bora> like using a jack hammer to drive a thin nail on a picture
    Bora> frame.

  Defending against such attacks will become more and more important.

    Bora> 4) The proposed approach which is really equivalent to a pre-shared key
    Bora> that is hard coded into every IKE implementation opens us up for even
    Bora> more issues.

  Yes, I agree. I'm not crazy about Joe's approach either.
  I know we can do better, because we have already done better.

--
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec