
RE: [Ipsec] Saving of one exchange in case of DOS attack



In your proposal, the message in packet #3 is encrypted.  If Responder does not keep any state, it won't be able to decrypt this message.  Add to that the fact that after message #2 Responder already did the heavy lifting (the DH calculation), you get no benefit.
 
The point of the stateless cookie is that with very simple calculations and no kept state, the Responder can verify that the Initiator can get packets


From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of khan wadood
Sent: Tuesday, August 24, 2004 11:13 AM
To: ipsec@ietf.org
Cc: ynir@netvision.net.il; charliek@microsoft.com; paul.hoffman@vpnc.org; kivinen@iki.fi
Subject: [Ipsec] Saving of one exchange in case of DOS attack

 <snip>

QUESTION:

My point of view is: why not do it this way?

In this case, Alice will not send her IKE_SPI value to Bob in message#1; instead Bob will send his IKE_SPI value (acts as Cookie) to Alice in message#2.

Bob will not commit any state until Alice sends her IKE_SPI value and Bob’s IKE_SPI value (acts as cookie) to Bob in message#3 (i.e., the first message of the second exchange).

ADVANTAGES:

1- We can save the cost/time of one extra exchange.

2- IKE_SPI and Cookie can both be random values, so we can benefit from using the Cookie as IKE_SPI or the IKE_SPI as Cookie.


  Initiator                                 Responder
  -----------                               -----------
       HDR(0,0), SAi1, KEi, Ni   -->

                                 <-- HDR(0,B), SAr1, KEr, Nr, [CERTREQ]

       HDR(A,B), SK {IDi, [CERT,] [CERTREQ,] [IDr,]
           AUTH, SAi2, TSi, TSr} -->

                                 <-- HDR(A,B), SK {IDr, [CERT,] AUTH,
                                     SAr2, TSi, TSr}

Where:

 A = Initiator’s SPI
 B = Responder’s SPI


Any comments will be highly appreciated.

Thanks in advance.

wadood


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
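The following is an added worked illustration of the stateless-cookie mechanism the reply refers to; it is not code from this thread, from RFC 4306, or from any IKE implementation. It assumes a hypothetical Responder that keeps only a small rotating secret, derives the cookie as a truncated HMAC over the Initiator's SPI, nonce and source address, and starts no per-Initiator work (in particular no DH computation and no state allocation) until a request carrying a valid cookie arrives. The SPI, nonce and addresses in `demo()` are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hypothetical stateless cookie for IKE_SA_INIT (added example, not from
# RFC 4306 or any IKE implementation). The Responder stores only a rotating
# secret; everything else needed to check a cookie is recomputed from the
# Initiator's own message, so an unverified Initiator costs one HMAC and no
# memory. The DH exponentiation happens only after the cookie round trip.

COOKIE_MAC_LEN = 16   # truncated HMAC output carried in the cookie
SECRET_LEN = 32       # size of each generated secret


class StatelessCookieResponder:
    def __init__(self):
        self._version = 0
        # version -> secret; the previous version is kept so cookies issued
        # just before a rotation still verify on the Initiator's retry.
        self._secrets = {0: secrets.token_bytes(SECRET_LEN)}

    def rotate_secret(self):
        """Periodic rotation bounds how long an observed cookie stays usable."""
        self._version += 1
        self._secrets[self._version] = secrets.token_bytes(SECRET_LEN)
        for old in [v for v in self._secrets if v < self._version - 1]:
            del self._secrets[old]

    def _secret_for(self, version_byte):
        # Only the current and the previous secret are acceptable.
        for v in (self._version, self._version - 1):
            if v >= 0 and v % 256 == version_byte and v in self._secrets:
                return self._secrets[v]
        return None

    def _mac(self, secret, spi_i, ni, ip_i):
        data = spi_i + ni + ip_i.encode("ascii")
        return hmac.new(secret, data, hashlib.sha256).digest()[:COOKIE_MAC_LEN]

    def make_cookie(self, spi_i, ni, ip_i):
        """cookie = version_byte || HMAC(secret_version, SPIi || Ni || IPi)."""
        mac = self._mac(self._secrets[self._version], spi_i, ni, ip_i)
        return bytes([self._version % 256]) + mac

    def verify_cookie(self, cookie, spi_i, ni, ip_i):
        """Recompute from the message and compare in constant time; no state lookup."""
        if len(cookie) != 1 + COOKIE_MAC_LEN:
            return False
        secret = self._secret_for(cookie[0])
        if secret is None:
            return False
        return hmac.compare_digest(cookie[1:], self._mac(secret, spi_i, ni, ip_i))

    def handle_ike_sa_init(self, spi_i, ni, ip_i, cookie=None, under_attack=True):
        """Decide what to do with an IKE_SA_INIT request.

        Returns ("COOKIE", cookie) when the Initiator must resend with the
        cookie, or ("PROCEED", None) when the expensive work (DH, allocating
        the SA) may begin. Nothing is stored per Initiator in the first branch.
        The cookie challenge is only used while the Responder believes it is
        under attack, as the base protocol intends.
        """
        if not under_attack:
            return ("PROCEED", None)
        if cookie is None or not self.verify_cookie(cookie, spi_i, ni, ip_i):
            return ("COOKIE", self.make_cookie(spi_i, ni, ip_i))
        return ("PROCEED", None)


def demo():
    """Constructed exchange: first request, genuine retry, then a replay from elsewhere."""
    responder = StatelessCookieResponder()
    spi_i = bytes.fromhex("0102030405060708")   # constructed Initiator SPI
    ni = b"N" * 32                              # constructed nonce
    ip_i = "192.0.2.10"                         # constructed source address
    # Message 1 without a cookie: Responder answers with one and keeps nothing.
    action, cookie = responder.handle_ike_sa_init(spi_i, ni, ip_i)
    # Message 1 resent with the cookie from the same address: work may begin.
    retry, _ = responder.handle_ike_sa_init(spi_i, ni, ip_i, cookie=cookie)
    # The same cookie presented from a different source address fails.
    replay, _ = responder.handle_ike_sa_init(spi_i, ni, "198.51.100.7", cookie=cookie)
    return action, retry, replay


if __name__ == "__main__":
    print(demo())  # ('COOKIE', 'PROCEED', 'COOKIE')
```

The binding to the source address is what lets the Responder conclude, with no kept state, that the Initiator can actually receive packets at that address; the point made in the reply is that an encrypted third message cannot play this role, because decrypting it already requires the DH result, and thus state, on the Responder side.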