On 4/20/2009 11:50 PM, Paul Hoffman wrote:
At 11:15 PM +0530 4/20/09, Lakshminath Dondeti wrote:
Before the one roundtrip mechanism is deleted, could you summarize
how the security issue that was raised is applicable under the
threat model we work with?

No, I can summarize it after it is deleted, given that I deleted it
in my last message.

The security issues that Pasi sent to the mailing list over a month
ago include:

- A replay of a ticket can cause exhaustion of many resources, not
just CPU or state on the gateway. Pasi listed these about a month
ago.

That was some interesting logic based on a fictional deployment. Are we to optimize specifically for Pasi's vision of deploying networks?


- A replay of a ticket can cause a legitimate resumption to fail,
depending on the algorithms used in the IKE SA.

This is unrelated to your, um, interesting logic about RFC 3552. The
WG can decide its threat models as it sees fit.

Huh, and presumably without ever documenting such a threat model!


The IKEv2 RFC really defines what is in scope.  Server state
exhaustion attacks are not in scope for being mandatorily made
"more difficult" for some definition of more.

I don't see anything in RFC 4306 that limits the scope of the threat
models for extensions.

So, are you suggesting that we design IKEv2 for one threat model and IKEv2 session resumption for another?

regards,
Lakshminath


--Paul Hoffman, Director
--VPN Consortium
_______________________________________________ IPsec mailing list
IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
