On Mar 13, 2013, at 10:06 AM, Valery Smyslov <sva...@gmail.com> wrote:

> Hi Yaron,
> 
>> I believe the DoS argument is incorrect, because the message we are most 
>> worried about (most likely to get fragmented) is IKE_AUTH, and at this point 
>> both peers are not yet authenticated, of course. So fragments and messages 
>> can be encrypted but cannot be authenticated. Thus, an attacker can send any 
>> number of seemingly valid fragments.
>> 
>> Let me know if I'm missing anything.
> 
> I agree that the term "authenticated" is a bit misleading here.
> The better term would be "integrity protected".
> In our proposal the receiver can be absolutely sure that
> each fragment comes from the very peer he/she exchanged
> DH exponents and calculated shared secret with.
> 
> All fragments whose ICV cannot be verified are discarded
> and don't prevent communication with the real peer in any way.

So in order to get the responder to spend memory resources on storing the 
fragment, the initiator needs to expend CPU resources on completing the D-H 
calculation, and calculating integrity protection on the fragment. Makes sense.

What do you get when you put together the fragments? A decrypted IKE message?  
Just the list of payloads?

Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
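
The verify-before-store behaviour discussed in this thread, as an added example that is not code from the thread or from the proposal it discusses: a receiver that buffers a fragment only after its ICV verifies, so forged fragments consume no reassembly memory. The fragment framing, the truncated HMAC-SHA256 ICV, the fragment cap and all names are assumptions, and the sketch treats the reassembled result as opaque bytes.

```python
import hmac, hashlib, os, struct

ICV_LEN = 16  # assumed truncation length, not taken from the thread

def make_fragment(key, num, total, chunk):
    """Sender side: header (fragment number, total) + data + ICV."""
    body = struct.pack("!HH", num, total) + chunk
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

class Reassembler:
    """Receiver side: a fragment is buffered only after its ICV verifies."""
    MAX_FRAGMENTS = 64  # assumed cap on per-exchange state

    def __init__(self, key):
        self.key, self.parts, self.total, self.dropped = key, {}, None, 0

    def _drop(self):
        self.dropped += 1  # count the discard; nothing is stored
        return None

    def receive(self, pkt):
        """Return the reassembled bytes once complete, else None."""
        if len(pkt) < 4 + ICV_LEN:
            return self._drop()
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):
            return self._drop()  # forged fragment
        num, total = struct.unpack("!HH", body[:4])
        if not (1 <= num <= total <= self.MAX_FRAGMENTS):
            return self._drop()
        if self.total not in (None, total):
            return self._drop()  # inconsistent total
        self.total = total
        self.parts.setdefault(num, body[4:])  # duplicates are ignored
        if len(self.parts) < total:
            return None
        return b"".join(self.parts[i] for i in range(1, total + 1))

def demo():
    key = os.urandom(32)  # stands in for a key derived from the D-H secret
    msg = b"constructed IKE_AUTH payload bytes " * 8  # constructed sample
    chunks = [msg[i:i + 100] for i in range(0, len(msg), 100)]
    frags = [make_fragment(key, n, len(chunks), c) for n, c in enumerate(chunks, 1)]
    rx = Reassembler(key)
    for n in range(1, 4):  # fragments from a sender that lacks the key
        rx.receive(make_fragment(os.urandom(32), n, 3, b"junk"))
    stored_after_forgeries = len(rx.parts)
    out = None
    for f in reversed(frags):  # out-of-order delivery
        out = rx.receive(f) or out
    return stored_after_forgeries, rx.dropped, out == msg
```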
