Paul Wouters writes:
> Note that requires an observer that can see your cookies/spi.

Yes.

> Which would
> mean a local attacker, who could just as easily send you nonsense
> forged from the remote endpoint - as they are guaranteed to answer
> faster. You'd be decrypting thousands of packets to find the needle in
> the haystack. I wonder what the chances then are that you don't end up
> dropping the valid fragment.

My PC has more than enough CPU power to verify the MAC on the packets
coming in over the wireless link. On the other hand, if an attacker fills
the wireless link with junk packets, it is very easy to find him. If the
attacker just sends one random packet every 2 seconds, it is much
harder to pinpoint who and where he is.

The idea of DoS protection is to make the attack more expensive for
the attacker, and also make detecting him easier. Adding MAC to
fragments does both.
-- 
kivi...@iki.fi
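The point being argued, as an added example that is not code from this thread or from any IKE implementation: a toy fragment reassembler that verifies an HMAC on each fragment before buffering it. A local attacker who can see message ids and fragment numbers and who answers faster than the real peer (the situation in the quoted text) costs the receiver one HMAC computation per forged fragment and cannot displace the genuine fragment. The wire layout, the key `KEY`, the message id `MSG_ID`, and the `run_scenario` helper are all constructed for illustration and are not the IKEv2 fragmentation format.

```python
"""
Added example: per-fragment MAC verification during reassembly.
Everything here (field layout, key, message id) is constructed and is
not the IKEv2 fragment format or any implementation's code.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed session key; a real IKE peer would use keys derived from the SA.
KEY = b"\x11" * 32
MSG_ID = 7


@dataclass(frozen=True)
class Fragment:
    msg_id: int
    frag_num: int   # 1-based index of this fragment
    total: int      # number of fragments in the message
    payload: bytes
    mac: bytes      # HMAC-SHA256 over the fields above


def _auth_data(msg_id: int, frag_num: int, total: int, payload: bytes) -> bytes:
    """Bytes covered by the per-fragment MAC: header fields plus payload."""
    return (msg_id.to_bytes(4, "big") + frag_num.to_bytes(2, "big")
            + total.to_bytes(2, "big") + payload)


def make_fragment(key: bytes, msg_id: int, frag_num: int, total: int, payload: bytes) -> Fragment:
    """Sender side: attach an HMAC so the receiver can reject forgeries cheaply."""
    mac = hmac.new(key, _auth_data(msg_id, frag_num, total, payload), hashlib.sha256).digest()
    return Fragment(msg_id, frag_num, total, payload, mac)


class Reassembler:
    """Receiver side. With verify_mac=True a fragment is buffered only after its
    MAC checks out; with verify_mac=False it models a receiver that keeps the
    first copy of each fragment number it sees, whoever sent it."""

    def __init__(self, key: bytes, verify_mac: bool = True, max_fragments: int = 16):
        self.key = key
        self.verify_mac = verify_mac
        self.max_fragments = max_fragments
        self.buffers: dict[int, dict[int, bytes]] = {}
        self.rejected = 0

    def receive(self, frag: Fragment) -> bytes | None:
        """Return the reassembled message once every fragment has arrived."""
        if not (1 <= frag.frag_num <= frag.total <= self.max_fragments):
            self.rejected += 1          # malformed header: never buffered
            return None
        if self.verify_mac:
            expected = hmac.new(self.key, _auth_data(frag.msg_id, frag.frag_num,
                                                     frag.total, frag.payload),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, frag.mac):
                self.rejected += 1      # forged or corrupted: one HMAC spent, nothing stored
                return None
        buf = self.buffers.setdefault(frag.msg_id, {})
        buf.setdefault(frag.frag_num, frag.payload)   # first accepted copy wins
        if len(buf) < frag.total:
            return None
        del self.buffers[frag.msg_id]
        return b"".join(buf[i] for i in range(1, frag.total + 1))


def run_scenario(verify_mac: bool) -> tuple[bytes | None, int]:
    """Constructed scenario: a forged fragment 2 arrives before the real one."""
    message = b"IKE_AUTH payload: " + bytes(range(40))
    pieces = [message[i:i + 20] for i in range(0, len(message), 20)]
    total = len(pieces)
    genuine = [make_fragment(KEY, MSG_ID, n, total, p) for n, p in enumerate(pieces, 1)]
    # The attacker sees msg_id and fragment numbers on the link but has no KEY,
    # so the MAC field is junk.
    forged = Fragment(MSG_ID, 2, total, b"X" * 20, b"\x00" * 32)

    rx = Reassembler(KEY, verify_mac=verify_mac)
    result = None
    for frag in [genuine[0], forged] + genuine[1:]:
        out = rx.receive(frag)
        if out is not None:
            result = out
    return result, rx.rejected


if __name__ == "__main__":
    print("with MAC   :", run_scenario(True))
    print("without MAC:", run_scenario(False))
```

With verification on, the forged fragment is counted in `rejected` and the message reassembles correctly; with it off, the forged copy occupies slot 2 and the reassembled message is wrong. The receiver's cost per forgery is a single HMAC, and the rejection counter is exactly the kind of signal that makes a flooding attacker easy to spot.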
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec