On Oct 13, 2014, at 1:04 AM, Graham Bartlett (grbartle) <grbar...@cisco.com>
wrote:
> Hi Yoav
>
> Thanks for the explanation, just for my understanding, why does this
> rate-limiting have to (strictly) rely on the cookie (or puzzle)
> notification? Is it more of the case that it guarantees that the attacker
> is the attacker (prevents blind-spoofing) and as you say limits the
> attacker to using their own IP address?
I think you got it. Without something that guarantees return routability such
as the cookie or the puzzle, an attacker can send IKE_INIT requests, one from
each and every Internet address, quickly exhausting the half-open SA database.
It doesn’t help to rate-limit if the attacker has a nearly-infinite supply of
source addresses. At least the cookies limit the attacker to the actual size of
her botnet.
> So say our bot would send 5 requests a second and always get to IKE_AUTH
> and transmit a random value attempting to authenticate, it would never
> leave any half-open SAs. I presume enabling the cookie notification will
> prevent the bot attempting to masquerade as another legitimate address at
> the same time (where your rate-limiting would help prevent a DoS
> condition). As the attacker would never leave any half-open SAs (as they
> get to IKE_AUTH and then authentication would fail), so strictly speaking
> the cookie notification might never be employed (if it's enabled to be
> activated when half-open SAs are detected) and you could (and should)
> rate-limit without enabling cookies.
The cookie mechanism prevents the blind spoofing, so it’s forcing the attacker
to this kind of attack, where rate-limiting is helping.
> I'm not knocking the cookie-notification (I'm all for it), but I think
> that rate-limiting should occur even if the headend isn't detecting a
> large number of half-open SAs.
Sure. But as long as we’re not preventing spoofed requests, the attacker can
still use the other strategy.
Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
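The interplay Yoav describes, as an added toy model (this is not code from the thread or from any IKE implementation): half-open state is only allocated once a source echoes a stateless cookie, so a per-source rate limit is applied only to addresses that proved return routability. The HMAC-over-(address, SPI) cookie, the token-bucket constants and the TEST-NET addresses are constructed assumptions for illustration.

```python
import hmac, hashlib, os
from collections import defaultdict

class Responder:
    """Toy IKEv2-style responder (constructed illustration, not real IKE code): a
    stateless HMAC cookie in the spirit of RFC 7296 plus a per-source token bucket."""
    def __init__(self, require_cookie, max_half_open=100, rate=5.0, burst=5):
        self.require_cookie = require_cookie
        self.secret = os.urandom(32)  # a real responder rotates this periodically
        self.max_half_open, self.rate, self.burst = max_half_open, rate, burst
        self.half_open = {}  # (src_ip, spi_i) -> creation time of the half-open SA
        self.buckets = defaultdict(lambda: [burst, 0.0])  # src_ip -> [tokens, last]

    def cookie_for(self, src_ip, spi_i):  # bound to the address the reply went to
        return hmac.new(self.secret, f"{src_ip}|{spi_i}".encode(), hashlib.sha256).digest()[:16]

    def _allow(self, src_ip, now):  # per-source rate limit (token bucket)
        bucket = self.buckets[src_ip]
        tokens = min(self.burst, bucket[0] + (now - bucket[1]) * self.rate)
        bucket[:] = [tokens - 1 if tokens >= 1 else tokens, now]
        return tokens >= 1

    def ike_sa_init(self, src_ip, spi_i, now, cookie=None):
        """Returns 'COOKIE', 'REJECT', 'RATE_LIMITED' or 'HALF_OPEN'."""
        if self.require_cookie:
            if cookie is None:
                return "COOKIE"  # stateless reply: no half-open state allocated
            if not hmac.compare_digest(cookie, self.cookie_for(src_ip, spi_i)):
                return "REJECT"  # cookie was not issued to this address/SPI
        # Only sources that proved return routability reach the per-source limiter.
        if not self._allow(src_ip, now):
            return "RATE_LIMITED"
        if len(self.half_open) >= self.max_half_open:
            return "REJECT"
        self.half_open[(src_ip, spi_i)] = now
        return "HALF_OPEN"

def half_open_after_spoofed_init(require_cookie, n_sources):
    """One request each from n spoofed addresses whose senders never see the COOKIE reply."""
    r = Responder(require_cookie)
    for i in range(n_sources):
        r.ike_sa_init(f"198.51.100.{i}", i, 0.0)  # constructed TEST-NET-2 addresses
    return len(r.half_open)

def half_open_after_own_address_burst(n_requests):
    """One return-routable source echoing valid cookies as fast as it can, all at t=0."""
    r, src = Responder(True), "203.0.113.7"
    for i in range(n_requests):
        c = r.cookie_for(src, i) if r.ike_sa_init(src, i, 0.0) == "COOKIE" else None
        r.ike_sa_init(src, i, 0.0, cookie=c)
    return len(r.half_open)
```

Without the cookie, fifty spoofed addresses leave fifty half-open SAs despite the per-source limit; with it, they leave none, and a single real address is held to the bucket's burst size.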