Hi again, another issue that has been added to the tracker: whether to use puzzles for protection against nefarious IKE peers after the IKE SA is established.

My opinion: using puzzles after the IKE SA is established is possible, but is not justified. It would significantly complicate the IKE state machine (I presume that the initiator would have to be able to restart any exchange if it received a puzzle). On the other hand, after the IKE SA is established the host has various means to deal with a nefarious peer. Some of them are listed in the draft, such as the TEMPORARY_FAILURE and NO_ADDITIONAL_SAS notifications, artificial delays, limiting the IKE window size to 1, etc.

Regards,
Valery.
#230: Use puzzles for DoS protection within an IKE SA

Earlier versions of the draft did not cover DoS by an authenticated client. With the approval of NULL-auth, the fact that a peer has a valid IKE SA is less of an indication that it is not an attacker. At IETF 92 the question was asked if we wanted to use puzzles within encrypted IKE, so that a peer with an IKE SA is not able to needlessly rekey a child SA (with PFS), flood the responder with liveness checks, or do other kinds of nefarious IKE.

--
Reporter: ynir.i...@gmail.com | Owner: draft-ietf-ipsecme-ddos-protect...@tools.ietf.org
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: ddos-protection | Severity: Active WG Document
Keywords: |

Ticket URL: <http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/230>
ipsecme <http://tools.ietf.org/ipsecme/>
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
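The per-SA countermeasures Valery lists as alternatives to puzzles (NO_ADDITIONAL_SAS, TEMPORARY_FAILURE, artificial delay, window size 1) sketched as a responder-side policy for one established IKE SA. This is an added example, not code from the thread or from any IKE implementation; the request labels, limits and PeerSaState bookkeeping are constructed assumptions, and only the two notify type numbers come from RFC 7296.

```python
from dataclasses import dataclass, field

# IKEv2 notify types used as per-SA countermeasures (RFC 7296, section 3.10.1)
NO_ADDITIONAL_SAS = 35
TEMPORARY_FAILURE = 43


@dataclass
class PeerSaState:
    """Responder-side bookkeeping for one established IKE SA (constructed model)."""
    child_sas: int = 0
    rekey_times: list = field(default_factory=list)      # timestamps of accepted rekeys
    liveness_times: list = field(default_factory=list)   # timestamps of answered liveness checks
    outstanding: int = 0                                 # requests received but not yet answered


@dataclass
class Limits:
    max_child_sas: int = 4            # beyond this, answer NO_ADDITIONAL_SAS
    max_rekeys_per_min: int = 2       # beyond this, answer TEMPORARY_FAILURE (no DH work done)
    max_liveness_per_min: int = 6     # beyond this, still answer but only after a delay
    window_size: int = 1              # advertised IKE window: one outstanding request per SA
    delay_seconds: float = 2.0        # artificial delay once a limit is hit


def _recent(times, now, window=60.0):
    """Drop timestamps older than the window and return how many remain."""
    times[:] = [t for t in times if now - t < window]
    return len(times)


def decide(state, request, limits, now):
    """Return (action, notify_type, delay_seconds) for one request on an established IKE SA."""
    if state.outstanding >= limits.window_size:
        # Outside the advertised window (window size 1): not a valid new request, drop it
        # without spending CPU; retransmissions of the answered message are handled elsewhere.
        return ("drop", None, 0.0)
    if request == "CREATE_CHILD_SA_NEW":
        if state.child_sas >= limits.max_child_sas:
            return ("reject", NO_ADDITIONAL_SAS, 0.0)
        state.child_sas += 1
        return ("accept", None, 0.0)
    if request == "CREATE_CHILD_SA_REKEY":
        if _recent(state.rekey_times, now) >= limits.max_rekeys_per_min:
            # Ask the peer to retry later instead of doing another PFS DH exchange now.
            return ("reject", TEMPORARY_FAILURE, limits.delay_seconds)
        state.rekey_times.append(now)
        return ("accept", None, 0.0)
    if request == "INFORMATIONAL_LIVENESS":
        if _recent(state.liveness_times, now) >= limits.max_liveness_per_min:
            # Still answer (silence would make an honest peer declare us dead), but slowly.
            return ("accept", None, limits.delay_seconds)
        state.liveness_times.append(now)
        return ("accept", None, 0.0)
    raise ValueError(f"unknown request {request}")
```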