Hi,

Last night I noticed the following:

https://community.akamai.com/docs/DOC-5289

It talks of various results when using a single packet to generate an amplification attack (well worth a read..). As we discussed last week, all implementations that send multiple replies to a single SA_INIT would be broken in some form. Because of the impact of this (and these shocking results), I'd like to add the following words to the security considerations around retransmissions with respect to amplification attacks using SA_INIT / IKE_AUTH:

"As described in RFC7296 Use of Retransmission Timers. For every pair of messages it is the responsibility of the initiator to retransmit should a message be lost. A responder MUST only send a single reply to an SA_INIT or IKE_AUTH message and MUST never engage the retransmission mechanism, even if a reply is not received. This mitigates the chances that a response will become a victim of an amplification attack where a single packet is used to generate multiple replies."

Thoughts?

cheers

On 06/03/2016 17:09, "Yoav Nir" <ynir.i...@gmail.com> wrote:

>IMHO even in that case this is not an interesting attack. We should be
>worried about amplification attacks where little traffic causes a lot of
>traffic, not a case where I send a 200-byte packet which results in a
>250-byte packet, and not even 5 250-byte packets. Sending a request and
>directing a server to send an entire movie in 4K quality using RTP is an
>interesting amplification attack. Using a 10-Mbps uplink to generate
>12-Mbps of traffic is not.
>
>Yoav
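The following model, added here as an illustration and not code from the thread or from any IKE implementation, puts the proposed rule side by side with the behaviour it rules out. A compliant responder answers each IKE_SA_INIT request it actually receives (replaying its cached reply if the initiator retransmits, as RFC 7296 section 2.1 has the initiator drive retransmission) and has no timer of its own; a responder that arms its own retransmission timer keeps resending toward whatever source address the request carried. The 240-byte request, 280-byte reply, three-retry schedule and addresses are constructed assumptions used only to compute the resulting amplification factor.

```python
"""IKEv2 responder retransmission model (added illustration, not code from
the thread). Packet sizes, the three-retry timer and the addresses are
constructed assumptions used only to compute an amplification factor."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str    # source address; an attacker can spoof this to a victim's
    dst: str
    msg_id: int
    size: int   # bytes on the wire (constructed sizes)
    kind: str   # "IKE_SA_INIT_REQ" or "IKE_SA_INIT_RESP"


class Responder:
    """Responder that never arms a retransmission timer.

    It answers each IKE_SA_INIT request it actually receives and caches the
    reply per (src, msg_id); if the same request arrives again (the
    initiator retransmitting, RFC 7296 section 2.1) the cached reply is
    resent verbatim. When no request arrives, nothing is sent.
    """

    def __init__(self, addr, resp_size=280):
        self.addr = addr
        self.resp_size = resp_size
        self.sent = []       # every packet this responder put on the wire
        self.replies = {}    # (src, msg_id) -> cached reply packet

    def receive(self, pkt):
        if pkt.kind != "IKE_SA_INIT_REQ" or pkt.dst != self.addr:
            return
        key = (pkt.src, pkt.msg_id)
        reply = self.replies.get(key)
        if reply is None:
            reply = Packet(self.addr, pkt.src, pkt.msg_id,
                           self.resp_size, "IKE_SA_INIT_RESP")
            self.replies[key] = reply
        self.sent.append(reply)

    def tick(self):
        """One timer tick: a compliant responder has nothing to do."""


class RetransmittingResponder(Responder):
    """The broken behaviour the thread warns about: after replying, the
    responder starts its own timer and resends the reply `retries` times
    unless the initiator answers. A spoofed initiator never answers, so
    every timer fires and every retry lands on the spoofed address."""

    def __init__(self, addr, resp_size=280, retries=3):
        super().__init__(addr, resp_size)
        self.retries = retries
        self.pending = []    # [reply, retries_left]

    def receive(self, pkt):
        before = len(self.sent)
        super().receive(pkt)
        if len(self.sent) > before:
            self.pending.append([self.sent[-1], self.retries])

    def tick(self):
        for entry in self.pending:
            if entry[1] > 0:
                self.sent.append(entry[0])   # timer-driven retransmission
                entry[1] -= 1


def amplification(responder, victim="192.0.2.10", n_requests=100,
                  req_size=240, ticks=5):
    """Bytes delivered to `victim` per byte sent toward the responder.

    n_requests IKE_SA_INIT requests arrive with src set to `victim`, then
    `ticks` timer periods pass. The compliant responder is bounded by
    resp_size / req_size however long it waits; the retransmitting one
    grows with its retry count."""
    sent_bytes = 0
    for i in range(n_requests):
        req = Packet(victim, responder.addr, i, req_size, "IKE_SA_INIT_REQ")
        sent_bytes += req.size
        responder.receive(req)
    for _ in range(ticks):
        responder.tick()
    victim_bytes = sum(p.size for p in responder.sent if p.dst == victim)
    return victim_bytes / sent_bytes


if __name__ == "__main__":
    r = Responder("198.51.100.1")
    print("single reply, no timer :", round(amplification(r), 3))
    r = RetransmittingResponder("198.51.100.1")
    print("reply + 3 timer retries:", round(amplification(r), 3))
```

With these constructed sizes the compliant responder stays at 280/240, roughly 1.17, which is the kind of ratio Yoav's reply dismisses; the same responder with a three-retry timer reaches four times that, and the factor scales with the retry count rather than with anything the sender has to pay for.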
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec