ipsec November 2007 archive

Re: [IPsec] IKEv2 - possible attack from legitimate node(s)?

From: Yoav Nir <ynir_at_nospam>
Date: Wed Nov 28 2007 - 13:53:14 GMT
To: "Hisyam F." <f_hisyam@yahoo.co.uk>, ipsec@ietf.org

Hi Hisyam.

An attack like this is very feasible, and the IKEv2 protocol does not have any protection against it. Individual implementations could have some protections, such as limiting the number of half-open SAs from a particular IP address, or limiting the number of IKE SAs from a particular peer.

Years ago, there were some proposals for securing against a DoS attack by, for example, replacing the cookie with a hash of the cookie and a partial pre-image (say, all of the cookie save the last 32 bits). This would force the client to brute-force the cookie (taking on average 2^31 hash operations), levying a 1-CPU-second "tax" on each connecting client. This proposal died, I think because of all kinds of patents surrounding such technology.

On Nov 27, 2007, at 6:07 AM, Hisyam F. wrote:

> Hi,
> I'm relatively new to IPsec. I would like to ask regarding the DoS
> protection in IPsec. Based on the IKEv2 standard, there is an anti-
> clogging mechanism via "cookie" notification in the Notify payload which
> prevents DoS attacks on the message exchange (i.e., phase 1). It seems that
> the DoS attack is assumed to be mounted from a spoofed IP address.
> In that sense, I would like to know whether IPsec (especially the
> IKEv2) contains any protection from legitimate node(s) (as an
> example DDoS)? In addition, is this type of attack feasible on IKEv2?
> Thanks.
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
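The cookie-puzzle scheme Yoav sketches, as an added worked example that is not code from the thread or from any IKEv2 implementation: the responder derives a stateless IKEv2-style cookie (assumed here to be an HMAC over the initiator's address and SPI), sends the hash of the cookie together with the cookie minus its trailing bits, and the initiator must brute-force the missing bits before the responder will spend any state on it. SHA-256 and a 16-bit gap (instead of the 32 bits discussed) are assumptions chosen so the demo runs in well under a second.

```python
import hashlib
import hmac

# Difficulty: number of trailing cookie bits withheld from the initiator.
# 32 bits (as in the thread) costs ~2^31 hashes on average; 16 bits keeps
# this demo fast (~2^15 hashes). Assumed values, not protocol constants.
MISSING_BITS = 16
COOKIE_LEN = 16  # bytes

def make_cookie(secret: bytes, client_ip: str, spi_i: bytes) -> bytes:
    """Stateless cookie: keyed hash over the initiator's address and SPI,
    so the responder need not remember anything per initiator."""
    msg = client_ip.encode() + spi_i
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

def make_puzzle(cookie: bytes) -> tuple:
    """What the responder sends instead of the raw cookie: H(cookie) plus
    the cookie with its last MISSING_BITS bits cleared."""
    mask = (1 << MISSING_BITS) - 1
    partial = (int.from_bytes(cookie, "big") & ~mask).to_bytes(COOKIE_LEN, "big")
    return hashlib.sha256(cookie).digest(), partial

def solve_puzzle(cookie_hash: bytes, partial: bytes) -> bytes:
    """Initiator's work: try every value of the withheld bits until the hash
    matches. Average cost is 2^(MISSING_BITS - 1) hash operations."""
    base = int.from_bytes(partial, "big")
    for guess in range(1 << MISSING_BITS):
        candidate = (base | guess).to_bytes(COOKIE_LEN, "big")
        if hashlib.sha256(candidate).digest() == cookie_hash:
            return candidate
    raise ValueError("no solution: puzzle or hash was corrupted")

def verify_cookie(secret: bytes, client_ip: str, spi_i: bytes, presented: bytes) -> bool:
    """Responder recomputes the cookie from the secret and the claimed
    address/SPI; a spoofed source or a forged cookie fails here, cheaply."""
    return hmac.compare_digest(make_cookie(secret, client_ip, spi_i), presented)

if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation address).
    secret, ip, spi = b"\x01" * 32, "192.0.2.10", b"\x00" * 8
    h, partial = make_puzzle(make_cookie(secret, ip, spi))
    solved = solve_puzzle(h, partial)
    print("initiator solved puzzle:", verify_cookie(secret, ip, spi, solved))
```

The responder's cost per attempt stays one HMAC plus one hash, while each initiator, spoofed or legitimate, pays the brute-force cost before any SA state is allocated.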
