|Main Archive Page > Month Archives > ipsec archives|
An attack like this is very feasible, and the IKEv2 protocol does not have any protection against it. Individual implementations could have some protections, such as limiting the amount of half-open SAs from a particular IP address, or limiting the amount of IKE SAs from a particular peer.
Years ago, there were some proposals for securing against a DoS attack by, for example replacing the cookie with a hash of the cookie and a partial pre-image (say, all the cookie save the last 32 bits). This would force the client to brute-force the cookie (taking on average 2^31 hash operations), by levying a 1-CPU-second "tax" on each connecting client. This proposal died, I think because of all kinds of patents surrounding such technology.
On Nov 27, 2007, at 6:07 AM, Hisyam F. wrote:
> I'm relatively new to IPsec. I would like to ask regarding the DoS
> protection in IPsec. Based on the IKEv2 standard, there is an anti-
> clogging mechanism via "cookie" notification in Notify payload which
> prevent DoS attack on message echange (i.e.,phase 1). It seems that
> the DoS attack is assumed to have or mounted from spoof IP address.
> In that sense, I would like to know whether IPsec (especially the
> IKEv2) contains any protection from legitimate node(s) (as an
> example DDoS)? In addition, is this type of attack feasible on IKEv2?
> For ideas on reducing your carbon footprint visit Yahoo! For Good
> this month.
> Scanned by Check Point Total Security Gateway.
> IPsec mailing list