
Re: [IPsec] IKEv2 - possible attack from legitimate node(s)?

From: Yoav Nir <ynir_at_nospam>
Date: Thu Nov 29 2007 - 07:32:51 GMT
To: "Hisyam F." <f_hisyam@yahoo.co.uk>, ipsec@ietf.org


The cookie mechanism is far from useless. Given a fixed amount of "attacking resources", you can mount a far greater volume of spoofed-IP attacks than you can legitimate IP address attacks. Enforcing a return IP address also makes features like "only 3 half-open SAs from a single IP address" more feasible.

I think hash cookies are the best way to get something that scales well enough to defeat DDoS attacks.

On Nov 29, 2007, at 12:54 AM, Hisyam F. wrote:

> Hi Yoav,
>
> Thanks for the reply. Since the attack from legitimate node(s) is
> feasible, I agree with your statement that each individual (recipient)
> should implement a defensive mechanism against such an attack.
>
> Nevertheless, I would like to ask your opinion regarding the IKEv2
> message exchange. As stated in your previous reply, there were
> several works done in combating DoS, i.e., the HASH cookie
> mechanism etc. It seems that in order to defeat a DoS attack, each
> technique in the literature suggests the initiator authenticate him/herself
> (prove the identity) to the respective responder by
> returning the correct cookie. However, I think that this
> verification method is efficient to a certain degree, subject to the
> assumption that an attack is mounted from a malicious attacker with
> a spoofed ID. Since this is not applicable to DDoS, as each node can
> have a legitimate ID, does it mean it is impossible (I hope not) for
> us to propose a better approach for IKEv2?
>
> ----- Original Message ----
> From: Yoav Nir <ynir@checkpoint.com>
> To: Hisyam F. <f_hisyam@yahoo.co.uk>; ipsec@ietf.org
> Sent: Thursday, 29 November, 2007 12:53:14 AM
> Subject: Re: [IPsec] IKEv2 - possible attack from legitimate node(s)?
>
> Hi Hisyam.
>
> An attack like this is very feasible, and the IKEv2 protocol does
> not have any protection against it. Individual implementations could
> have some protections, such as limiting the amount of half-open SAs
> from a particular IP address, or limiting the amount of IKE SAs from
> a particular peer.
>
> Years ago, there were some proposals for securing against a DoS
> attack by, for example, replacing the cookie with a hash of the
> cookie and a partial pre-image (say, all the cookie save the last 32
> bits). This would force the client to brute-force the cookie
> (taking on average 2^31 hash operations), by levying a 1-CPU-second
> "tax" on each connecting client. This proposal died, I think
> because of all kinds of patents surrounding such technology.
>
>
> On Nov 27, 2007, at 6:07 AM, Hisyam F. wrote:
>
>> Hi,
>>
>> I'm relatively new to IPsec. I would like to ask regarding the DoS
>> protection in IPsec. Based on the IKEv2 standard, there is an
>> anti-clogging mechanism via "cookie" notification in the Notify payload
>> which prevents DoS attacks on the message exchange (i.e., phase 1). It
>> seems that the DoS attack is assumed to have been mounted from a spoofed
>> IP address.
>>
>> In that sense, I would like to know whether IPsec (especially
>> IKEv2) contains any protection from legitimate node(s) (as an
>> example, DDoS)? In addition, is this type of attack feasible on IKEv2?
>>
>> Thanks.
>>
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www1.ietf.org/mailman/listinfo/ipsec



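The two mechanisms compared in this thread, as an added Python sketch that is not code from the list, from RFC 4306 or from any IKE implementation: the stateless responder cookie (verifiable without keeping per-initiator state, and bound to the initiator's source address) and the hash-cookie puzzle described above, with the hidden bits reduced from 32 to 16 so the brute force finishes in moments. Function names and sample values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example; not the thread's, RFC 4306's or any product's code.
COOKIE_LEN = 17  # 1 version byte + 16 bytes of truncated MAC


def make_cookie(secret: bytes, version: int, ni: bytes, ip_i: str, spi_i: bytes) -> bytes:
    """Stateless cookie in the RFC 4306 shape:
    <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
    The responder stores nothing per initiator, only its rotating secret."""
    mac = hmac.new(secret, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()
    return bytes([version & 0xFF]) + mac[: COOKIE_LEN - 1]


def cookie_valid(secret: bytes, version: int, cookie: bytes,
                 ni: bytes, ip_i: str, spi_i: bytes) -> bool:
    """Responder check: recompute and compare in constant time. A cookie sent
    back from a spoofed source address fails because IPi is inside the MAC."""
    return hmac.compare_digest(cookie, make_cookie(secret, version, ni, ip_i, spi_i))


def make_puzzle(cookie: bytes, hidden_bits: int) -> Tuple[bytes, int]:
    """Hash-cookie variant from the thread: send H(cookie) plus the cookie with
    its last hidden_bits bits withheld, so the initiator must brute-force them."""
    prefix = int.from_bytes(cookie, "big") >> hidden_bits
    return hashlib.sha256(cookie).digest(), prefix


def solve_puzzle(digest: bytes, prefix: int, hidden_bits: int) -> Optional[bytes]:
    """Initiator work: 2^(hidden_bits-1) hashes on average. The thread's 32 hidden
    bits give ~2^31 operations; this tax falls on every client, legitimate or not."""
    for low in range(1 << hidden_bits):
        candidate = ((prefix << hidden_bits) | low).to_bytes(COOKIE_LEN, "big")
        if hashlib.sha256(candidate).digest() == digest:
            return candidate
    return None


def demo(hidden_bits: int = 16) -> bool:
    """Full round trip: issue cookie, publish puzzle, solve it, verify statelessly."""
    secret, version = secrets.token_bytes(32), 1
    ni, ip_i, spi_i = secrets.token_bytes(16), "198.51.100.7", secrets.token_bytes(8)
    cookie = make_cookie(secret, version, ni, ip_i, spi_i)
    digest, prefix = make_puzzle(cookie, hidden_bits)
    solved = solve_puzzle(digest, prefix, hidden_bits)
    return solved == cookie and cookie_valid(secret, version, solved, ni, ip_i, spi_i)
```

Note that the puzzle only raises the per-connection cost; a botnet of legitimate addresses still gets its cookies back, which is why the thread pairs it with per-address limits on half-open SAs.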