
Re: Future ISAKMP Denial of Service Vulnerability Needs Addressing




>>>>> "Anderson" == Anderson  <neo@silkroad.com> writes:
    Anderson> WG Members:

    Anderson> We are hearing more and more concerns in the enterprise community
    Anderson> that ISAKMP will be vulnerable to UDP denial of service attacks
    Anderson> in the future.  This is a widely known and serious flaw, IMHO.

  Yes, it is widely known. It is not a serious flaw, it is a fact of life.

  Switching to TCP does nothing. If you naively implement ISAKMP on top
of TCP, then you must include TCP SYN spoof protection, which is much more
difficult to deploy and hard to provide different levels of protection for,
say, HTTP servers vs ISAKMP daemons.
  If you look at TCP SYN spoof protection, you'll discover that it involves
the use of cookies as non-predictable sequence numbers, and thus is
identically equivalent to what ISAKMP has.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com
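The point above, that SYN-cookie style protection and ISAKMP cookies amount to the same mechanism, is easiest to see in code. The following is an added illustration, not code from the list or its authors: a responder that issues a stateless cookie keyed to the peer's address, port and a coarse time slot, and allocates session state only once that cookie is echoed back. The `StatelessResponder` class, the 60-second slot and the sample addresses are constructed for the example; RFC 2408 only recommends that cookies depend on source/destination addresses, ports, a secret and a timestamp, and does not fix a layout.

```python
import hashlib
import hmac
import os
import time


class StatelessResponder:
    """Illustrative cookie responder (added example, not an ISAKMP implementation).

    A first message from any source gets a cookie back and costs the responder
    no memory. Only a second message carrying a cookie that verifies against the
    responder's secret creates per-peer state. A spoofed source never sees the
    cookie it would need to echo, so floods of first messages exhaust nothing
    but a few HMAC computations; the same idea underlies TCP SYN cookies.
    """

    SLOT_SECONDS = 60  # cookies stay valid for the current and previous slot

    def __init__(self, secret=None, clock=time.time):
        self._secret = secret or os.urandom(32)  # responder-local secret
        self._clock = clock                      # injectable for testing expiry
        self.sessions = {}                       # state created only after echo

    def _slot(self, offset=0):
        return int(self._clock() // self.SLOT_SECONDS) - offset

    def _cookie(self, src_ip, src_port, slot):
        # HMAC over the peer tuple and time slot: unpredictable without the
        # secret, yet recomputable later without storing anything.
        msg = f"{src_ip}|{src_port}|{slot}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:8]

    def handle_first_message(self, src_ip, src_port):
        """Answer the first message with a cookie; allocate no state."""
        return self._cookie(src_ip, src_port, self._slot())

    def handle_second_message(self, src_ip, src_port, cookie):
        """Accept the echoed cookie only if it matches the current or previous slot."""
        for offset in (0, 1):
            expected = self._cookie(src_ip, src_port, self._slot(offset))
            if hmac.compare_digest(expected, cookie):
                self.sessions[(src_ip, src_port)] = {"slot": self._slot(offset)}
                return True
        return False


def demo():
    """Constructed scenario: a spoofed flood, a real peer, a stolen and a stale cookie."""
    now = [1_000_000.0]
    responder = StatelessResponder(secret=b"\x01" * 32, clock=lambda: now[0])

    # 2000 first messages from spoofed sources: responder keeps no state at all.
    for i in range(2000):
        responder.handle_first_message(f"10.0.{i // 256}.{i % 256}", 500)
    state_after_flood = len(responder.sessions)

    # A real initiator receives the cookie and echoes it: state is created.
    cookie = responder.handle_first_message("192.0.2.7", 500)
    legit_accepted = responder.handle_second_message("192.0.2.7", 500, cookie)

    # The same cookie presented from another address fails verification.
    replay_accepted = responder.handle_second_message("198.51.100.9", 500, cookie)

    # A cookie older than two slots is rejected even from the right address.
    old_cookie = responder.handle_first_message("192.0.2.8", 500)
    now[0] += 3 * StatelessResponder.SLOT_SECONDS
    stale_accepted = responder.handle_second_message("192.0.2.8", 500, old_cookie)

    return {
        "state_after_flood": state_after_flood,
        "legit_accepted": legit_accepted,
        "replay_accepted": replay_accepted,
        "stale_accepted": stale_accepted,
        "sessions": len(responder.sessions),
    }


if __name__ == "__main__":
    print(demo())
```

The responder's cost per unsolicited message is one HMAC and one reply datagram; what the design does not remove is the bandwidth spent on those replies, which is the "fact of life" the message refers to. Moving the exchange to TCP would only shift the same cookie logic into the SYN/ACK handshake.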



