Re: On a hybrid authentication mode for IKE

Tamir Zegman <zegman@checkpoint.com> Sun, 27 June 1999 17:23 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id KAA13275; Sun, 27 Jun 1999 10:23:51 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA00216 Sun, 27 Jun 1999 11:26:13 -0400 (EDT)
Message-ID: <37764310.B3C3E27@checkpoint.com>
Date: Sun, 27 Jun 1999 18:28:16 +0300
From: Tamir Zegman <zegman@checkpoint.com>
Organization: Check Point
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp>
CC: ipsec@lists.tislabs.com
Subject: Re: On a hybrid authentication mode for IKE
References: <9906250320.AA02014@Ichiko.imailab.iis.u-tokyo.ac.jp>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk


Kanta Matsuura wrote:

> Dear friends,
> I'd like to make a comment on
> draft-ietf-ipsec-isakmp-hybrid-auth-02.txt
> (A Hybrid Authentication Mode for IKE).
> In the 6th section, the document says that
> protection against DoS is not provided.
> My comment is that, since the Hybrid Authentication Mode
> uses Signature Mode of IKE first,
> a modified mode of it (draft-matsuura-sign-mode-00.txt)
> would be a better solution.
> The idea is the use of intermediate random fresh value
> as an additional input to the HASH payload in the ack message
> from the client; if the client (maybe a DoS attacker) does not
> follow the protocol (i.e. skip the verification of the responder's
> signature), he/she cannot produce the correct HASH, which is
> efficiently (<-- hashing is inexpensive computation)
> detected by the responder.
>
> Thanks,
>

The paragraph you mentioned talked about a different DoS attack -
an attack that causes the user account to be revoked on the RADIUS
server.
Your paper, if I understand correctly, talks about preventing DoS
attacks during Phase1.
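The mechanism Matsuura describes in the quoted message (a fresh value that only a client who actually verified the responder's signature can feed into its HASH payload, so the responder can reject a lazy flooder with one cheap hash comparison) as an added, runnable toy model. This is example code written for this page, not the draft's construction and not Check Point code. The page does not say how the fresh value is bound to the verification; the model assumes one way of doing it, RSA with message recovery on a tiny hard-coded key, so that the value r is only learnable by computing sig^e mod n. SKEYID, TRANSCRIPT, the key sizes and the message numbering are all constructed for the demo and stand in for the real IKE fields.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Toy RSA parameters: two small primes, hard-coded for illustration (assumption;
# wildly insecure, a real implementation uses large keys and PKCS#1 padding).
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

# Constructed stand-in for the keying material both sides already share when
# the HASH payload is built (SKEYID in IKE). A DoS attacker who ran the
# exchange this far has it too, so the check does not rely on its secrecy.
SKEYID = b"constructed-skeyid-for-demo"
TRANSCRIPT = b"SA|KE_i|KE_r|Ni|Nr|ID_i"   # constructed stand-in for the hashed fields


def responder_sign_fresh_value() -> tuple[int, int]:
    """Responder draws a fresh nonzero r and signs it with message recovery:
    sig = r^d mod n. Only sig goes on the wire; r can only be learned by
    performing the verification sig^e mod n (the assumption of this model)."""
    r = 1 + int.from_bytes(os.urandom(3), "big")   # 1 <= r < 2^24 < N
    return r, pow(r, D, N)


def initiator_recover(sig: int) -> int:
    """Honest initiator verifies the responder's signature; this modular
    exponentiation is the expensive step a flooding client wants to skip."""
    return pow(sig, E, N)


def hash_payload(r: int, transcript: bytes) -> bytes:
    """HASH payload with the recovered value as an additional input."""
    return hmac.new(SKEYID, r.to_bytes(4, "big") + transcript, hashlib.sha256).digest()


def run_exchange(honest: bool) -> tuple[bool, int]:
    """Simulate one exchange. Returns (accepted_by_responder,
    expensive_operations_the_responder_had_to_do)."""
    expensive_ops = 0

    # Responder -> initiator: signature from which fresh r is recoverable.
    r, sig = responder_sign_fresh_value()

    # Initiator -> responder: acknowledgment carrying the HASH payload.
    if honest:
        r_client = initiator_recover(sig)     # pays for the verification
    else:
        r_client = 0                          # skips it and has to guess
    hash_i = hash_payload(r_client, TRANSCRIPT)

    # Responder: cheap hash comparison before any heavy work.
    if not hmac.compare_digest(hash_payload(r, TRANSCRIPT), hash_i):
        return False, expensive_ops           # rejected at no real cost

    # Only now does the responder do its own expensive part (modelled as one
    # modular exponentiation standing in for verifying the initiator's signature).
    expensive_ops += 1
    pow(sig, E, N)
    return True, expensive_ops


if __name__ == "__main__":
    print("honest client:", run_exchange(honest=True))    # (True, 1)
    print("lazy client:  ", run_exchange(honest=False))   # (False, 0)
```

The honest client is accepted and costs the responder one expensive operation; the client that skips verification is rejected after a single HMAC comparison, which is the asymmetry the proposal is after. Whether a real signature scheme lets you bind r this way (DSS signatures, for instance, have no message recovery) is exactly the detail this page does not settle.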