Re: On a hybrid authentication mode for IKE
Tamir Zegman <zegman@checkpoint.com> Sun, 27 June 1999 17:23 UTC
Message-ID: <37764310.B3C3E27@checkpoint.com>
Date: Sun, 27 Jun 1999 18:28:16 +0300
From: Tamir Zegman <zegman@checkpoint.com>
Organization: Check Point
To: Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp>
CC: ipsec@lists.tislabs.com
Subject: Re: On a hybrid authentication mode for IKE
References: <9906250320.AA02014@Ichiko.imailab.iis.u-tokyo.ac.jp>

Kanta Matsuura wrote:

> Dear friends,
> I'd like to make a comment on
> draft-ietf-ipsec-isakmp-hybrid-auth-02.txt
> (A Hybrid Authentication Mode for IKE).
> In the 6th section, the document says that
> protection against DoS is not provided.
> My comment is that, since the Hybrid Authentication Mode
> uses Signature Mode of IKE first,
> a modified mode of it (draft-matsuura-sign-mode-00.txt)
> would be a better solution.
> The idea is the use of intermediate random fresh value
> as an additional input to the HASH payload in the ack message
> from the client; if the client (maybe a DoS attacker) does not
> follow the protocol (i.e. skip the verification of the responder's
> signature), he/she cannot produce the correct HASH, which is
> efficiently (<-- hashing is inexpensive computation)
> detected by the responder.
>
> Thanks,
>

The paragraph you mentioned talked about a different DoS attack - an attack that causes the user account to be revoked on the RADIUS server. Your paper, if I understand correctly, talks about preventing DoS attacks during Phase 1.