Re: resistance to swamping attacks.
touch@isi.edu Fri, 20 September 1996 20:47 UTC
From: touch@isi.edu
Date: Fri, 20 Sep 1996 13:52:17 -0700
Posted-Date: Fri, 20 Sep 1996 13:52:17 -0700
Message-Id: <199609202052.AA02432@ash.isi.edu>
To: touch@isi.edu, smb@research.att.com
Subject: Re: resistance to swamping attacks.
Cc: sommerfeld@apollo.hp.com, kim@morningstar.com, ipsec@TIS.COM
X-Auto-Sig-Adder-By: faber@isi.edu
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

> From: Steven Bellovin <smb@research.att.com>
>
> > From touch@isi.edu
>
> But then you're authenticating the signature, but not the packet
> itself, no?
>
> In that case, I can replay a signed connection-establishment request
> with random source addrs.
>
> Depends on what you sign.  In my note, I said ``in principle''....

> From touch@ISI.EDU Fri Sep 20 12:32:53 1996
> From: touch@ISI.EDU
>
> So, it might be the case that, in order to avoid swamping attacks,
> we need two kinds of authentication:
>
>     - whole packet (to keep conversations secure)
>
>     - header only (for fast processing to check for
>       swamping)
>
> If so, do we need another kind of header?
> (IP-AH specs only the first)

Except that, as a colleague here pointed out, checking
authentication of SYNs costs much more than keeping the
half-open connection block.

That's the argument for *not* needing a header-only
authenticator.

Joe
----------------------------------------------------------------------
Joe Touch - touch@isi.edu            http://www.isi.edu/~touch/
ISI / Project Leader, ATOMIC-2, LSAM http://www.isi.edu/atomic2/
USC / Research Assistant Prof.       http://www.isi.edu/lsam/