Re: On a hybrid authentication mode for IKE

Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp> Mon, 28 June 1999 04:14 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA19151; Sun, 27 Jun 1999 21:14:30 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id WAA01412 Sun, 27 Jun 1999 22:26:40 -0400 (EDT)
Message-Id: <9906280235.AA02024@Ichiko.imailab.iis.u-tokyo.ac.jp>
From: Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp>
Date: Mon, 28 Jun 1999 11:35:09 +0900
To: Tamir Zegman <zegman@checkpoint.com>
Cc: Kanta Matsuura <kanta@hideki.iis.u-tokyo.ac.jp>, ipsec@lists.tislabs.com
Subject: Re: On a hybrid authentication mode for IKE
In-Reply-To: <37764310.B3C3E27@checkpoint.com>
MIME-Version: 1.0
X-Mailer: AL-Mail 1.32
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Thank you for the reply.
Yes, draft-matsuura-sign-mode-00.txt talks about preventing DoS
attacks during Phase 1.
I understand that the paragraph mentioned a different issue
--- the user-revocation problem --- and that
the issue concerns the authentication methods your protocol utilizes.
Since authentication methods differ from one another
in their strength against the attack,
I hope your protocol keeps its flexibility
regarding the authentication methods that can be utilized.

Finally, I'd like to point out that
your document could additionally
mention DoS in Signature Mode of Phase 1,
referring to draft-matsuura-sign-mode-00.txt
or others (if they exist); if we can check
whether the client really verifies the server's signature,
it would improve another aspect of your protocol's DoS resistance.

Tamir Zegman <zegman@checkpoint.com> wrote:
>>Kanta Matsuura wrote:
>>...
>>> Dear friends,
>>> I'd like to make a comment on
>>> draft-ietf-ipsec-isakmp-hybrid-auth-02.txt
>>> ...
>>> My comment is that, since the Hybrid Authentication Mode
>>> uses Signature Mode of IKE first,
>>> a modified mode of it (draft-matsuura-sign-mode-00.txt)
>>> would be a better solution.
>>...
>>
>>The paragraph you mentioned talked about a different DoS attack -
>>an attack that causes the user account to be revoked on the RADIUS
>>server.
>>Your paper, if I understand correctly, talks about preventing DoS
>>attacks during Phase1.

--^^--
Kanta