Re: SOI: identity protection and DOS
Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com> Tue, 20 November 2001 19:18 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id fAKJIg817970; Tue, 20 Nov 2001 11:18:42 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA13414 Tue, 20 Nov 2001 13:36:29 -0500 (EST)
Message-Id: <200111201845.NAA21833@bcn.East.Sun.COM>
Date: Tue, 20 Nov 2001 13:45:49 -0500
From: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Reply-To: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Subject: Re: SOI: identity protection and DOS
To: ipsec@lists.tislabs.com
MIME-Version: 1.0
Content-Type: TEXT/plain; charset="us-ascii"
Content-MD5: PUqXyIC4n+0ct7fH0Z+5dQ==
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.3.5 SunOS 5.7 sun4u sparc
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Derek said: >>I happen to agree with Radia's point that you should try to protect >>the initiator's identity before the responder's identity (which >>implies the responder should authenticate to the initiator first). Actually, Dan and Charlie changed my mind about that. The problem with the responder revealing identity information first is that ANYONE can initiate an IPsec connection to an IP address and find out who is there without ever divulging their identity. If it's the initiator that reveals identity first then the only threat is from an active attacker impersonating the responder's IP address and lying in wait. (the initiator's ID is hidden from an eavesdropper and revealed only to whatever is sitting at the IP address the initiator connected to). If it's the responder that reveals identity first, then (assuming it's not a strict client/server model where the nodes that need identity protection never respond to IPsec connect initiates and only initiate them) it is trivial to find out who is at an IP address. Radia
- I-D ACTION:draft-ietf-ipsec-son-of-ike-protocol-r… Internet-Drafts
- SOI: preshared Michael Thomas
- SOI: identity protection and DOS Michael Thomas
- SOI: round tripiness Michael Thomas
- Re: SOI: preshared Henry Spencer
- Re: SOI: identity protection and DOS Paul Koning
- Re: SOI: identity protection and DOS Joern Sierwald
- Re: SOI: preshared Michael Thomas
- Re: SOI: preshared Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: preshared Paul Hoffman / VPNC
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: preshared Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Radia Perlman - Boston Center for Networking
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Arne Ansper
- Re: SOI: identity protection and DOS Sandy Harris
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: preshared Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: preshared DavidChenNH
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Richard Guy Briggs
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Paul Hoffman / VPNC
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Sara Bitan
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: SOI: identity protection and DOS Paul Hoffman / VPNC
- On shared keys (was RE: SOI: identity protection … Hugo Krawczyk
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Ari Huttunen
- Re: SOI: identity protection and DOS Alex Alten
- On shared keys (was RE: SOI: identity protection … Michael Thomas
- Re: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS Michael Thomas
- Re: SOI: identity protection and DOS Derek Atkins
- Re: On shared keys Ricky Charlet
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys (was RE: SOI: identity protect… Michael Thomas
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS Steven M. Bellovin
- RE: On shared keys (was RE: SOI: identity protect… Andrew Krywaniuk
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- Re: SOI: identity protection and DOS Derek Atkins
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Richard Guy Briggs
- Re: SOI: identity protection and DOS Arne Ansper
- Re: Gee, shared secrets suck (was: Re: SOI: ident… David Jablon
- Re: SOI: identity protection and DOS Arne Ansper
- Re: SOI: identity protection and DOS Henry Spencer
- Re: SOI: identity protection and DOS Steven M. Bellovin
- Re: SOI: identity protection and DOS Henry Spencer
- RE: SOI: identity protection and DOS Paul Koning
- Gee, shared secrets suck (was: Re: SOI: identity … Joel Snyder
- Re: Gee, shared secrets suck (was: Re: SOI: ident… david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS david chen
- Re: On shared keys Tylor Allison
- Re: SOI: identity protection and DOS david chen
- Re: SOI: identity protection and DOS Paul Koning
- RE: On shared keys (was RE: SOI: identity protect… Alex Alten
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: SOI: identity protection and DOS Hugo Krawczyk
- Re: SOI: identity protection and DOS david chen
- RE: On shared keys (was RE: SOI: identity protect… Dilkie, Lee
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys Jari Arkko
- Re: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: On shared keys (was RE: SOI: identity protect… david chen
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys sami.vaarala
- Re: On shared keys (was RE: SOI: identity protect… Paul Koning
- Re: On shared keys Derek Atkins
- Re: On shared keys Henry Spencer
- Re: Gee, shared secrets suck (was: Re: SOI: ident… Arne Ansper
- Re: On shared keys Derek Atkins
- Re: On shared keys Arne Ansper
- RE: On shared keys Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Stephen Kent
- Re: On shared keys Sami Vaarala
- Re: On shared keys Sami Vaarala
- RE: On shared keys (was RE: SOI: identity protect… Alex Alten
- Re: On shared keys Derek Atkins
- Re: On shared keys Sami Vaarala
- Re: On shared keys (was RE: SOI: identity protect… Sandy Harris
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Khaja E. Ahmed
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… Derek Atkins
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- Re: On shared keys (was RE: SOI: identity protect… Sandy Harris
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: SOI: identity protection and DOS Andrew Krywaniuk
- RE: On shared keys (was RE: SOI: identity protect… Wang, Cliff
- Re: On shared keys (was RE: SOI: identity protect… david chen
- RE: SOI: identity protection and DOS Hugo Krawczyk
- SA look up Jin Zhang
- RE: SA look up Li, Ruicong