Re: Recent Attacks

From: Ge' Weijers (ge@progressive-systems.com)
Date: Fri Feb 18 2000 - 16:08:03 PST

Next message: Steven M. Bellovin: "Re: Recent Attacks"

Previous message: Don Kendrick: "Re: Recent Attacks"
Maybe in reply to: hndat_private: "Recent Attacks"
Next in thread: Steven M. Bellovin: "Re: Recent Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 17, 2000 at 01:16:54AM -0800, Philip J. Koenig wrote:
> Seems to me that the packet-authentication aspect of IPv6
> would go a long way toward making sure you can track the
> source of packets too.  

But IKE (IPSEC's key exchange component) has denial-of-service
problems of its own. You can overload an IKE server easily. The
end-result is the same: no Internet dialtone.

Some proposals to mitigate IKE attacks do exist, but they all have
drawbacks.

Ge'

-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220

Next message: Steven M. Bellovin: "Re: Recent Attacks"
Previous message: Don Kendrick: "Re: Recent Attacks"
Maybe in reply to: hndat_private: "Recent Attacks"
Next in thread: Steven M. Bellovin: "Re: Recent Attacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:13 PDT