
Re: [RPSEC] rate limiting management traffic, redux



At 7:46 PM +0200 4/19/03, Iljitsch van Beijnum wrote:
...

Currently IPsec ESP supports authentication and encryption, maybe this could be an additional IPsec service?

ESP mandates support for confidentiality plus integrity, or integrity only, or confidentiality only. Since the IPsec WG is trying to simplify the range of options, we're dropping mandatory support for confidentiality only. I don't see it as likely that we would add an "authentication tag not tied to the payload" option.

Does it make sense to reinvent the wheel here? Especially as we can at least reuse the anti-replay counter and possibly borrow some space from the initialization vector to store the tag. Obviously this mechanism would be entirely optional.

Well, having invented this particular wheel, I am comfortable saying that the sequence number and windowing mechanisms should be reused, but nothing else :-)
We're not really reinventing here; we're reusing that mechanism.

More seriously, the focus of this proposal is a rate limiting authentication mechanism, and that is not very closely aligned with the security services that IPsec offers. So I do not think it likely that we will add this sort of facility, even as an option, to AH or ESP (said the editor of those documents).

Finally, the really hard problem we face is the (re)initialization protocol. This is a difficult problem to solve, since we want to minimize the opportunity for DoS attacks at both ends (so that we can use this between routers, not just between a management station and a router), to a greater extent than existing protocols like IKE (v2).

Steve
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec