RE: Reminder: last call for PIC in the IPSRA WG
In terms of the DoS potential of the Internet, I think we've only seen the
tip of the iceberg. It's definitely better to have some kind of cookie
exchange. I believe William brought up the lack of DoS protection at the
IETF meeting, along with a question about the hash calculation.
I also wonder about the hash calculation. When Hugo was asked why we're not
using the revised hash in PIC, he replied that the situation that motivated
the development of revised hash in IKE doesn't exist in PIC. I guess that's
true (PIC says you can't include notify or vendor id payloads until after
the first hash has been sent), but I still wonder what's the point? Is there
any advantage to the particular hash calculation that is described in PIC?
Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.
> -----Original Message-----
> From: owner-ietf-ipsra@xxxxxxxxxxxxx
> [mailto:owner-ietf-ipsra@xxxxxxxxxxxxx]On Behalf Of Markus Stenberg
> Sent: Monday, September 17, 2001 8:35 AM
> To: ietf-ipsra@xxxxxxxx
> Subject: Re: Reminder: last call for PIC in the IPSRA WG
>
>
>
> paul.hoffman@xxxxxxxx (Paul Hoffman / VPNC) writes:
> > Hi again. Just a reminder that we are in the middle of the PIC last
> > call in the IPSRA WG. The last call ends at the end of September
> > unless significant changes are needed to the spec.
> >
> > It has been pretty quiet here, and maybe that is good.
>
> I was also on vacation (four weeks :>), which delayed this mail somewhat.
> I didn't want to start discussion while people were still in Finland in
> the VPN workshop, and I regrettably had to leave the workshop's summary
> session before I could poll it locally.
>
> I still personally feel that with the discussion about s-o-IKE, and
> _especially_ the discussions regarding aggressive/main(/base) mode in
> IPsec WG, it might be a bad idea to select an aggressive-like approach
> for PIC.
>
> Why do we want to perform significant work on the basis of a packet from
> a source which we haven't even verified exists and really wants to talk
> to us?
>
> This could be circumvented (at least) by changing the exchange from 3 to
> 4 messages and styling it after base mode instead of aggressive mode.
>
> If someone else agrees, feel free to point it out; if it's just me, I'll
> go back to my corner :>
>
> > --Paul Hoffman, Director
> > --VPN Consortium
>
> -Markus
>
> --
> Markus Stenberg (stenberg@xxxxxxx) of SSH Communications Security (www.ssh.com)
>
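The cookie exchange discussed above, as an added example that is not taken from the PIC draft or from anyone in this thread: the responder answers message 1 with a stateless cookie and does no expensive work until message 3 echoes that cookie, so a source that is spoofed (and therefore never receives message 2) cannot make it spend CPU. The Responder class, message names and addresses are constructed for illustration and do not follow PIC's wire format.

```python
import hmac
import hashlib
import os

# Constructed example: a stateless cookie that lets a responder verify the
# initiator's source address is reachable before it does expensive work
# (e.g. a Diffie-Hellman exponentiation). Not PIC's actual exchange.

class Responder:
    def __init__(self, secret=None):
        # The secret never leaves the responder; it lets the responder
        # recognise its own cookies without keeping per-initiator state.
        self.secret = secret or os.urandom(32)
        self.work_count = 0  # how many times expensive work actually ran

    def cookie_for(self, src_addr, ni):
        """Cookie = truncated HMAC(secret, source address || initiator nonce)."""
        mac = hmac.new(self.secret, digestmod=hashlib.sha256)
        mac.update(src_addr.encode())
        mac.update(ni)
        return mac.digest()[:16]

    def msg1(self, src_addr, ni):
        # Message 1 -> message 2: cheap, and nothing is stored.
        return self.cookie_for(src_addr, ni)

    def msg3(self, src_addr, ni, cookie):
        # Message 3: only once the initiator echoes a cookie that could only
        # have been delivered to src_addr does the responder do real work.
        if not hmac.compare_digest(cookie, self.cookie_for(src_addr, ni)):
            return None
        self.work_count += 1
        return hashlib.sha256(b"expensive-work" + ni).hexdigest()

def honest_run(responder, addr="192.0.2.10"):
    ni = os.urandom(16)
    cookie = responder.msg1(addr, ni)        # initiator receives message 2
    return responder.msg3(addr, ni, cookie)  # and echoes it in message 3

def spoofed_run(responder, victim="192.0.2.10"):
    ni = os.urandom(16)
    # The attacker spoofs the victim's address in message 1; message 2 is
    # delivered to the victim, so message 3 can only carry a guessed cookie.
    responder.msg1(victim, ni)
    return responder.msg3(victim, ni, os.urandom(16))
```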