Re: KINK user-user scenario
Jonathan Trostle writes:
> Kerberos is vulnerable to these types of DoS attacks already. For example,
> an attacker can create a delegated request targeted at himself with
> bogus krb creds inside and then send that out in multiple delegated requests
> to 1000 servers which then try to authenticate to the KDC using the bogus
> krb creds.
>
> I'm not convinced we should go to a lot of work to try to prevent these
> types of attacks, because we will only be able to give some improvement to
> a few cases instead of all the cases. Some sort of IDS system would
> probably be needed to handle these types of attacks and might do an equally
> good job against all of them.
As currently instantiated in draft-ietf-kink-kink-00, this
DoS attack does not exist. Adding some sort of wakeup
mechanism explicitly allows the attack.
I'd say that these proposals go out of their way to *allow*
the attack. That to my mind is bogus.
Mike