Future ISAKMP Denial of Service Vulnerability Needs Addressing (fwd)

Tina Bird tbird at PRECISION-GUESSWORK.COM
Mon Jan 31 14:17:58 EST 2000


"Doubt is an uncomfortable situation, but certainty is an
absurd one." -- Voltaire

---------- Forwarded message ----------
Date: Sun, 30 Jan 100 14:51:28 -0500 (EST)
From: Mr. Anderson <neo at silkroad.com>
To: ipsec at lists.tislabs.com
Subject: Future ISAKMP Denial of Service Vulnerability Needs Addressing


WG Members:

We are hearing more and more concerns in the enterprise community
that ISAKMP will be vulnerable to UDP denial of service attacks
in the future.  This is a widely known and serious flaw, IMHO.

----------------------------------------------------------
FYI Review of RFC 2408: ISAKMP
----------------------------------------------------------

2.5.1 Transport Protocol

ISAKMP can be implemented over any transport protocol or over IP
itself.  Implementations MUST include send and receive capability for
ISAKMP using the User Datagram Protocol (UDP) on port 500.
----------------------------------------------------------

The specification above means that most vendors who read this
will build ISAKMP on 500/UDP; which means that any malicious
person with a clue as to how UDP DoS attacks can be done will
be able to create chaos with the ISAKMP process during SA
setup, etc.

Vendors with a clue will build an alternate mechanism which allows
ISAKMP to play using a more robust transport mechanism, at least
TCP based, which raises the bar against simple UDP DoS attacks.

I suggest the ISAKMP RFC address this vulnerability more directly, because
IPSEC and ISAKMP security issues such as this could be treated more
openly in the RFC; perhaps an ISAKMP protocol risk analysis should even be
documented in the IETF process.

Finest Regards,
Neo
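
The concern above is that a responder listening on 500/UDP cannot tell a
spoofed flood from genuine SA setup traffic at the transport layer. The
following is an added example (not from the original post or from any
vendor's product) of the detection side of that problem: it reads firewall
log lines in a simple key=value format that is constructed here for
illustration, keeps only UDP datagrams to port 500, and reports any source
whose datagram rate in a sliding window exceeds a threshold, together with
how many distinct source ports it used. The log format, the field names
and the IP addresses are all assumptions of this example.

```python
"""Flag sources flooding an IKE/ISAKMP responder on UDP/500 from firewall logs.

Added example, not part of the original post. The key=value log format
parsed below is an assumption constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout: "<iso-timestamp> <ACCEPT|DROP> proto=.. src=.. sport=.. dst=.. dport=.. ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=(?P<sport>\d+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_isakmp_events(lines):
    """Return (epoch_seconds, src, sport) for every UDP datagram sent to port 500."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proto"] != "udp" or m["dport"] != "500":
            continue  # not ISAKMP transport traffic as far as this example is concerned
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        events.append((ts, m["src"], int(m["sport"])))
    return events


def flood_sources(lines, window=10.0, threshold=50):
    """Map each source IP to its peak datagram count within any `window`-second span,
    keeping only sources whose peak reaches `threshold`.

    The distinct source-port count is reported as a hint: a real IKE peer
    normally keeps one source port, while a flood tends to scatter them.
    """
    per_src = defaultdict(list)
    ports = defaultdict(set)
    for ts, src, sport in parse_isakmp_events(lines):
        per_src[src].append(ts)
        ports[src].add(sport)

    report = {}
    for src, stamps in per_src.items():
        stamps.sort()
        peak, left = 0, 0
        # Two-pointer sliding window over sorted timestamps.
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            report[src] = {"peak": peak, "distinct_sports": len(ports[src])}
    return report


def constructed_log():
    """Constructed sample log: one normal peer, one source sending 200 datagrams
    to UDP/500 in five seconds, and one unrelated TCP connection."""
    base = "2000-01-30T14:51:"
    lines = [
        f"{base}00 ACCEPT proto=udp src=192.0.2.10 sport=500 dst=198.51.100.5 dport=500 len=296"
    ]
    for i in range(200):
        sec = i // 40  # 40 datagrams per second for 5 seconds, each from a new source port
        lines.append(
            f"{base}{sec:02d} ACCEPT proto=udp src=203.0.113.7 sport={40000 + i} "
            f"dst=198.51.100.5 dport=500 len=296"
        )
    lines.append(
        f"{base}03 ACCEPT proto=tcp src=203.0.113.8 sport=5555 dst=198.51.100.5 dport=500 len=60"
    )
    return lines


if __name__ == "__main__":
    for src, info in flood_sources(constructed_log()).items():
        print(f"{src}: peak {info['peak']} datagrams/window, "
              f"{info['distinct_sports']} distinct source ports")
```

The threshold and window are deliberately parameters: a site with many
road-warrior peers behind a NAT will see a higher legitimate rate from one
address than a site-to-site gateway, so the values should be tuned against
a baseline of normal SA setup traffic before the report is used to trigger
rate limiting or alerting.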

VPN is sponsored by SecurityFocus.COM