From: F. S. <fre...@la...> - 2005-04-28 15:25:45
Thursday, April 28, 2005, 6:55:32 AM, you wrote:

> Fred,
> It's good that these informational messages will be "decrypted" to more
> understandable form. But I don't get, why we should act on them. To
> save few packets which poorly configured pair of hosts exchanges? Can
> these packets happen during normal well configured operations?

Well, I can imagine a few situations where it would happen, but it's
somewhat far-stretched: some sites could restrict access from an IP for a
period of time, for instance "closed for maintenance"... We could also
have problems with certificate validation if there's a chain of
certificates to fetch somewhere, maybe transient errors on the other side,
too (hard disk or network error), etc.

> If my assumptions are right, then we can think without action (just with
> log what was received).

I preferred to act on this information simply for the ease of use. For
such a small security risk, I think it's better to have a predictable
reaction of the software (all activity stops just after an error message).
Now, I understand fully that the risk may not be taken lightly. What about
a configuration directive, something like "paranoid_phase1"?

> - if we are under DoS, then log will be filled with false notifications
> (do we mark them as coming from not signed packet?),

Not strictly per se, but they can't be signed at the beginning of phase 1.
But I'll add that information to the log, you're right.

> but setup will work [and this is difference from the case when we act on
> these not signed informational messages];

Well, for a DoS to succeed, you need to catch the SPI of the first packet
before the right peer responds, and then send back a forged packet with
the corresponding IP, I think. That's a lot of work. Anyway, do we have
something to protect racoon against other, more obvious, DoSes? Something
like rate-limiting connections, to avoid a client that tries to establish
a few hundred connections at once?
(Not that it's a reason for not doing my homework correctly, mind you, but
I wonder.)

From the posts on the mailing list, and from my own experience, I really
believe racoon should improve its "user-friendliness". Right now, it's
quite hard to use if you're not deep into the IPsec RFCs and drafts...
That's the principal focus of my work with it currently, too.

> P.S. Please take my words with extra grain of salt, as only yesterday I
> left hospital...

Ow. No, don't worry, that's perfectly coherent! ;) Constructive criticism
is exactly what I needed.

Fred

-- 
You and me                           You and me
We're in this together now           If the world should break in two
None of them can stop us now         Until the very end of me
We will make it through somehow      Until the very end of you
(Nine Inch Nails, We're in This Together)
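A model of the two points raised in the mail above, added here as an example and not code from racoon / ipsec-tools or from the original thread: how an initiator should treat an unsigned Informational exchange that arrives while phase 1 is still in progress (logged as unsigned, aborting the negotiation by default, log-only under a hypothetical "paranoid_phase1" switch), and a per-source limit on new phase 1 initiations as a simple rate-limiting defence. The 28-byte ISAKMP header layout and the Informational (5) / Notification (11) codes are from RFC 2408; the names Phase1Session, handle_phase1_informational, InitiationLimiter, the paranoid flag and the peer addresses are assumptions for illustration, and the packets are constructed inline.

```python
import struct
from collections import defaultdict, deque

# ISAKMP header, RFC 2408 section 3.1 (network byte order): initiator
# cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_INFORMATIONAL = 5   # exchange type "Informational"
PAYLOAD_NOTIFY = 11      # payload type "Notification"
ZERO_COOKIE = b"\x00" * 8


def build_isakmp(icookie, rcookie, exch, flags, next_payload=0, body=b""):
    """Serialise one ISAKMP message (version 1.0) with the given header."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, exch,
                           flags, 0, length) + body


class Phase1Session:
    """Initiator-side view of one phase 1 negotiation (assumed model)."""
    def __init__(self, peer, icookie):
        self.peer = peer              # address we sent message 1 to
        self.icookie = icookie        # our initiator cookie, the "SPI"
        self.rcookie = ZERO_COOKIE    # peer has not answered yet
        self.state = "msg1-sent"
        self.log = []


def handle_phase1_informational(session, packet, paranoid):
    """
    Decide what an Informational received during phase 1 does.

    "ignore"  : cookies do not belong to this session, dropped silently
    "abort"   : default reaction in the thread, the negotiation stops
    "logonly" : hypothetical paranoid_phase1 = on, keep negotiating
    Anything reaching the log before phase 1 completes is marked as not
    signed, since no keys exist yet that could have protected it.
    """
    if len(packet) < ISAKMP_HDR.size:
        return "ignore"
    ic, rc, npl, _ver, exch, _flags, _mid, _len = ISAKMP_HDR.unpack_from(packet)
    if exch != EXCH_INFORMATIONAL or npl != PAYLOAD_NOTIFY:
        return "ignore"
    # A forger must have sniffed our initiator cookie from message 1 and
    # must answer before the real peer does; a blind packet is dropped.
    if ic != session.icookie or rc not in (session.rcookie, ZERO_COOKIE):
        return "ignore"
    session.log.append("informational from %s during phase 1 state %s "
                       "(NOT SIGNED)" % (session.peer, session.state))
    if paranoid:
        return "logonly"
    session.state = "aborted"
    return "abort"


class InitiationLimiter:
    """Sliding-window cap on new phase 1 initiations per source address."""
    def __init__(self, max_per_window, window_seconds):
        self.max = max_per_window
        self.window = window_seconds
        self.seen = defaultdict(deque)   # src -> timestamps in window

    def allow(self, src_ip, now):
        q = self.seen[src_ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def simulate(paranoid):
    """Constructed race: a forged notify beats the real phase 1 reply."""
    sess = Phase1Session(peer="198.51.100.7", icookie=b"\x11" * 8)
    # Attacker without the cookie: cannot touch the session.
    blind = build_isakmp(b"\x22" * 8, ZERO_COOKIE, EXCH_INFORMATIONAL, 0,
                         PAYLOAD_NOTIFY)
    # Attacker who captured message 1 and spoofs the peer's address.
    forged = build_isakmp(sess.icookie, ZERO_COOKIE, EXCH_INFORMATIONAL, 0,
                          PAYLOAD_NOTIFY)
    return (handle_phase1_informational(sess, blind, paranoid),
            handle_phase1_informational(sess, forged, paranoid),
            sess.state, sess.log)


if __name__ == "__main__":
    print(simulate(False))
    print(simulate(True))
    lim = InitiationLimiter(3, 10.0)
    print([lim.allow("192.0.2.1", t) for t in (0, 1, 2, 3, 11)])
```

With paranoid off the forged notify aborts the negotiation exactly as the mail describes; with it on the same packet only leaves a log line marked NOT SIGNED and phase 1 carries on. The limiter is the "few hundred connections at once" case: the fourth initiation from one address inside the window is refused while other addresses are unaffected.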