Date: Thu, 16 Dec 1999 00:54:29 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: jeroen@vangelderen.org (Jeroen C. van Gelderen)
Cc: tlambert@primenet.com, jmb@hub.freebsd.org, ragnar@sysabend.org, brett@lariat.org, dscheidt@enteract.com, noslenj@swbell.net, chat@FreeBSD.ORG
Subject: Re: dual 400 -> dual 600 worth it?
Message-ID: <199912160054.RAA28607@usr09.primenet.com>
In-Reply-To: <38582ED0.7F5D15E1@vangelderen.org> from "Jeroen C. van Gelderen" at Dec 15, 99 08:14:08 pm

> > > > Now if only IKE/ISAKMP weren't based on clipper chip technology..
> > >
> > > It's sad to see someone like you issue such a FUDish statement. IKE
> > > may have its problems but this has nothing to do with its 'Clipper
> > > heritage'.
> >
> > ";login:" is read by a hell of a lot more people than my
> > posts to "chat".
>
> What's your point?

That my post informs about the ";login:" article, and, having a
smaller circulation, should be taken as a call for indignant
people such as yourself, rather than a direct FUD supposedly
by me.

> > The ";login:" article identifies many attacks against IKE/ISAKMP,
> > and provides source code for one of them.
>
> This still has nothing to do with its 'Clipper heritage' as you
> originally implied[1].

I don't understand how you can make this bald a statement; the
problems with Fortezza based systems are that the underlying
state machine sucks.

Why is it when knee-jerk reactionaries see "Clipper", they
automatically think I'm talking about back doors, rather than
the quality of the technology?

> > The ";login:" document, or the IKE/ISAKMP document?
>
> The ";login:" document. The part you quoted doesn't tell us that
> the problems stem from any 'Clipper heritage', so quote the
> relevant part.

    A great many of the problematic specifications are due to the
    IKE/ISAKMP framework. This is not surprising, since the early
    drafts used ASN.1 and were fairly clearly ISO-inspired. The
    observations of another ISO implementor (and security analyst)
    appear applicable:

        The specification was so general, and left so many
        choices, that it was necessary to hold "implementor
        workshops" to agree on what subsets to build and what
        choices to make. The specification wasn't a specification
        of a protocol. Instead it was a framework in which a
        protocol could be designed and implemented. [Folklore-00]

    The IKE/ISAKMP framework relies on a "Domain of Interpretation"
    (DOI) for the actual details.

    IKE/ISAKMP has required numerous implementation workshops to
    reach agreement on the interpretations of the specifications.
    Implementation and testing has already taken several years.

In any case, if you want to read more, you can always get a
copy of the December ";login:" from any technical library,
instead of having me type it in for you.

> > > > It's interesting that OpenBSD has implemented IKE/ISAKMP already.
> > >
> > > What are you trying to say?
> >
> > That perhaps they would have something useful to say on the
> > subject.
>
> Can't get less FUD^H^H^Huseful, so I agree.

I meant that I would be interested in how they answer Mr. Simpson's
objections. All of them, not just the Fortezza based ones.

He outlines a number of vulnerabilities:

o Cookie crumb attack
o Cookie Jar Attack
o Cookie race attack
o Aggressive denial of service
o Cookie deficiency
o Revealed identities
o Futile filters
o Quick denial of service

and provides source code for the "Cookie crumbs" exploit.

I would be very interested in how people are going to defend
an IKE/ISAKMP system against this exploit. The code runs on
FreeBSD.

The author can be reached at: <wsimpson@greendragon.com> if you
want to obtain source code.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message