Re: proxy AH (was: An architectural draft)
On Thursday, May 29, 2003, at 00:59 Europe/Amsterdam, Eliot Lear wrote:
> When you say proxy AH do you mean the ISP actually creating the AH or
> just discarding invalid/bad AHs?
The idea is that the customer gives to its correspondents a key to be
used in calculating the authentication header. This key is derived from
one of a small set of possible "master keys" combined with the
correspondent's source address. The master keys are communicated to the
ISP (for instance by inserting them in a BGP attribute) so the ISP can
calculate the key used for a packet and then check the authentication
header. Then packets that don't have an AH or for which the AH check
fails are severely rate limited while packets that pass the check can
flow freely. When a key is abused the master keys are rotated and the
abuser simply doesn't get a new key.
This requires some serious hardware at the ISP side but it should get
rid of DoS real good. The main problem is allowing control traffic in
order to distribute the keys to the correspondents. Depending on
whether we can/want to use unmodified IKE or not this should either be
backward compatible or easy to fix, but probably not both.
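
A sketch of the check described in this message, added here as an example and not code from the thread. The message names no algorithm, so HMAC-SHA256 for both key derivation and the check value, the function names, and all keys and addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Assumptions: HMAC-SHA256 as derivation and check function; the ICV covers
# only the payload here (a real AH also covers immutable header fields).

def derive_key(master_key: bytes, src_addr: str) -> bytes:
    """Per-correspondent key from a master key and the source address."""
    addr = ipaddress.ip_address(src_addr).packed
    return hmac.new(master_key, addr, hashlib.sha256).digest()

def make_icv(key: bytes, payload: bytes) -> bytes:
    """Sender side: check value carried in the authentication header."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def isp_classify(master_keys, src_addr, payload, icv) -> str:
    """ISP side: re-derive the key from each active master key, check the ICV."""
    if icv is None:                      # packet carries no AH
        return "rate-limit"
    for mk in master_keys:               # small set, so a linear scan
        expected = make_icv(derive_key(mk, src_addr), payload)
        if hmac.compare_digest(expected, icv):
            return "forward"
    return "rate-limit"

# Constructed sample values (documentation prefix addresses, made-up keys)
OLD_MASTER, NEW_MASTER = b"constructed-master-1", b"constructed-master-2"
GOOD_SRC, ABUSER_SRC = "2001:db8::10", "2001:db8:ffff::7"
PAYLOAD = b"constructed packet payload"

def demo() -> dict:
    good_old = make_icv(derive_key(OLD_MASTER, GOOD_SRC), PAYLOAD)
    abuser_old = make_icv(derive_key(OLD_MASTER, ABUSER_SRC), PAYLOAD)
    good_new = make_icv(derive_key(NEW_MASTER, GOOD_SRC), PAYLOAD)
    before, after = [OLD_MASTER], [NEW_MASTER]   # rotation after abuse
    return {
        "valid": isp_classify(before, GOOD_SRC, PAYLOAD, good_old),
        "no_ah": isp_classify(before, GOOD_SRC, PAYLOAD, None),
        "key_from_other_source": isp_classify(before, ABUSER_SRC, PAYLOAD, good_old),
        "abuser_before_rotation": isp_classify(before, ABUSER_SRC, PAYLOAD, abuser_old),
        "abuser_after_rotation": isp_classify(after, ABUSER_SRC, PAYLOAD, abuser_old),
        "good_after_rotation": isp_classify(after, GOOD_SRC, PAYLOAD, good_new),
    }

if __name__ == "__main__":
    print(demo())
```

Because the key is bound to the source address, the ISP needs only the master keys, not per-correspondent state, and a key handed to one correspondent fails when presented from another address.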