IPSEC nonces and cookies

1- What is the use of cookies in IPSEC phase 1? It is said they protect from man-in-the-middle attacks or replay attacks, but how do they perform that?

2- Nonces, which are exchanged in messages 3 and 4 in main mode, are used as seeds for the keys generated later. What are other uses of nonces in IPSEC?

2 Replies

Nikhil Dabas
Level 1

The cookies IC and RC that appear in the IPSec protocols above are officially known as "anti-clogging tokens" in the relevant RFCs. These IPSec cookies have no relation to Web cookies, which are used to maintain state across HTTP sessions. Instead, the stated purpose of IPSec cookies is to make denial of service, or DoS, attacks more difficult.

Read section 10.4.4, IPSec Cookies, of Information Security: Principles and Practice, 2nd edition, by Mark Stamp.

Cookies serve as an identifier for the remainder of the messages in the protocol.

Consider TCP SYN flooding, which is a prototypical DoS attack. Each TCP SYN request causes the server to do a little work (create a SEQ number, for example) and to keep some amount of state. That is, the server must remember the so-called half-open connection so that it can complete the connection when the corresponding ACK arrives in the third step of the three-way handshake. It is this keeping of state that an attacker can exploit to create a DoS. If the attacker bombards a server with a large number of SYN packets and never completes the resulting half-open connections, the server will eventually deplete its resources. When this occurs, the server cannot handle legitimate SYN requests and a DoS results.

To reduce the threat of DoS in IPSec, the server Bob would like to remain stateless as much as possible. The IPSec cookies are supposed to help Bob remain stateless. However, they clearly fail to achieve their design goal. In each of the main mode protocols, Bob must remember the crypto proposal, CP, from message one, since it is required in message six when Bob computes proofB. Consequently, Bob must keep state beginning with the first message. The IPSec cookies therefore offer no significant DoS protection.
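The reply above argues that the IKEv1 main-mode cookies do not keep Bob stateless, because he must remember the crypto proposal from message one. The following is an added example, not code from the original post or from Stamp's book, of a cookie that does meet the anti-clogging design goal: Bob answers a cookie-less first message with an HMAC over the initiator's address, port and SPI and stores nothing; only when Alice repeats her first message with that cookie attached does he record her proposal. The construction is modelled on the IKEv2 COOKIE notification (RFC 7296 section 2.6); the class and function names, the 16-byte MAC truncation, the one-rotation grace period and the sample addresses are all assumptions of this example. A stateful Bob, as the reply describes him, sits beside it so the difference under a flood of unanswered first messages can be measured.

```python
import hashlib
import hmac
import os
import socket
import struct


class StatefulResponder:
    """Bob as described in the reply above: he remembers every first message
    (the crypto proposal) so he can finish the exchange later.  Every
    unanswered first message therefore costs him a table entry."""

    def __init__(self):
        self.half_open = {}

    def first_message(self, src_ip, src_port, init_spi, proposal):
        self.half_open[(src_ip, src_port, init_spi)] = proposal
        return b"cookie-irrelevant"  # state already kept; the cookie buys nothing


class StatelessCookieResponder:
    """Bob with an anti-clogging token that actually keeps him stateless.

    cookie = version || HMAC-SHA256(secret[version], src_ip || src_port || spi)[:16]
    (assumed construction, modelled on the IKEv2 COOKIE notification).  Nothing
    is stored until the initiator echoes a valid cookie, which shows it can
    receive traffic at the address it claimed.  The secret rotates; the
    previous secret stays valid for one rotation so in-flight exchanges finish.
    """

    def __init__(self, secret=None):
        self.secrets = {0: secret or os.urandom(32)}  # version -> secret
        self.version = 0
        self.half_open = {}

    def _cookie(self, version, src_ip, src_port, init_spi):
        msg = socket.inet_aton(src_ip) + struct.pack("!HQ", src_port, init_spi)
        mac = hmac.new(self.secrets[version], msg, hashlib.sha256).digest()[:16]
        return struct.pack("!B", version) + mac

    def first_message(self, src_ip, src_port, init_spi):
        """Reply to a cookie-less first message: hand out a cookie, store nothing."""
        return self._cookie(self.version, src_ip, src_port, init_spi)

    def first_message_with_cookie(self, src_ip, src_port, init_spi, cookie, proposal):
        """Accept the retried first message only if the cookie verifies for this
        address, port and SPI under a still-valid secret.  Only then is the
        proposal remembered, i.e. state is created."""
        if len(cookie) != 17 or cookie[0] not in self.secrets:
            return False
        expected = self._cookie(cookie[0], src_ip, src_port, init_spi)
        if not hmac.compare_digest(expected, cookie):
            return False
        self.half_open[(src_ip, src_port, init_spi)] = proposal
        return True

    def rotate_secret(self):
        """New secret; cookies older than one rotation stop verifying."""
        self.version += 1
        self.secrets[self.version] = os.urandom(32)
        for v in [v for v in self.secrets if v < self.version - 1]:
            del self.secrets[v]


def simulate_flood(n):
    """Deliver n first messages from constructed sources that never reply and
    return (stateful entries, stateless entries) held afterwards."""
    stateful, stateless = StatefulResponder(), StatelessCookieResponder()
    for i in range(n):
        ip = "198.51.100.%d" % (i % 254 + 1)  # constructed TEST-NET-2 addresses
        stateful.first_message(ip, 500 + i, i, b"AES-CBC/SHA1/DH2")
        stateless.first_message(ip, 500 + i, i)
    return len(stateful.half_open), len(stateless.half_open)


def legitimate_exchange():
    """Alice repeats her first message with Bob's cookie; Bob then creates
    state for that single peer.  Returns (accepted, entries held)."""
    bob = StatelessCookieResponder()
    cookie = bob.first_message("203.0.113.7", 500, 0x1234)  # constructed peer
    ok = bob.first_message_with_cookie("203.0.113.7", 500, 0x1234, cookie,
                                       b"AES-CBC/SHA1/DH2")
    return ok, len(bob.half_open)


if __name__ == "__main__":
    print("after 1000 unanswered first messages (stateful, stateless):", simulate_flood(1000))
    print("legitimate peer (accepted, entries):", legitimate_exchange())
```

Running `simulate_flood(1000)` shows the stateful Bob holding 1000 half-open entries and the cookie-based Bob holding none; `legitimate_exchange()` shows state created only after the cookie round trip. Binding the MAC to the source address is what turns the cookie from a bare identifier into a returnability check: a cookie issued to one address does not verify for another, and rotating the secret bounds how long any issued cookie remains usable.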