Posted by on May 1, 2005, 7:31 am
hello,
Why are DoS, DDoS and man-in-the-middle attacks still there in the Internet
world when we have a better protocol, IPSec? Does that mean IPSec is
not used by all of the Internet? Why? Or does IPSec have a weakness?
What is it?
Posted by Walter Roberson on May 1, 2005, 3:51 pm
: Why are DoS, DDoS and man-in-the-middle attacks still there in the Internet
: world when we have a better protocol, IPSec? Does that mean IPSec is
: not used by all of the Internet? Why? Or does IPSec have a weakness?
: What is it?
Yes, IPSec has a very large weakness.

In order for IPSec to work, the endpoint devices have to be able to establish to their satisfaction that they are communicating with the remote device that they think they are communicating with. That requires that the two device owners have found some secure "out of band" method of exchanging cryptographic information (look up "key distribution"); or else that the devices have registered with a trusted third party who is prepared to certify that the devices are who they say they are.

How do you prove to that trusted third party that you are who you say you are? You have to either prove it to them directly, or else you have to prove it to someone that the third party trusts (or to someone trusted by the party trusted by the third party...). Ultimately though, you end up having to prove your identity to -someone-. Now, how are you going to *prove* your identity short of having your DNA sequenced? Even leaving out identical twins, that doesn't prove you are who you say you are: at best it establishes a unique identifier that may be associated with you, whatever name you are going under at the moment. Passports, driver's licenses, government ID cards -- those can all be forged with various degrees of ease, or one can save the trouble of forging them by simply bribing [or being] an appropriate official authorized to issue such documents. {Check out the Corruption Perception Index, at http://www.icgg.org }

So in other words you can't effectively *prove* you are who you say you are, because you might not *be* who you say you are [and you might not even know it, if you were adopted at a young age.] And imagine the cost of doing DNA sequence analysis on 5 billion people around the Earth. Imagine even just the cost of doing a microscopic government ID forgery check for a mere 100 million or so people in wired "western" countries such as the USA, Canada, Japan, UK, Germany...

In other words, there is no PRACTICAL way of having large numbers of people [and devices] prove their identity to a level sufficient to prevent "man in the middle" attacks.

You might ask, "But how about credit cards? People prove their identity with credit cards every day!". The answer to this is that stolen credit card numbers are big business, and that a level of theft of goods and identity is a risk built into the credit card system, financed in part by the ~3% charge that credit card companies ding the merchants for on every purchase. Credit cards are in fact a good example of the many ways that lax identification measures can go seriously wrong -- so to prevent man in the middle attacks you have to do much better than what is done with credit cards.

Besides, think about it: What good would IPSec do against a DDoS? Ten thousand systems all try to connect to you. You go through a negotiation procedure and discover that they aren't who they say they are, so you drop the connection. But in the meantime you've had to go through the negotiation process, which is much more expensive than just dropping the connection. In other words, you don't gain any useful DDoS protection until the vast majority of systems (including home systems) are under firm-enough identity control as to prevent them from being "owned" by others.

And so what? -- if a virus-infested system half way around the world manages to securely prove to you that it is who it claims it is, then you get infested with the virus just as much as if they had done so anonymously. Thus, to really crack down on viruses and trojans, it would be necessary for IPSec to not just go down to the device-to-device level, but rather for IPSec to be implemented at the per-connection level, with the user continually being required to securely prove his or her identity for EVERY connection requested [and doing so in a method that was somehow fool-proof against electronic sniffing... a secure token exchange or something like that.]

How much per person do you estimate that it would cost -you- to prove solidly that a number of people were who they said they were? Who would you employ to do the work, and how much would you pay them? If they are paid anywhere even -close- to minimum wage, and have little or no job security, then they have no strong incentive to refuse bribes. Say 10 minutes of the time of someone paid $US6 per hour... that's the equivalent of $US1 that would be earned for processing any one person. If someone comes in and offers $US100 or $US500, do you think that your workers are going to say, "No! No! No! The $1 I'm being paid for this has earned my integrity completely!"? Would you not agree, then, that you would effectively have to pay professional-level wages, say $US40000 per year or more? So the processing is probably going to cost you a *minimum* of $US10... now multiply that by 10 million or more "wired" households in the US alone... Where are you going to find the $US100 million necessary for the project?
--
This is not an idea.
Posted by Michael Pelletier on May 2, 2005, 4:51 am
cranium.2003@gmail.com wrote:
> hello,
> Why are DoS, DDoS and man-in-the-middle attacks still there in the Internet
> world when we have a better protocol, IPSec? Does that mean IPSec is
> not used by all of the Internet? Why? Or does IPSec have a weakness?
> What is it?
IPSec is used to secure data between two or more parties. As to your
question, I think I understand it, "why doesn't the Internet use it"; I
think you are asking why everyone does not use it when doing any
communication? First, overhead. Do you really need 3DES (or AES) encryption
when you do a Google search? Second, IPSec came after IPv4 and as such most
applications were/are written for IPv4, which unfortunately is not very
secure. Now, if you need secure communications (VPN'ing into your work,
etc.) then you can use IPSec.
Honestly, I do not fully understand your question, so if I "missed" it I am
sorry.
Michael
--
"Microsoft isn't evil, they just make really crappy operating systems." -
Linus Torvalds