Re: IS DoS security solution is IPSEC?
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 05/01/05
- Previous message: Al Dykes: "Re: NTFS Problem"
- In reply to: cranium.2003_at_gmail.com: "IS DoS security solution is IPSEC?"
- Next in thread: cranium.2003_at_gmail.com: "Re: IS DoS security solution is IPSEC?"
- Reply: cranium.2003_at_gmail.com: "Re: IS DoS security solution is IPSEC?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 1 May 2005 15:51:46 GMT
In article <1114957894.603133.254980@z14g2000cwz.googlegroups.com>,
<cranium.2003@gmail.com> wrote:
: Why are DoS, DDoS and man-in-the-middle attacks still there in the Internet
:world when we have a better protocol, IPSEC? Does that mean IPSec is
:not used by the whole Internet? Why? Or does IPSec have a weakness?
:What is that?
Yes, IPSec has a very large weakness.
In order for IPSec to work, the endpoint devices have to be
able to establish to their satisfaction that they are
communicating with the remote device that they think they are
communicating with. That requires that the two device
owners have found some secure "out of band" method of exchanging
cryptographic information (look up "key distribution"); or else
that the devices have registered with a trusted third party
who is prepared to certify that the devices are who they say
they are.
How do you prove to that trusted third party that you
are who you say you are? You have to either prove it to them
directly, or else you have to prove it to someone that the
third party trusts (or to someone trusted by the party trusted
by the third party...) Ultimately though, you end up having
to prove your identity to -someone-. Now, how are you going to
*prove* your identity short of having your DNA sequenced?
Even leaving out identical twins, that doesn't prove you are
who you say you are: at best it establishes a unique identifier
that may be associated with you, whatever name you are going under
at the moment. Passports, driver's licenses, government ID cards --
those can all be forged with various degrees of ease, or one
can save the trouble of forging them by simply bribing [or being]
an appropriate official authorized to issue such documents.
{Check out the Corruption Perception Index, at http://www.icgg.org }
So in other words you can't effectively *prove* you are who you
say you are, because you might not *be* who you say you are
[and you might not even know it, if you were adopted at a young age.]
And imagine the cost of doing DNA sequence analysis on 5 billion
people around the Earth. Imagine even just the cost of doing a
microscopic government ID forgery check for a mere 100 million or
so people in wired "western" countries such as the USA, Canada,
Japan, UK, Germany...
In other words, there is no PRACTICAL way of having large numbers
of people [and devices] prove their identity to a level sufficient
to prevent "man in the middle" attacks.
You might ask, "But how about credit cards? People prove their
identity with credit cards every day!". The answer to this is that
stolen credit card numbers is big business, and that a level of
theft of goods and identity is a risk built in to the credit card
system, financed in part by the ~3% charge that credit card companies
ding the merchants for on every purchase. Credit cards are in fact
a good example of the many ways that lax identification measures
can go seriously wrong -- so to prevent man in the middle attacks
you have to do much better than what is done with credit cards.
Besides, think about it: What good would IPSec do against a DDoS?
Ten thousand systems all try to connect to you. You go through a
negotiation procedure and discover that they aren't who they say they
are, so you drop the connection. But in the meantime you've had to
go through the negotiation process, which is much more expensive than just
dropping the connection. In other words, you don't gain any useful
DDoS protection until the vast majority of systems (including home
systems) are under firm-enough identity control as to prevent them
from being "owned" by others.
And so what? -- if a virus-infested system halfway around the world
manages to securely prove to you that it is who it claims it is, then
you get infested with the virus just as much as if they had done so
anonymously. Thus, to really crack down on viruses and trojans, it
would be necessary for IPSec to not just go down to the
device-to-device level, but rather for IPSec to be implemented at the
per-connection level, with the user continually being required to
securely prove his or her identity for EVERY connection requested [and
doing so in a method that was somehow fool-proof against electronic
sniffing... a secure token exchange or something like that.]
How much per person do you estimate that it would cost -you-
to prove solidly that a number of people were who they said they
were? Who would you employ to do the work, and how much would
you pay them? If they are paid anywhere even -close- to minimum
wage, and have little or no job security, then they have no strong
incentive to refuse bribes. Say 10 minutes of the time of someone
paid $US6 per hour... that's the equivalent of $US1 that would be
earned for processing any one person. If someone comes in and
offers $US100 or $US500, do you think that your workers are going
to say, "No! No! No! The $1 I'm being paid for this has earned
my integrity completely!" ? Would you not agree, then, that you
would effectively have to pay professional-level wages, say $US40000
per year or more? So the processing is probably going to cost you
a *minimum* of $US10... now multiply that by 10 million or more
"wired" households in the US alone... Where are you going to find
the $US100 million necessary for the project?
-- Ceci, ce n'est pas une idée.
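The asymmetry the post describes (the responder must finish a key exchange before it can learn that the peer is not who it claims, while a flooding bot spends almost nothing per attempt) can be made concrete with a small cost model. This is an added example, not code from the post or any IPSec implementation; the group (2^521 - 1), the pre-shared key and the peer classes are constructed for the model, and it counts modular exponentiations rather than measuring time.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: 2^521 - 1 is prime but is NOT a real IKE group.
# The model counts modexps, the expensive step of a Diffie-Hellman exchange.
P = 2 ** 521 - 1
G = 2
PSK = b"constructed-pre-shared-key"   # only genuine peers know this

def _tag(key: bytes, shared: int) -> bytes:
    # Proof of identity: HMAC over the DH shared secret, keyed with the PSK.
    return hmac.new(key, shared.to_bytes(66, "big"), hashlib.sha256).digest()

class LegitPeer:
    """Honest initiator: real DH value and a valid proof of identity."""
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.modexps = 1
    def prove(self, responder_pub: int) -> bytes:
        self.modexps += 1
        return _tag(PSK, pow(responder_pub, self.priv, P))

class BogusPeer:
    """Flooding bot: random 'public value', random proof, zero modexps."""
    modexps = 0
    def __init__(self):
        self.pub = secrets.randbelow(P - 2) + 2
    def prove(self, responder_pub: int) -> bytes:
        return secrets.token_bytes(32)

def respond(peer, policy: str, cost: dict) -> bool:
    """'drop' rejects statelessly; 'ipsec' must do the DH exchange first."""
    if policy == "drop":
        return False
    priv = secrets.randbelow(P - 2) + 1
    pub = pow(G, priv, P)                      # responder modexp #1
    shared = pow(peer.pub, priv, P)            # responder modexp #2
    cost["responder_modexps"] += 2
    # Only now can the responder check whether the peer is genuine.
    return hmac.compare_digest(_tag(PSK, shared), peer.prove(pub))

def run_flood(policy: str, bogus: int, legit: int) -> dict:
    """Drive a flood of bogus peers plus a few genuine ones at the responder."""
    cost = {"responder_modexps": 0, "attacker_modexps": 0, "accepted": 0, "rejected": 0}
    peers = [BogusPeer() for _ in range(bogus)] + [LegitPeer() for _ in range(legit)]
    for peer in peers:
        cost["accepted" if respond(peer, policy, cost) else "rejected"] += 1
        if isinstance(peer, BogusPeer):
            cost["attacker_modexps"] += peer.modexps
    return cost
```

With `run_flood("ipsec", 10000, 1)` the responder performs 20002 modexps while the bots perform none, which is the post's point that negotiation costs far more than simply dropping the connection; the `drop` policy costs nothing but also turns away the genuine peer.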