I missed some of the discussion (Meetecho played up again), so maybe there's an easier answer. But I think that mere computational (CPU-hogging) puzzles are not very useful when the attacker (a desktop machine on a botnet) is much more powerful than the legitimate client (a last-year iPhone). And as Mike said, the attacker's resources are cheaper, because he steals them.

One way to mitigate this problem is by limiting the competition to "new" clients, those who haven't used the VPN for the last (say) 24 hours. The gateway could hand out time-limited, easy-to-validate, IP-bound cookies to VPN clients. And a VPN client who presents this cookie to the gateway is exempted from the puzzle game (but not from the IKE cookie, because it proves a legitimate source address which is bound to the cookie).

And even if we add such a mechanism, we still have the problem of attackers being favored by this proposal, compared to weak legit clients. So maybe puzzles are not a very good idea after all.

Thanks,
    Yaron

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
