On Mon, 22 Sep 2014, Tero Kivinen wrote:
> Yaron Sheffer writes:
> > This is a call for adopting draft-nir-ipsecme-puzzles-00 as a WG
> > document. Please respond to this mail with a Yes or No and a short
> > rationale, at latest by Friday Sep. 26.
>
> So I think this is an item we should work on, but I think there is quite
> a lot of research and work in here to get something that would be a good
> way to solve this, and as we are not in a hurry (meaning we are not
> seeing such attacks now), we can use some time to get a really good
> solution out.
I agree with Tero. It's worth thinking about, but the current solution
based on CPU power seems to be in favour of the attacker, not the
legitimate client. It would be nice if we can come up with a better
solution that gives clients a better advantage.
For example, I think currently, you are better off checking for the
CERTREQ SHA1 payload to determine which is a legitimate client, although
it does take more processing of the payloads. And of course the SHA1 is
not a very well kept secret....
So, I'm in favour of adoption of the document, but not in favour of the
currently proposed CPU-bound puzzle solution.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec