On Sep 23, 2014, at 9:24 PM, Michael Richardson <[email protected]> wrote:
> > Yoav Nir <[email protected]> wrote:
>> One proposal that I kind of liked (and I’m sorry I’ve forgotten who
>> suggested it) was to relegate the puzzle to a second line of defense,
>> through the use of some kind of anti-DoS ticket. The ticket would be a
>> bearer token (perhaps an encrypted timestamp) that would allow the
>> bearer to get by with a much easier version of the puzzle. The
> >
> > Would this ticket be provided in a Notify, after AUTHentication, in a
> > previous PARENT-SA?

Since it’s provided by the responder, it can go in the AUTH response. And yes, it’s a “have an easier time getting in next time” kind of ticket, so we don’t need solid replay protection, just best-effort replay protection.

Come to think of it, the mechanisms should only be part of the draft. The purpose of the draft is DDoS protection. So it should cover all aspects: aging policy for the half-open SA database, limiting half-open SAs from single IPv4 addresses or IPv6 prefixes, probably some other things. There’s more to protecting a server on the internet than just implementing a protocol extension.

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
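The following is an added worked example, written for this page by the editor; it is not code from the thread, from either poster, or from the draft under discussion. It sketches a responder-side front end that combines the three ideas in the message: an anti-DoS ticket handed back after a successful AUTH that buys the bearer an easier puzzle next time, with only best-effort replay protection; a hash puzzle whose difficulty depends on whether a valid ticket was presented; and a half-open SA table with an aging policy and a per-source cap (per IPv4 address, per IPv6 /64). The ticket here is an HMAC-authenticated timestamp rather than the encrypted timestamp suggested above, so the peer can read it but not forge it. Every constant, class and method name, the puzzle construction, and the /64 choice are this example's own assumptions.

```python
"""Added example (editor's code, not from the thread or the draft).

Toy IKEv2 responder front end: anti-DoS ticket, ticket-dependent hash
puzzle, and half-open SA table with aging and per-source caps.  All
names, sizes and policies below are assumptions made for illustration.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
import time
from collections import OrderedDict

TICKET_LIFETIME = 24 * 3600   # seconds a ticket stays usable (assumed)
CLOCK_SKEW = 60               # tolerated future-dating of a ticket (assumed)
HARD_BITS = 12                # puzzle difficulty without a ticket (assumed)
EASY_BITS = 4                 # puzzle difficulty with a valid ticket (assumed)
HALF_OPEN_MAX_AGE = 30.0      # half-open SAs older than this are aged out (assumed)
HALF_OPEN_PER_SOURCE = 3      # cap per IPv4 address / IPv6 /64 (assumed)
REPLAY_WINDOW = 1024          # entries kept in the best-effort replay cache


class AntiDosResponder:
    def __init__(self, ticket_key=None, now=time.time):
        self.ticket_key = ticket_key or os.urandom(32)
        self.now = now                      # injectable clock for testing
        self.half_open = {}                 # SPI -> (source key, created_at)
        self.seen_tickets = OrderedDict()   # bounded cache of tickets already used

    # --- anti-DoS ticket: bearer token = timestamp || nonce || HMAC tag ---
    def issue_ticket(self):
        body = struct.pack(">Q", int(self.now())) + os.urandom(8)
        tag = hmac.new(self.ticket_key, body, hashlib.sha256).digest()[:16]
        return body + tag

    def ticket_valid(self, ticket):
        """Check the tag and lifetime, then reject reuse on a best-effort basis."""
        if len(ticket) != 32:
            return False
        body, tag = ticket[:16], ticket[16:]
        expected = hmac.new(self.ticket_key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False
        issued = struct.unpack(">Q", body[:8])[0]
        now = int(self.now())
        if issued > now + CLOCK_SKEW or now - issued > TICKET_LIFETIME:
            return False
        if ticket in self.seen_tickets:      # replayed: fall back to the hard puzzle
            return False
        self.seen_tickets[ticket] = None
        while len(self.seen_tickets) > REPLAY_WINDOW:
            self.seen_tickets.popitem(last=False)   # oldest entry is forgotten
        return True

    def puzzle_difficulty(self, ticket):
        """The puzzle is the second line of defense; a valid ticket buys the easy one."""
        if ticket is not None and self.ticket_valid(ticket):
            return EASY_BITS
        return HARD_BITS

    # --- hash puzzle: nonce such that SHA-256(cookie || nonce) has N leading zero bits ---
    @staticmethod
    def leading_zero_bits(digest):
        n = 0
        for byte in digest:
            if byte:
                return n + 8 - byte.bit_length()
            n += 8
        return n

    @classmethod
    def solve_puzzle(cls, cookie, bits):
        """Initiator side: brute force, about 2**bits hashes on average."""
        nonce = 0
        while True:
            cand = struct.pack(">Q", nonce)
            if cls.leading_zero_bits(hashlib.sha256(cookie + cand).digest()) >= bits:
                return cand
            nonce += 1

    @classmethod
    def check_puzzle(cls, cookie, solution, bits):
        return cls.leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= bits

    # --- half-open SA database: aging policy plus per-source limits ---
    @staticmethod
    def source_key(addr):
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            return str(ip)                                        # one IPv4 address
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))  # one IPv6 /64

    def expire_half_open(self):
        cutoff = self.now() - HALF_OPEN_MAX_AGE
        for spi in [s for s, (_, t) in self.half_open.items() if t < cutoff]:
            del self.half_open[spi]

    def admit_half_open(self, spi, addr):
        """Accept an IKE_SA_INIT into the half-open table, or refuse it."""
        self.expire_half_open()
        key = self.source_key(addr)
        if sum(1 for k, _ in self.half_open.values() if k == key) >= HALF_OPEN_PER_SOURCE:
            return False
        self.half_open[spi] = (key, self.now())
        return True

    def complete_auth(self, spi):
        """AUTH succeeded: the SA leaves the half-open table and the peer gets a ticket."""
        self.half_open.pop(spi, None)
        return self.issue_ticket()
```

Usage follows the message's flow: `admit_half_open(spi, addr)` on IKE_SA_INIT, `puzzle_difficulty(ticket)` to pick the puzzle the initiator must solve, `check_puzzle(...)` on its answer, and `complete_auth(spi)` to return the ticket the initiator will present next time. Because the replay cache is bounded and the ticket is single-use only as far as that cache remembers, a replayed ticket costs the attacker at worst one easy puzzle per remembered window, which is the best-effort property the message asks for.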
