Michael Richardson writes:
> Yoav Nir <[email protected]> wrote:
>     > One proposal that I kind of liked (and I’m sorry I’ve forgotten who
>     > suggested it) was to relegate the puzzle to a second line of defense,
>     > through the use of some kind of anti-dos ticket. The ticket would be a
>     > bearer token (perhaps an encrypted timestamp) that would allow the
>     > bearer to get by with a much easier version of the puzzle. The
> 
> Would this ticket be provided in a Notify, after AUTHentication, in a
> previous PARENT-SA?

Wouldn't it be better to use IKEv2 session resumption (RFC 5723) for
those clients coming back?

I.e., if you resume an old existing session, then you do not need to do
the puzzle... And after the resume, the ticket is usually changed again,
so the ticket would always be fresh.
-- 
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
