http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/226
Hi.
I think this one we should get out of the way first.
Puzzles limit the rate at which a particular host can create half-open SAs. If
the puzzle takes 2 seconds to solve then a particular initiator (whether
legitimate initiator, or a node in a bot-net) can create at most 1 half-open SA
every 2 seconds.
Another way to achieve the same goal is to limit the half-open SA lifetime to
10 seconds and have a hard limit of 5 concurrent half-open SAs per peer. Sure,
the attacker will be able to open 5 half-open SAs within one second, but will
then be rejected for the next 9.
So why do I think we still need puzzles?
I don’t like hard limits. Hard limits allow a very easy form of DoS. If
everyone in this hotel is behind a single NAT device, then it’s fairly easy for
me to create multiple half-open SAs from my room until I hit the hard limit.
After that, everyone will be effectively blocked from initiating. So while this
is not a “nobody can connect to victim gateway” attack, it is “nobody in this
hotel can connect to victim gateway”. Soft limits are better. With soft limits
you start dishing out puzzles when you reach a certain threshold, and you never
completely block.
That’s why I think puzzles should stay.
Yoav
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
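The post contrasts a hard per-peer cap on half-open SAs with a soft threshold that hands out puzzles instead of refusing. The following simulation is an added example written for this page, not code from the IPsec working group or any IKEv2 implementation: it models a responder under each policy, runs the "everyone behind one hotel NAT" scenario from the post, and shows that the hard limit locks out a legitimate guest once an attacker on the same address has filled the quota, while the soft policy makes the guest solve a puzzle and then lets them through. The puzzle here is a simplified hash-preimage scheme (HMAC-derived stateless cookie, leading-zero-bit target) and is not the RFC 8019 wire format; the address, the difficulty parameters and all names are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Limits taken from the post's example; puzzle sizes are assumptions sized for a fast demo,
# not the "two seconds per puzzle" the post uses for illustration.
HALF_OPEN_LIFETIME = 10.0   # seconds a half-open SA is retained before it expires
HARD_LIMIT = 5              # hard policy: reject a peer with this many live half-open SAs
SOFT_THRESHOLD = 5          # soft policy: demand a puzzle at this many live half-open SAs
PUZZLE_BITS_BASE = 8        # leading zero bits required when the threshold is first reached
PUZZLE_BITS_MAX = 16        # cap so the brute force stays around 2^16 hashes


def puzzle_bits(live_half_open):
    """Difficulty grows with the peer's backlog; a soft policy never refuses outright."""
    return min(PUZZLE_BITS_BASE + (live_half_open - SOFT_THRESHOLD), PUZZLE_BITS_MAX)


def leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def puzzle_cookie(secret, peer, nonce):
    # Stateless cookie bound to peer address and initiator nonce, so the responder keeps no
    # state for unsolved puzzles and a solution cannot be precomputed or replayed by another peer.
    return hmac.new(secret, peer.encode() + nonce, hashlib.sha256).digest()


def verify_puzzle(cookie, bits, solution):
    return leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= bits


def solve_puzzle(cookie, bits):
    """Brute-force search the initiator has to perform; returns (solution, hashes_tried)."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if verify_puzzle(cookie, bits, candidate):
            return candidate, counter + 1
        counter += 1


class FakeClock:
    """Injected clock so the scenario can advance time deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class Responder:
    def __init__(self, policy, clock):
        assert policy in ("hard", "soft")
        self.policy = policy
        self.clock = clock
        self.secret = secrets.token_bytes(32)
        self.half_open = {}   # peer address -> expiry times of its live half-open SAs

    def _live(self, peer):
        now = self.clock()
        live = [t for t in self.half_open.get(peer, []) if t > now]
        self.half_open[peer] = live
        return len(live)

    def ike_sa_init(self, peer, nonce, solution=None):
        """Returns "accept", "reject", or ("puzzle", cookie, bits)."""
        count = self._live(peer)
        if self.policy == "hard" and count >= HARD_LIMIT:
            return "reject"
        if self.policy == "soft" and count >= SOFT_THRESHOLD:
            bits = puzzle_bits(count)
            cookie = puzzle_cookie(self.secret, peer, nonce)
            if solution is None or not verify_puzzle(cookie, bits, solution):
                return ("puzzle", cookie, bits)
        self.half_open.setdefault(peer, []).append(self.clock() + HALF_OPEN_LIFETIME)
        return "accept"


def hotel_scenario(policy):
    """Attacker and a legitimate guest share one NAT address; returns the guest's outcomes."""
    clock = FakeClock()
    responder = Responder(policy, clock)
    nat = "198.51.100.7"   # constructed address standing in for the hotel NAT

    # Attacker fires five IKE_SA_INIT requests within one second and never completes any of them.
    for i in range(HARD_LIMIT):
        clock.now = 0.2 * i
        responder.ike_sa_init(nat, secrets.token_bytes(32))

    # One second later a legitimate guest behind the same NAT tries to connect.
    clock.now = 1.0
    nonce = secrets.token_bytes(32)
    first = responder.ike_sa_init(nat, nonce)
    result = {"first": first if isinstance(first, str) else "puzzle",
              "after_puzzle": None, "hashes": 0}
    if result["first"] == "puzzle":
        _, cookie, bits = first
        solution, tried = solve_puzzle(cookie, bits)
        result["after_puzzle"] = responder.ike_sa_init(nat, nonce, solution)
        result["hashes"] = tried

    # Once the half-open lifetime has passed, the attacker's entries expire under either policy.
    clock.now = 11.0
    result["after_expiry"] = responder.ike_sa_init(nat, secrets.token_bytes(32))
    return result


if __name__ == "__main__":
    for policy in ("hard", "soft"):
        print(policy, hotel_scenario(policy))
```

Under the hard policy the guest's first attempt is rejected and nothing they do helps until the attacker's entries age out; under the soft policy the same attempt yields a puzzle, and the difficulty returned by `puzzle_bits` keeps climbing with the backlog, so an attacker who keeps solving pays more per half-open SA while a single legitimate connection costs one small puzzle.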