Yoav Nir <[email protected]> wrote:
> I don’t like hard limits. Hard limits allow a very easy form of DoS. If
> everyone in this hotel is behind a single NAT device, then it’s fairly
> easy for me to create multiple half-open SAs from my room until I hit
> the hard limit. After that, everyone will be effectively blocked from

Except now apply CGN in an IPv4-address-poor country, and it's not just the people in the hotel, it's potentially everyone in that area. Given 300-odd well-distributed, compromised hosts, one could keep the half-SA table full for much of the developing world... So I buy your argument.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
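
The lockout both messages describe, as an added example that is not part of the thread: a toy model of a responder that enforces a hard per-source-IP cap on half-open SAs, where every peer behind one NAT shares a single counter. The class and function names, the cap of 5, the 30-second half-open lifetime and the documentation addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

NAT_IP = "203.0.113.7"      # constructed: shared public address of the NAT
OTHER_IP = "198.51.100.20"  # constructed: a peer that is not behind that NAT


class HalfOpenTable:
    """Responder state: expiry times of half-open SAs, keyed by source IP."""

    def __init__(self, per_ip_limit, lifetime):
        self.per_ip_limit = per_ip_limit
        self.lifetime = lifetime
        self.expiry = defaultdict(deque)

    def admit(self, ip, now):
        """Accept a new half-open SA unless the hard cap for ip is reached."""
        q = self.expiry[ip]
        while q and q[0] <= now:   # drop entries that have timed out
            q.popleft()
        if len(q) >= self.per_ip_limit:
            return False
        q.append(now + self.lifetime)
        return True

    def complete(self, ip):
        """Handshake finished: the newest entry for ip stops being half-open."""
        self.expiry[ip].pop()


def simulate(abandoned_until, per_ip_limit=5, lifetime=30, duration=120):
    """Return (blocked guests behind the NAT, blocked peers elsewhere).

    One host behind the NAT starts an exchange every second and never
    finishes it, for t < abandoned_until. A guest behind the same NAT and
    a peer on another address each try a full handshake every 10 seconds.
    """
    table = HalfOpenTable(per_ip_limit, lifetime)
    blocked = {NAT_IP: 0, OTHER_IP: 0}
    for t in range(duration):
        if t < abandoned_until:
            table.admit(NAT_IP, t)          # stays half-open until it expires
        if t % 10 == 5:
            for ip in (NAT_IP, OTHER_IP):
                if table.admit(ip, t + 0.5):
                    table.complete(ip)      # legitimate peers finish at once
                else:
                    blocked[ip] += 1
    return blocked[NAT_IP], blocked[OTHER_IP]


if __name__ == "__main__":
    for until in (0, 60, 120):
        print(until, simulate(until))
```

The guest behind the NAT is refused for as long as the abandoned exchanges continue and for up to one half-open lifetime afterwards, while the peer on the other address is never affected, because the cap is keyed on the source address alone.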
