On Wed, Nov 26, 2014 at 02:01:22PM +0200, Yoav Nir wrote:
> Puzzles limit the rate at which a particular host can create half-open
> SAs. If the puzzle takes 2 seconds to solve then a particular
> initiator (whether legitimate initiator, or a node in a bot-net) can
> create at most 1 half-open SA every 2 seconds.
>
> Another way to achieve the same goal is to limit the half-open SA
> lifetime to 10 seconds and have a hard limit of 5 concurrent half-open
> SAs per peer. Sure, the attacker will be able to open 5 half-open SAs
> within one second, but will then be rejected for the next 9.
>
> So why do I think we still need puzzles?
I agree with your and Michael's points, but do recall that initiator/responder roles are exchangeable, and even when initiators are "clients" they might have to speak to many other responders. Puzzles/puzzle complexity seems like a good device for throttling half-open IKE SA creation when under load, but it might not be a good idea to have 2s puzzles on all the time.

Nico

--
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
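The two throttles compared in the exchange above, side by side, as an added example that is not part of the thread and not code from the IPsec WG or any IKE implementation: a responder-side table of half-open SAs with a 10 s lifetime and a hard cap of 5 per peer, and a hash puzzle whose difficulty is zero while the responder is idle and rises only as the half-open table fills (the "on only under load" behaviour Nico argues for). The puzzle format (SHA-256 over cookie||solution with N leading zero bits), the soft limit of 1000 half-open SAs, the one-bit-per-250-SAs step, the peer address and the cookie are all constructed for illustration and are not the encoding or parameters of the IKEv2 puzzle draft.

```python
"""Responder-side throttles for half-open IKE SAs (illustrative, not any
real IKE stack): per-peer cap + lifetime, and a load-adaptive hash puzzle."""
import hashlib
import os
from collections import defaultdict, deque

HALF_OPEN_TTL = 10.0          # seconds a half-open SA is kept (thread: 10 s)
MAX_HALF_OPEN_PER_PEER = 5    # hard per-peer cap (thread: 5)


class HalfOpenLimiter:
    """Bounded number of concurrent half-open SAs per peer, each expiring after TTL."""

    def __init__(self, ttl=HALF_OPEN_TTL, cap=MAX_HALF_OPEN_PER_PEER):
        self.ttl = ttl
        self.cap = cap
        self.expiry = defaultdict(deque)   # peer -> expiry times, oldest first

    def _expire(self, peer, now):
        q = self.expiry[peer]
        while q and q[0] <= now:           # drop SAs whose lifetime has passed
            q.popleft()

    def try_open(self, peer, now):
        """Admit a new IKE_SA_INIT from `peer` at time `now`? True if a slot is free."""
        self._expire(peer, now)
        q = self.expiry[peer]
        if len(q) >= self.cap:
            return False
        q.append(now + self.ttl)
        return True

    def complete(self, peer, now):
        """IKE_AUTH finished: release the oldest half-open slot held by `peer`."""
        self._expire(peer, now)
        if self.expiry[peer]:
            self.expiry[peer].popleft()

    def total_half_open(self, now):
        """Responder-wide load figure used to pick the puzzle difficulty."""
        for peer in list(self.expiry):
            self._expire(peer, now)
        return sum(len(q) for q in self.expiry.values())


def puzzle_difficulty(total_half_open, soft_limit=1000, step=250, max_bits=20):
    """0 bits (no puzzle) below the soft limit; one more bit per `step` SAs above it.
    soft_limit/step/max_bits are assumed tuning knobs, not values from the draft."""
    if total_half_open < soft_limit:
        return 0
    return min(max_bits, 1 + (total_half_open - soft_limit) // step)


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(cookie, bits):
    """Initiator side: brute force, expected cost about 2**bits hashes."""
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if _leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= bits:
            return solution
        counter += 1


def verify_puzzle(cookie, solution, bits):
    """Responder side: one hash, so checking stays cheap whatever the difficulty."""
    return _leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= bits


def simulate_single_attacker(attempts=20):
    """One peer floods `attempts` IKE_SA_INITs at t=0, then again at t=5 and t=10.
    Returns how many were admitted in each burst (cap 5, lifetime 10 s)."""
    lim = HalfOpenLimiter()
    peer = "203.0.113.7"                     # constructed documentation address
    burst0 = sum(lim.try_open(peer, 0.0) for _ in range(attempts))
    burst5 = sum(lim.try_open(peer, 5.0) for _ in range(attempts))
    burst10 = sum(lim.try_open(peer, 10.0) for _ in range(attempts))
    return burst0, burst5, burst10


if __name__ == "__main__":
    print("admitted per burst (t=0, 5, 10):", simulate_single_attacker())
    print("puzzle bits when idle / under load:", puzzle_difficulty(200), puzzle_difficulty(1500))
    cookie = os.urandom(16)
    sol = solve_puzzle(cookie, 12)
    print("solution verifies:", verify_puzzle(cookie, sol, 12))
```

The per-peer cap gives exactly the behaviour Yoav describes (5 admitted, then nothing until the 10 s lifetime expires), but it only keys on the peer address, so a botnet spreads its load across many keys. The puzzle costs the initiator work per SA regardless of address; making its difficulty a function of `total_half_open` keeps that cost at zero for legitimate initiators while the responder is not under attack.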
