Great point. Puzzles are a good tool that will be needed if/when DDoS becomes a serious issue. (I can't think of a silver bullet which will solve this.)
They should also not be mandatory (with the option to be configurable, as per cookie notifications), as I would assume some hosts will never be able to support these.

Cheers

On 26/11/2014 20:02, "Nico Williams" <[email protected]> wrote:

>On Wed, Nov 26, 2014 at 02:01:22PM +0200, Yoav Nir wrote:
>> Puzzles limit the rate at which a particular host can create half-open
>> SAs. If the puzzle takes 2 seconds to solve then a particular
>> initiator (whether legitimate initiator, or a node in a bot-net) can
>> create at most 1 half-open SA every 2 seconds.
>>
>> Another way to achieve the same goal is to limit the half-open SA
>> lifetime to 10 seconds and have a hard limit of 5 concurrent half-open
>> SAs per peer. Sure, the attacker will be able to open 5 half-open SAs
>> within one second, but will then be rejected for the next 9.
>>
>> So why do I think we still need puzzles?
>
>I agree with your and Michael's points, but do recall that
>initiator/responder roles are exchangeable, and even when initiators are
>"clients" they might have to speak to many other responders. Puzzles/
>puzzle complexity seems like a good device for throttling half-open IKE
>SA creation when under load, but it might not be a good idea to have 2s
>puzzles on all the time.
>
>Nico
>--
>
>_______________________________________________
>IPsec mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
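A responder-side model of the alternative Yoav describes in the quoted text (a 10-second half-open SA lifetime plus a hard cap of 5 concurrent half-open SAs per peer), added here as an illustration; it is not code from the thread or from any IKE implementation, and the class name, method names and sample peer addresses are my own.

```python
from collections import defaultdict, deque

HALF_OPEN_LIFETIME = 10.0   # seconds a half-open SA is retained before being dropped
MAX_HALF_OPEN_PER_PEER = 5  # hard cap on concurrent half-open SAs from one peer


class HalfOpenSaLimiter:
    """Responder-side bookkeeping of half-open IKE SAs, keyed by peer address.

    Each peer maps to a deque of creation timestamps (oldest first), so
    expiring stale entries and counting live ones are both cheap. Times are
    passed in explicitly so the behaviour can be replayed deterministically.
    """

    def __init__(self, lifetime=HALF_OPEN_LIFETIME, max_per_peer=MAX_HALF_OPEN_PER_PEER):
        self.lifetime = lifetime
        self.max_per_peer = max_per_peer
        self._half_open = defaultdict(deque)

    def _expire(self, peer, now):
        # Drop every half-open SA that has lived for at least `lifetime` seconds.
        q = self._half_open[peer]
        while q and now - q[0] >= self.lifetime:
            q.popleft()

    def live_count(self, peer, now):
        self._expire(peer, now)
        return len(self._half_open[peer])

    def try_open(self, peer, now):
        """Return True if a new half-open SA for `peer` is admitted at time `now`."""
        self._expire(peer, now)
        q = self._half_open[peer]
        if len(q) >= self.max_per_peer:
            return False          # peer is at its cap: reject until an entry expires
        q.append(now)
        return True

    def complete(self, peer, now):
        """The peer finished the exchange: its oldest half-open SA becomes a full SA."""
        self._expire(peer, now)
        q = self._half_open[peer]
        if q:
            q.popleft()


def simulate_burst(limiter, peer, start, attempts, interval):
    """Replay `attempts` IKE_SA_INIT requests spaced `interval` seconds apart.

    Returns a list of (time, admitted) pairs.
    """
    return [(start + i * interval, limiter.try_open(peer, start + i * interval))
            for i in range(attempts)]
```

Replaying six requests from one (constructed) address within a second admits the first five and rejects the sixth, and that peer stays rejected until its oldest entry ages out at the 10-second mark, while other peers are unaffected.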
