Hi Nico
On 26/11/2014 22:17, "Nico Williams" <[email protected]> wrote:

>For VPN SGs using puzzles all the time would be fine, but for VPN
>clients it'd be very rude to use them when acting as the responder! The
>protocol may be symmetric, but some uses aren't.
>
>VPN clients probably don't talk to more than one SG at a time, so why
>should they need puzzles at all? For single-user VPN clients there's
>not much of a DDoS problem. Even for BITW uses..
>
>For end-to-end IPsec using complex puzzles all the time would probably
>not be useful at all, but using them as load goes up would be very
>appropriate.

Is this for 2 peers with a site-site IPsec (with known addresses)? I agree that there would be little need for puzzles as security controls - IPS/Firewall (even Cookie Notifications) etc. would be better suited to mitigating an attack, as the peer address is known and would need to be spoofed.

>
>Another variable worth using for determining puzzle complexity is the
>responder's estimated cost of holding the half-open IK_SA and completing
>the exchange. For a protocol where the initiator can demonstrate having
>recently been a productive peer there may be no need to make the
>initiator spend a lot of time on puzzles -- no need to punish the
>innocent parties, when you know who they are (but innocence is difficult
>to determine).

This is interesting, so maybe you could have a token that is bound to identity; if you have completed a puzzle, it's valid for x period of time? This is presented to over-ride having to complete a puzzle?

cheers
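The two ideas in the exchange above, puzzle difficulty that rises with responder load and an identity-bound token that lets a peer who recently completed a puzzle skip the next one, sketched as an added example (not code from the thread or from any IKEv2 implementation). The SHA-256 leading-zero puzzle, the HMAC token format, the difficulty ramp and the 300-second lifetime are all assumptions chosen for illustration.

```python
import hashlib, hmac, os

# Constructed responder-side policy sketch; constants are illustrative
# assumptions, not values taken from any IKEv2 specification or product.
TOKEN_SECRET = os.urandom(32)  # responder-only key; never shared with peers
TOKEN_LIFETIME = 300           # seconds a "recent peer" token stays valid

def puzzle_difficulty(half_open_sas, capacity):
    """Leading-zero bits to demand; 0 (no puzzle) while load stays low."""
    if half_open_sas < capacity / 2:
        return 0
    return min(20, 8 + int((half_open_sas / capacity - 0.5) * 24))  # 8..20 bits

def _leading_zero_bits(digest):
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def verify_puzzle(cookie, nonce, difficulty):
    # Responder check: cheap and stateless given the cookie it handed out.
    return _leading_zero_bits(hashlib.sha256(cookie + nonce).digest()) >= difficulty

def solve_puzzle(cookie, difficulty):
    # Initiator side: brute-force an 8-byte nonce that passes verify_puzzle.
    n = 0
    while not verify_puzzle(cookie, n.to_bytes(8, "big"), difficulty):
        n += 1
    return n.to_bytes(8, "big")

def issue_token(peer_id, now):
    """After a successful puzzle, bind peer identity and expiry under an HMAC."""
    msg = peer_id + (int(now) + TOKEN_LIFETIME).to_bytes(8, "big")
    return msg + hmac.new(TOKEN_SECRET, msg, hashlib.sha256).digest()

def token_valid(token, peer_id, now):
    """Accept only if identity matches, not expired, and MAC verifies."""
    if len(token) != len(peer_id) + 8 + 32 or token[:len(peer_id)] != peer_id:
        return False
    msg, mac = token[:-32], token[-32:]
    if now > int.from_bytes(msg[len(peer_id):], "big"):
        return False
    return hmac.compare_digest(mac, hmac.new(TOKEN_SECRET, msg, hashlib.sha256).digest())

def required_difficulty(token, peer_id, now, half_open_sas, capacity):
    # Policy: a valid recent-peer token waives the puzzle; otherwise scale with load.
    if token is not None and token_valid(token, peer_id, now):
        return 0
    return puzzle_difficulty(half_open_sas, capacity)
```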
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
