> On Jan 23, 2015, at 11:28 AM, Graham Bartlett (grbartle) <[email protected]>
> wrote:
>
> Hi Paul
>
>
> Sorry for the late reply. Hopefully the following is more clear?
>
> When designing systems which will provide connectivity for
> non-authenticated users, the system SHOULD be designed with the capacity
> to support not only the maximum intended number of peers, but also include
> an additional number of sessions which are created due to malicious or
> erroneous behaviour. This safety margin will allow a system to still
> operate safely under load until it is exceeded.

I understand the sentiment, but this seems like a recommendation that can’t be
tested and can’t really be implemented either. The trouble is that the number
of malicious sessions is unbounded (and may be quite large in a DoS scenario).
It might be better simply to point out the limitations of the machinery:
because authentication is not provided in this case, the receiving system has
no way to distinguish legitimate peers from malicious ones. As a result, a
denial of service attack may prevent the intended number of legitimate peers
from communicating. Additional session (SA?) capacity may help in such cases.

My point is that this is definitely going to be a case of throwing some more
resources at the problem in the hopes it’s enough, but no way to predict
whether it’s good enough. Because of that, “SHOULD” seems inappropriate, and a
simple statement of the issue and the limitations of this new protocol is
better.

paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec