Valery Smyslov <[email protected]> wrote:
> We came to the problem that weak clients cannot solve strong puzzles,
> so using puzzles for DDoS protection makes legitimate weak clients
> incapable of establishing IKE SA. Then I thought that probably we can use
> some other resource, that is available for weak clients to solve puzzles.
Sure, there could also be some interface to OAUTH2.
> This approach has some potential drawbacks.
> 1. CAPTCHA is usually rather big, so we could run into fragmentation
> problem in IKE_SA_INIT.
I would think that reference by value is the wrong approach, it should be a
URL.
> 2. The difficulty of CAPTCHA is somewhat unclear, the progress
> in OCR technology could make this kind of puzzles too weak
> and attackers would indicate their preference to get this kind of
> puzzles.
> 3. This solution is suitable for smartphones, however there are
> many weak clients that are not smartphones (besides IoT world
> that could be some SOHO devices, like sensors, home appliance,
> SOHO routers etc.).
It seems to me there cannot be a one-size-fits-all approach.
Focus on a smaller scope of problem.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
