On Tue, Mar 1, 2016 at 9:03 PM, Waltermire, David A. (Fed) <[email protected]> wrote:

All:

With the draft-ietf-ipsecme-ddos-protection-04 freshly minted, I believe the draft is shaping up nicely, but needs additional review. To that end, this message starts a Working Group Last Call (WGLC) for draft-ietf-ipsecme-ddos-protection-04. The version to be reviewed is https://tools.ietf.org/id/draft-ietf-ipsecme-ddos-protection-04.txt.

Please send your comments, questions, and edit proposals to the WG mail list until March 18, 2015. If you believe that the document is ready to be submitted to the IESG for consideration as a Standards Track RFC please send a short message stating this.
I think the document is well written with respect to DDOS. I like everything except the puzzles. It seems a lot of complexity for no gain, especially with the problem being that botnets are better at puzzle solving than mobile phones that want to not drain their batteries. I would prefer this document to proceed without the puzzles, but I won't object to it if it remains in the document. As an implementor, it would be extremely unlikely that I would implement puzzles.

Recently, I also thought about amplification attacks, which are not covered by the document. For instance, legitimate clients could pad their IKE_INIT Request as a way to tell the responder they are not just using the responder to amplify a DDOS attack. I am thinking of making that the default for some Opportunistic IPsec so it cannot be abused for amplification. I'd like to see that added to the draft if possible. Or if this document would not proceed, I would be tempted to write a draft for this idea.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
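The following is an added illustration of the padding idea raised in the reply above; it is not code from the draft, from Paul, or from any IKE implementation. It models only a responder-side policy decision based on message sizes: a request padded to at least the size of the full IKE_SA_INIT response gets that response, an unpadded request gets only a small stateless cookie challenge, and a request too small to even carry a challenge without amplification is dropped. The byte sizes (a 1200-byte full response, an 80-byte cookie challenge) are assumed for the example, not taken from the draft.

```python
"""
Responder-side amplification guard for IKE_SA_INIT, modelled on the
"client pads its request" idea from the mailing-list reply.

Added example with assumed numbers; not from the draft or any IKE stack.
Only message lengths are considered. The point being demonstrated is that
the responder never emits more bytes than it received from an unverified
source address, so a spoofed request cannot turn it into an amplifier.
"""

from dataclasses import dataclass

COOKIE_CHALLENGE_LEN = 80    # assumed size of a minimal cookie-only reply
MAX_AMPLIFICATION = 1.0      # policy: reply bytes / request bytes must not exceed this


@dataclass(frozen=True)
class Decision:
    action: str           # "full_response" | "cookie_challenge" | "drop"
    reply_len: int        # bytes the responder would actually send
    amplification: float  # reply_len / request_len


def amplification(request_len: int, reply_len: int) -> float:
    """Bandwidth amplification factor seen by the (possibly spoofed) source."""
    if request_len <= 0:
        raise ValueError("request length must be positive")
    return reply_len / request_len


def required_padding(request_len: int, full_response_len: int) -> int:
    """How many padding bytes a legitimate client must add so the full
    response is not an amplification of its request."""
    return max(0, full_response_len - request_len)


def decide(request_len: int, full_response_len: int) -> Decision:
    """
    Choose what to send back to an unverified IKE_SA_INIT request.

    - Padded request (>= full response size): answer in full; the client has
      already spent at least as much bandwidth as it asks the responder to spend.
    - Smaller request: send only the cookie challenge, provided even that fits
      under the amplification limit; the client retries with the cookie and,
      if it wants the full answer without a second round trip, with padding.
    - Request smaller than the challenge itself: drop silently.
    """
    full_amp = amplification(request_len, full_response_len)
    if full_amp <= MAX_AMPLIFICATION:
        return Decision("full_response", full_response_len, full_amp)

    challenge_amp = amplification(request_len, COOKIE_CHALLENGE_LEN)
    if challenge_amp <= MAX_AMPLIFICATION:
        return Decision("cookie_challenge", COOKIE_CHALLENGE_LEN, challenge_amp)

    return Decision("drop", 0, 0.0)


if __name__ == "__main__":
    # Constructed scenarios (sizes are illustrative, not measured traffic).
    full_len = 1200
    for req_len in (40, 300, 1200):
        d = decide(req_len, full_len)
        print(f"request={req_len:5d}B  action={d.action:16s} "
              f"reply={d.reply_len:5d}B  amplification={d.amplification:.2f}  "
              f"padding needed for full reply={required_padding(req_len, full_len)}B")
```

Run the module directly to see the three cases side by side. The design choice worth noting is that the cookie challenge path already exists in IKEv2 for state exhaustion; tying the size-based policy to it means padding buys a legitimate client one fewer round trip rather than being a separate mechanism the responder has to trust.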
