Hi,

On 26 May 2016, at 4:12 PM, Valery Smyslov <[email protected]> wrote:

> Hi,
> 
> In Buenos Aires a proposal was expressed to split the DDoS protection
> draft into two. One of them would describe possible kinds of (D)DoS
> attacks and would suggest some countermeasures to thwart them without
> introducing anything new into the IKEv2 protocol.
> The other document (with Experimental status) would describe the puzzles
> and would define a new IKEv2 extension defending against (D)DoS attacks
> using puzzles.
> 
> The main motivation for such a proposal was a concern that the puzzles
> mechanism would not be as effective as it was initially intended to be,
> and might even make things worse for "small" devices.
> On the other hand, if we go this way and give the puzzles stuff an
> Experimental status, then probably very few vendors (if any) will
> implement it and the real problem of defending against (D)DoS attacks
> will remain unaddressed.
> 
> So, what do folks think about this proposal?
> 
> Regards,
> Valery & Yoav.

One more data point. My employer has implemented puzzles in older versions of 
our remote access client and gateway. It worked fine, but we don’t have any 
numbers on whether it actually stopped DoS attacks. We ended up abandoning it 
for IPR reasons, which is why this draft uses an entirely different kind of 
puzzle.

Regards,

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
