> On 31 May 2016, at 8:01 AM, Valery Smyslov <[email protected]> wrote:
>
> Hi Paul,
>
>>> On the other hand, if we go this way and give the puzzles stuff an
>>> Experimental status, then probably very few vendors (if any) will implement
>>> it and the real problem of defending against (D)DoS attacks will remain
>>> unaddressed.
>>
>> I don't think the puzzles implementation adoption will be much different from
>> whether it is part of the ddos document or a stand-alone document.
>
> The concern is not about stand-alone puzzles document. It is about an
> Experimental status of that document versus Standards Track in the current
> draft. Vendors tend to ignore Experimental RFCs.
The conventional wisdom is that vendors tend to ignore whatever status the IETF assigns to documents and implement whatever meets their goals.

My preference is to keep it all in one document, and clearly state that the puzzle part of the document is OPTIONAL, meaning that you can comply with the RFC even without implementing it.

There is a concern about an Initiator that does not implement puzzles connecting to a Responder that does. Things will work fine until there is a DoS attack and then we’re helping the attacker by denying service to the non-implementing Initiator. And that could happen between an Initiator and Responder, both of whom can claim compliance with the document. This isn’t great, but separating them into two documents does not make the problem go away.

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
