Re: [IPsec] Cost-efficient quantum-resistant DoS protection

2021-11-11 Thread Yoav Nir
> On 10 Nov 2021, at 16:41, Michael Richardson wrote: > > > Yoav Nir wrote: Tero Kivinen wrote: >> Even without surpassing the 64KB limit, this must be a concern. >> IKEv2's cookie mechanism and puzzles try to increase the cost of the >> attacker per each connection. Now,

Re: [IPsec] Cost-efficient quantum-resistant DoS protection

2021-11-11 Thread Valery Smyslov
Hi Michael, > >> I've implemented puzzles, but I'm not aware of any other > implementation. > >> > >> What about cookies - in stress tests they are used very intensively. > >> But I don't have any real life stats for them. > >> > >> Regards, > >> Valery. > > > I

[IPsec] I-D Action: draft-ietf-ipsecme-mib-iptfs-01.txt

2021-11-11 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF. Title : Definitions of Managed Objects for IP Traffic Flow Security Authors : Don Fedyk

[IPsec] I-D Action: draft-ietf-ipsecme-yang-iptfs-03.txt

2021-11-11 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Maintenance and Extensions WG of the IETF. Title : A YANG Data Model for IP Traffic Flow Security Authors : Don Fedyk

Re: [IPsec] Potential issue with draft-ietf-ipsecme-ikev2-intermediate

2021-11-11 Thread Paul Wouters
On Thu, 11 Nov 2021, Tero Kivinen wrote: My suggestion (as an individual not as a chair) is to add text to security considerations section where we point out that implementations should limit the number of IKE_INTERMEDIATE exchanges they allow to something sensible, like 10 or so. These are

Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike

2021-11-11 Thread mohamed.boucadair
Hi Tommy, All good points. Thanks. Please see inline. Cheers, Med > -Original Message- > From: IPsec On behalf of Tommy Pauly > Sent: Thursday 11 November 2021 15:08 > To: Tero Kivinen ; ipsec@ietf.org > Subject: Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike > > I

[IPsec] Potential issue with draft-ietf-ipsecme-ikev2-intermediate

2021-11-11 Thread Tero Kivinen
Valery Smyslov writes: > So, the question to the WG is - what should we do with this: > > 1. Re-define calculation of IntAuth to make it constant in size. > This will most probably require another WGLC and will break > interoperability of existing products. The latter seems not so >

Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike

2021-11-11 Thread Tommy Pauly
I support adoption of this work. The mechanism of specifying the authentication domain name and service parameters is sound, and the right direction. I do agree with Paul Wouter’s comments, and I think the parts of the document that deal with requirements for config requests need work. Ideally,

Re: [IPsec] WG Adoption call for draft-btw-add-ipsecme-ike

2021-11-11 Thread mohamed.boucadair
Hi Paul, Please see inline. Cheers, Med Orange Restricted > -Original Message- > From: Paul Wouters > Sent: Wednesday 10 November 2021 23:24 > To: BOUCADAIR Mohamed INNOV/NET > Cc: Paul Wouters ; ipsec@ietf.org; draft-btw-add- > ipsecme-...@ietf.org; Tero Kivinen > Subject: Re: