On Fri, Mar 10, 2023 at 4:12 AM Mohit Sahni <msa...@paloaltonetworks.com> wrote:
[ proposed changes / confirmations in the xml file ]

I have read the xml diff and I agree with all changes made.

> Just noticed an incomplete response for this comment, responding again to
> it.
>
> > The next bullet I just do not understand:
> >
> >   In order to reduce the risks imposed by DoS attacks, the
> >   implementations SHOULD optimally use the available datagram size
> >   i.e. avoid small datagrams containing partial CMP PKIMessage data.
> >
> > Please explain what is meant here and/or rephrase it.
>
> <M.S.> The intent here is to instruct clients to send CMP messages in as
> few packets as possible. Fragmentation of CMP messages may cause the server
> to buffer packets which will consume resources on the server. With clients
> instructed to send CMP messages in as few packets as possible, servers can
> choose to ignore fragmented CMP messages to mitigate such DoS attacks.

So maybe:

  Implementations SHOULD use the available datagram size and avoid small
  datagrams containing partial CMP PKIMessage data in order to reduce memory
  usage for packet buffering.

Please submit a new version to the datatracker with these changes, so we can
start the IETF Last Call.

Paul
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
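The buffering concern discussed in the exchange above, as an added toy model that is not part of the thread or of the draft: a client splits a (constructed) DER-encoded CMP PKIMessage into datagrams, and a server reassembles them under a fixed memory budget while refusing non-final fragments that leave most of the datagram unused. The fragment header, the size constants and the rejection policy are assumptions for illustration only; they are not CoAP's own fragmentation mechanism and not anything the draft specifies.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass, field

# All sizes and the header layout below are assumptions for this toy model.
MAX_DATAGRAM = 1024              # usable datagram payload a well-behaved client fills
MIN_PARTIAL = 512                # a non-final fragment smaller than this is "small"
SERVER_BUFFER_BUDGET = 8 * 1024  # total bytes the server will hold for incomplete messages

# Toy fragment header: message id, fragment index, fragment count (not CoAP's format).
HDR = struct.Struct("!IHH")


def fragment(pki_message: bytes, msg_id: int, datagram_size: int = MAX_DATAGRAM) -> list[bytes]:
    """Split a PKIMessage into datagrams of at most datagram_size bytes each."""
    payload = datagram_size - HDR.size
    if payload <= 0:
        raise ValueError("datagram too small for header")
    chunks = [pki_message[i:i + payload] for i in range(0, len(pki_message), payload)] or [b""]
    return [HDR.pack(msg_id, idx, len(chunks)) + c for idx, c in enumerate(chunks)]


@dataclass
class Reassembly:
    total: int
    parts: dict[int, bytes] = field(default_factory=dict)

    def size(self) -> int:
        return sum(len(p) for p in self.parts.values())


class Server:
    """Reassembles fragments under a memory budget; drops needlessly small partial datagrams."""

    def __init__(self, budget: int = SERVER_BUFFER_BUDGET, min_partial: int = MIN_PARTIAL):
        self.budget = budget
        self.min_partial = min_partial
        self.pending: dict[int, Reassembly] = {}
        self.completed: dict[int, bytes] = {}
        self.rejected = 0

    def buffered(self) -> int:
        return sum(r.size() for r in self.pending.values())

    def receive(self, datagram: bytes) -> str:
        msg_id, idx, total = HDR.unpack_from(datagram)
        body = datagram[HDR.size:]
        if total == 1:  # whole PKIMessage in one datagram: nothing to buffer
            self.completed[msg_id] = body
            return "complete"
        # A non-final fragment that leaves most of the datagram unused makes the server
        # hold state for very little data; treat it as a buffering DoS attempt and drop it.
        if idx != total - 1 and len(body) < self.min_partial:
            self.rejected += 1
            return "rejected-small-fragment"
        if self.buffered() + len(body) > self.budget:  # cap memory spent on partial messages
            self.rejected += 1
            return "rejected-over-budget"
        r = self.pending.setdefault(msg_id, Reassembly(total))
        r.parts[idx] = body
        if len(r.parts) == r.total:
            self.completed[msg_id] = b"".join(r.parts[i] for i in range(r.total))
            del self.pending[msg_id]
            return "complete"
        return "buffered"


def simulate() -> dict[str, object]:
    """Well-behaved client vs. a tiny-fragment client vs. a flood of half-sent messages."""
    msg = b"\x30\x82" + b"\xaa" * 2998  # constructed stand-in for a 3000-byte DER PKIMessage

    good = Server()
    good_results = [good.receive(d) for d in fragment(msg, msg_id=1)]

    tiny = Server()
    tiny_results = [tiny.receive(d) for d in fragment(msg, msg_id=2, datagram_size=40)]

    flood = Server()  # 20 distinct messages, each sending only its first full-size fragment
    flood_results = [flood.receive(fragment(msg, msg_id=m)[0]) for m in range(10, 30)]

    return {
        "good": good_results,
        "good_ok": good.completed.get(1) == msg,
        "tiny_first": tiny_results[0],
        "tiny_completed": len(tiny.completed),
        "flood_buffered": flood_results.count("buffered"),
        "flood_over_budget": flood_results.count("rejected-over-budget"),
        "flood_bytes": flood.buffered(),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The well-behaved client delivers the 3000-byte message in three full datagrams and the server buffers at most two of them; the client that sends 32-byte fragments has every non-final fragment dropped before any state is allocated for it; and the flood of half-sent messages is capped at the server's budget instead of growing without bound. The policy thresholds are the tuning knobs a real implementation would have to pick for its own datagram size.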