On 19/03/15 23:43, Zhiwei Yan wrote:
> Hi, all, I think it's better that this draft contains some solution
> about the client authentication to decrease/avoid the DoS attack. But
> it's really not the focus of this draft. In order to solve this
> problem, many other schemes can be used, such as DHCP, SAVI and DANE.
> Anyway, this draft can make use of them to authenticate the client.

I, and probably others, would fairly strongly object if the work
of this group that is intended to enhance privacy required all
clients to be authenticated, and hence identified, and thus give
up privacy.

There may be a place for authenticated clients in this space (e.g.
perhaps within an Enterprise n/w) but that had better not be the
main mitigation for potential DoS attacks.

S.


> 
> Best Regards, Zhiwei Yan
> 
>> On 20 March 2015, at 12:02 AM, Paul Wouters <p...@nohats.ca> wrote:
>> 
>>> On Thu, 19 Mar 2015, W.C.A. Wijngaards wrote:
>>> 
>>> Could perhaps a different algorithm, like ED25519, provide
>>> better performance, and would that performance then be adequate?
>> 
>> Different algorithms differ in performance how much? A factor 2?
>> Maybe 10? Compared to a botnet, I don't think that it is very
>> relevant at all.
>> 
>>> The draft allows negotiation of a symmetric key so normally a lot
>>> of asymmetric operations can be avoided by the use of a cache.
>>> 
>>> For a cookie mechanism, there is the cookie draft from Eastlake
>>> and Andrews.
>> 
>> Demanding source ip verification before allowing crypto seems a
>> very good idea with no real impact other than rejecting spoofed IPs
>> or old clients - and old clients won't support crypto anyway.
>> 
>> Paul

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
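
The source-IP check discussed in the quoted text above, sketched as an added example (not part of the thread, and not the cookie format of the Eastlake and Andrews draft): a stateless HMAC cookie that the server verifies before doing any asymmetric work, without identifying the client beyond its source address. The secret, lifetime, tag length and function names are assumptions, and the addresses are constructed documentation-range samples.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Assumed parameters for this sketch (not taken from any draft).
SERVER_SECRET = b"constructed-demo-secret"  # would be random and rotated
COOKIE_LIFETIME = 300   # seconds a cookie stays valid
MAC_LEN = 16            # truncated HMAC-SHA256 tag length in bytes


def _tag(client_ip: str, issued: int, secret: bytes) -> bytes:
    # Bind the tag to the claimed source address and the issue time.
    msg = client_ip.encode() + b"|" + struct.pack("!Q", issued)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:MAC_LEN]


def issue_cookie(client_ip: str, now: int,
                 secret: bytes = SERVER_SECRET) -> bytes:
    """Cheap first reply: 8-byte timestamp plus a MAC over (IP, timestamp)."""
    return struct.pack("!Q", now) + _tag(client_ip, now, secret)


def verify_cookie(cookie: bytes, client_ip: str, now: int,
                  secret: bytes = SERVER_SECRET) -> bool:
    """True only if the cookie was issued to this source IP and is fresh."""
    if len(cookie) != 8 + MAC_LEN:
        return False
    (issued,) = struct.unpack("!Q", cookie[:8])
    if issued > now or now - issued > COOKIE_LIFETIME:
        return False
    return hmac.compare_digest(cookie[8:], _tag(client_ip, issued, secret))


def handle_query(src_ip: str, cookie: Optional[bytes], now: int) -> str:
    """Gate the expensive asymmetric operation behind the cookie check."""
    if cookie is None or not verify_cookie(cookie, src_ip, now):
        # Costs one HMAC and no per-client state. A spoofed source never
        # receives this reply, so it cannot echo a valid cookie back.
        return "SEND_COOKIE"
    return "DO_KEY_EXCHANGE"  # placeholder for the key negotiation step
```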
