On Aug 4, 2015, at 3:01 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:

> +1 to Donald's response, and -1 to Ted Lemon calling cookies a "kludge".
Sigh. The actual proposal, particularly the key rollover bit, is quite elegant, if a bit underspecified, so you're right to call me out for this choice of terminology. I called it a kludge because it is an attempt to use something that makes sense in one context in a different context where it won't work very well. It makes sense with IKE because you are preventing key spamming attacks from consuming massive amounts of CPU. It wouldn't make sense to use in combination with TSIG because TSIG doesn't use public keys.

In the particular use case that has been proposed, it is pure speculation that it would actually deliver any benefit at all, but it's pretty easy to enumerate the costs: twice as many packets sent to clients that don't implement it, which will be most clients, and a number approaching, in the limit, twice as many packets for clients that _do_ support it, depending on how many of them are repeat customers.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop