> On 4 Mar 2016, at 5:29 PM, Paul Wouters <p...@nohats.ca> wrote:
> 
>> On Tue, Mar 1, 2016 at 9:03 PM, Waltermire, David A. (Fed) 
>> <david.walterm...@nist.gov> wrote:
>> All:
>> 
>> With the draft-ietf-ipsecme-ddos-protection-04 freshly minted, I
>> believe the draft is shaping up nicely, but needs additional review.
>> To that end, this message starts a Working Group Last Call (WGLC) for
>> draft-ietf-ipsecme-ddos-protection-04.
>> 
>> The version to be reviewed is
>> https://tools.ietf.org/id/draft-ietf-ipsecme-ddos-protection-04.txt.
>> 
>> Please send your comments, questions, and edit proposals to the WG mail
>> list until March 18, 2015.  If you believe that the document is ready to
>> be submitted to the IESG for consideration as a Standards Track RFC
>> please send a short message stating this.
> 
> I think the document is well written with respect to DDOS. I like
> everything except the puzzles. It seems a lot of complexity for
> no gain, especially with the problem being that botnets are better
> at puzzle solving than mobile phones that want to not drain their
> batteries.

I wish we had better numbers on the actual power of mobile phones. It’s all a 
question of how many times they can perform PRF-HMAC-SHA256 per second. Tommy?

Regardless, FWIW I (with implementer hat on) would implement DDoS puzzles. As 
the draft suggests, they would be used selectively and only as a last resort. I 
also think that if we had IPsec everywhere as Paul would like, DDoS attacks on 
IKE responders (which is basically all of the Internet) would become much more 
attractive. As it is, with IPsec-based remote access the VPN gateway is an 
attractive target, so we should have more aggressive methods in our arsenal.

Yoav
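The cost trade-off behind both messages above (a puzzle costs the solver about 2^n PRF evaluations but the responder only one, so whoever has more PRF-HMAC-SHA256 throughput is hurt least) can be made concrete with a small benchmark. The following is an added example, not code from the thread or from the draft: it models a simplified hash puzzle ("find a key K such that HMAC-SHA256(K, cookie) ends in n zero bits"), which is an assumption for illustration and not the draft's wire format or exact puzzle definition. It measures the local machine's HMAC-SHA256 rate and reports the expected solve time per difficulty level, which is the number Yoav asks for when assessing phones versus larger solvers.

```python
"""Cost model for an IKE-style hash puzzle (constructed example).

Assumed puzzle, not the draft's exact definition: the initiator must
find a key K such that HMAC-SHA256(K, cookie) has at least `bits`
trailing zero bits.  Expected solver work is 2**bits HMAC evaluations;
the responder verifies with a single HMAC whatever the difficulty.
"""
import hashlib
import hmac
import time


def trailing_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the low end of a digest (all bits if zero)."""
    x = int.from_bytes(digest, "big")
    if x == 0:
        return len(digest) * 8
    return (x & -x).bit_length() - 1


def check_solution(cookie: bytes, key: bytes, bits: int) -> bool:
    """Responder-side check: exactly one HMAC, independent of difficulty."""
    mac = hmac.new(key, cookie, hashlib.sha256).digest()
    return trailing_zero_bits(mac) >= bits


def solve_puzzle(cookie: bytes, bits: int, max_tries: int = 1 << 24):
    """Initiator-side search. Returns (key, tries) or None if it gives up.

    Keys are a counter encoded as 8 bytes, so the search is deterministic
    and reproducible for a given cookie (a real client would use randomness).
    """
    for i in range(max_tries):
        key = i.to_bytes(8, "big")
        if check_solution(cookie, key, bits):
            return key, i + 1
    return None


def hmac_sha256_rate(seconds: float = 0.2) -> float:
    """Measure this machine's HMAC-SHA256 evaluations per second."""
    cookie = b"constructed-cookie"  # constructed sample value
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        for i in range(1000):
            hmac.new(i.to_bytes(8, "big"), cookie, hashlib.sha256).digest()
        n += 1000
    return n / (time.perf_counter() - start)


def expected_work(bits: int) -> int:
    """Expected number of HMAC evaluations to solve a `bits`-bit puzzle."""
    return 1 << bits


def expected_seconds(bits: int, rate: float) -> float:
    """Expected solve time for a device doing `rate` HMACs per second."""
    return expected_work(bits) / rate


if __name__ == "__main__":
    rate = hmac_sha256_rate()
    print(f"local HMAC-SHA256 rate: {rate:,.0f} per second")
    for bits in (12, 16, 20, 24):
        print(f"  difficulty {bits:2d}: ~{expected_work(bits):>9,} HMACs, "
              f"~{expected_seconds(bits, rate):8.2f} s on this machine")
    # A solver with k times the throughput finishes in 1/k of the time;
    # the responder's verification cost stays at one HMAC.
    cookie = b"constructed-cookie"
    key, tries = solve_puzzle(cookie, 12)
    print(f"solved 12-bit puzzle after {tries} tries; "
          f"valid={check_solution(cookie, key, 12)}")
```

Run it on a phone-class device and on a server to compare rates: the ratio of the two rates is the ratio of solve times at any difficulty, which is the asymmetry Paul is pointing at, while the difficulty knob is what lets a responder keep the puzzle a last resort rather than a permanent tax.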

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec