On Thu, 24 Sep 2020, Valery Smyslov wrote:
>> We have a server that is under a serious DDoS attack. It is sending back
>> COOKIES and soon might have too many half-open SAs to even accept any
>> new connections with COOKIES.
>
> I fail to understand why the server might have too many half-open SAs
> with the proposed extension. Note that it remains stateless until
> the client returns the COOKIE, exactly as it happens now.

That's true. I was assuming a bunch of these would be advanced enough
to receive packets back too, but then fail authentication. So they
would linger as half-open for a while. If it was just an attack of
spoofed packets, then you would be correct.

> The problem is not the delay. The problem is that sometimes
> it caused failed authentication, which definitely must not
> happen as a result of a bad network. If the client's exchange
> fails due to a timeout, it's clear for him/her that
> this is a transient error and an attempt should be retried.
> If it receives an AUTHENTICATION_FAILED response,
> it might suspect that something is wrong with his/her credentials
> and probably won't retry until figuring this out.
> Even if this happens rarely, it means that the protocol is flawed.

That is a fair point.
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
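The thread turns on the stateless COOKIE mechanism of IKEv2: a responder under load answers IKE_SA_INIT with a COOKIE notification and keeps no half-open SA until the initiator returns that cookie. The simulation below is an added illustration, not code from the list thread or from any IKE implementation. It follows the cookie construction of RFC 7296 section 2.6 (a version id followed by a keyed hash over Ni, IPi and SPIi with a responder secret) and shows why spoofed senders, which never see the reply, cannot fill the half-open table, while a real initiator pays one extra round trip. The request class, the tiny half-open threshold, the secret-rotation policy and the addresses are all constructed for the example.

```python
"""Stateless IKE_SA_INIT cookie handling in the style of RFC 7296 section 2.6.

Added illustration only; message and responder classes are constructed here.
Cookie layout follows the RFC: <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IkeSaInitRequest:
    """Minimal stand-in for an IKE_SA_INIT request (constructed for the example)."""
    spi_i: bytes
    nonce_i: bytes
    src_ip: str
    cookie: Optional[bytes] = None


class Responder:
    """IKE responder that creates no half-open state until a valid COOKIE comes back."""

    HALF_OPEN_THRESHOLD = 3   # toy limit; a real responder would use a much larger number
    SECRETS_KEPT = 2          # cookies made under the current or previous secret are accepted

    def __init__(self) -> None:
        self.version = 0
        self.secrets = {0: secrets.token_bytes(32)}
        self.half_open: dict = {}   # SPIi -> peer address, one entry per half-open SA

    def rotate_secret(self) -> None:
        """Start a new secret version; cookies issued under dropped versions expire."""
        self.version += 1
        self.secrets[self.version] = secrets.token_bytes(32)
        for old in sorted(self.secrets):
            if len(self.secrets) <= self.SECRETS_KEPT:
                break
            del self.secrets[old]

    def _make_cookie(self, version: int, req: IkeSaInitRequest) -> bytes:
        mac = hmac.new(self.secrets[version],
                       req.nonce_i + req.src_ip.encode() + req.spi_i,
                       hashlib.sha256).digest()
        return version.to_bytes(2, "big") + mac

    def under_load(self) -> bool:
        return len(self.half_open) >= self.HALF_OPEN_THRESHOLD

    def handle(self, req: IkeSaInitRequest) -> Tuple[str, Optional[bytes]]:
        """Return ("COOKIE", cookie) while stateless, or ("IKE_SA_INIT_RESPONSE", None)."""
        if self.under_load():
            if req.cookie is None:
                return "COOKIE", self._make_cookie(self.version, req)
            version = int.from_bytes(req.cookie[:2], "big")
            if (version not in self.secrets
                    or not hmac.compare_digest(req.cookie, self._make_cookie(version, req))):
                # stale or forged cookie: re-issue one, still without creating state
                return "COOKIE", self._make_cookie(self.version, req)
        self.half_open[req.spi_i] = req.src_ip   # state is created only here
        return "IKE_SA_INIT_RESPONSE", None


def simulate(spoofed_requests: int) -> dict:
    """Flood the responder with spoofed requests whose senders never see replies,
    then run one legitimate initiator through the exchange."""
    r = Responder()
    spoofed_accepted = 0
    for i in range(spoofed_requests):
        req = IkeSaInitRequest(spi_i=secrets.token_bytes(8), nonce_i=secrets.token_bytes(32),
                               src_ip=f"203.0.113.{i % 256}")   # constructed attacker addresses
        kind, _ = r.handle(req)
        if kind == "IKE_SA_INIT_RESPONSE":
            spoofed_accepted += 1
        # a spoofed source never receives the COOKIE, so it can never return it
    legit = IkeSaInitRequest(spi_i=secrets.token_bytes(8), nonce_i=secrets.token_bytes(32),
                             src_ip="198.51.100.7")            # constructed client address
    round_trips = 0
    while True:
        round_trips += 1
        kind, cookie = r.handle(legit)
        if kind == "IKE_SA_INIT_RESPONSE":
            break
        legit.cookie = cookie   # a real initiator retries the same request with the cookie
    return {"spoofed_accepted": spoofed_accepted,
            "half_open": len(r.half_open),
            "legit_round_trips": round_trips}


def stale_cookie_is_reissued() -> bool:
    """A cookie whose secret version has been rotated out is not accepted; a fresh one is issued."""
    r = Responder()
    for _ in range(Responder.HALF_OPEN_THRESHOLD):   # push the responder into cookie mode
        r.handle(IkeSaInitRequest(secrets.token_bytes(8), secrets.token_bytes(32), "192.0.2.1"))
    req = IkeSaInitRequest(secrets.token_bytes(8), secrets.token_bytes(32), "192.0.2.9")
    _, cookie = r.handle(req)
    r.rotate_secret()
    r.rotate_secret()          # two rotations: version 0 is no longer kept
    req.cookie = cookie
    kind, fresh = r.handle(req)
    return kind == "COOKIE" and fresh != cookie


if __name__ == "__main__":
    print(simulate(10))
    print("stale cookie re-issued:", stale_cookie_is_reissued())
```

With the toy threshold of 3, ten spoofed requests fill exactly three half-open slots before the responder switches to cookie mode; every later spoofed request costs only an HMAC and no memory, and the legitimate initiator still completes after two round trips. The secret-rotation check shows the other side of statelessness: the responder can forget a cookie simply by dropping the secret, so a slow retry gets a fresh cookie rather than an error.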