Hi Michael,

> >> I've implemented puzzles, but I'm not aware of any other implementation.
> >>
> >> What about cookies - in stress tests they are used very intensively.
> >> But I don't have any real life stats for them.
> >>
> >> Regards,
> >> Valery.
>
> I also implemented puzzles. So that makes two of us.
>
> Did you ever interop?

We didn't try, but I think we can do it eventually.

> What is your criteria for enabling them? Do you do this automatically, or is
> it an operator configuration to demand them?

I can only speak for my code. There is a configuration option that controls the use of puzzles. You have the following options:

- turn them off
- always use them in both IKE_SA_INIT and IKE_AUTH when cookie is requested (which happens if the number of half-open SAs exceeds some configurable threshold)
- always use them, but only in IKE_SA_INIT, when cookie is requested
- use them only when cookie is requested and some other conditions are met (e.g. you may set a higher threshold for puzzles than for cookies)

You can also set a difficulty of puzzles. It is statically configured.

From my experiments there is a really small interval of complexity when puzzles are useful (so that they do require noticeable efforts from initiators and still are solved within reasonable time, e.g. a few seconds). From my recollection it is between 16-18 bits of complexity.

Regards,
Valery.

> --
> Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
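
An added illustration, not code from either implementation mentioned in this thread, of why the useful difficulty range is so narrow: each extra bit doubles the initiator's expected work while the responder still verifies with one PRF call. It assumes a puzzle in which the initiator searches for a key whose PRF output over the cookie ends in the required number of zero bits, with HMAC-SHA-256 standing in for the negotiated PRF and one key per puzzle; the function names and the counter key space are hypothetical.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import time


def trailing_zero_bits(digest: bytes) -> int:
    """Count zero bits at the least-significant end of a digest."""
    value = int.from_bytes(digest, "big")
    if value == 0:
        return len(digest) * 8
    return (value & -value).bit_length() - 1


def verify(cookie: bytes, key: bytes, bits: int) -> bool:
    """Responder side: a single PRF call checks a claimed solution."""
    digest = hmac.new(key, cookie, hashlib.sha256).digest()
    return trailing_zero_bits(digest) >= bits


def solve(cookie: bytes, bits: int) -> tuple[bytes, int]:
    """Initiator side: brute-force a key; returns (key, PRF calls made)."""
    attempts = 0
    while True:
        key = attempts.to_bytes(8, "big")  # assumed key space: a simple counter
        attempts += 1
        if verify(cookie, key, bits):
            return key, attempts


def expected_attempts(bits: int) -> int:
    """Mean number of PRF calls needed at this difficulty (2**bits)."""
    return 1 << bits


if __name__ == "__main__":
    cookie = os.urandom(32)  # constructed stand-in for a responder cookie
    for bits in (12, 16, 18):
        start = time.perf_counter()
        key, attempts = solve(cookie, bits)
        elapsed = time.perf_counter() - start
        print(f"{bits} bits: expected {expected_attempts(bits)} PRF calls, "
              f"used {attempts} in {elapsed:.2f}s, ok={verify(cookie, key, bits)}")
```

The actual number of attempts varies widely around the mean from one cookie to the next, so timings on a given initiator are only indicative.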