Opened 8 years ago
Closed 7 years ago
#226 closed defect (wontfix)
Do we need puzzles at all?
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | ynir.ietf@… | Owned by: | draft-ietf-ipsecme-ddos-protection@… |
| Priority: | normal | Milestone: | |
| Component: | ddos-protection | Severity: | - |
| Keywords: | | Cc: | |
Description
Puzzles limit the rate at which one attacker can create half-open SAs.
Rate-limiting by source address / prefix can achieve the same thing.
So maybe we don't need puzzles.
Change History (3)
comment:1 Changed 8 years ago by ynir.ietf@…
comment:2 Changed 8 years ago by ynir.ietf@…
- Component changed from draft-ietf-ipsecme-ikev2bis to ddos-protection
- Owner changed from paul.hoffman@… to draft-ietf-ipsecme-ddos-protection@…
comment:3 Changed 7 years ago by ynir.ietf@…
- Resolution set to wontfix
- Status changed from new to closed
The WG is satisfied that puzzles *are* needed. We have text about using them as a last resort, but they can help stop attackers where more severe measures would block legitimate initiators as well.
Yoav Nir: rate-limiting by prefix has the potential to create a DoS issue rather than solve it if your limit is hard. What we really want is a soft limit, and then you need puzzles.
Also forgot to write: this was reported by Rene at the meeting and by Yaron on Jabber.