Opened 8 years ago

Closed 7 years ago

#226 closed defect (wontfix)

Do we need puzzles at all?

Reported by: ynir.ietf@… Owned by: draft-ietf-ipsecme-ddos-protection@…
Priority: normal Milestone:
Component: ddos-protection Severity: -
Keywords: Cc:

Description

Puzzles limit the rate at which one attacker can create half-open SAs.

Rate-limiting by source address / prefix can achieve the same thing.

So maybe we don't need puzzles.

Change History (3)

comment:1 Changed 8 years ago by ynir.ietf@…

Yoav Nir: rate-limiting by prefix has the potential to create a DoS issue rather than solve it if your limit is hard. What we really want is a soft limit, and then you need puzzles.

Also forgot to write: this was reported by Rene at the meeting and by Yaron on Jabber.
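To make the hard-limit versus soft-limit contrast above concrete, here is an added Python sketch (not code from the ticket or the draft): an attacker fills a /24 with half-open SAs, and a legitimate initiator in the same /24 is refused outright under a hard cap, but under a soft limit merely receives a puzzle whose difficulty tracks the prefix's load. The per-/24 counting, the difficulty schedule and the puzzle shape (HMAC over the responder's cookie with a required number of leading zero bits) are assumptions of this example, not the draft's exact scheme.

```python
import hashlib, hmac, os, ipaddress

PREFIX_LEN = 24       # assumption: half-open SAs are counted per IPv4 /24
HARD_LIMIT = 4        # hard cap on half-open SAs per prefix
SOFT_START = 2        # soft limit: puzzles begin once a prefix holds this many
MAX_DIFFICULTY = 12   # kept small so the demo solves quickly

def prefix_of(addr: str) -> str:
    return str(ipaddress.ip_network(f"{addr}/{PREFIX_LEN}", strict=False))

def hard_limit_decision(half_open: dict, addr: str) -> str:
    """Hard per-prefix cap: once the prefix is full, every new initiator is refused."""
    return "reject" if half_open.get(prefix_of(addr), 0) >= HARD_LIMIT else "accept"

def soft_limit_difficulty(half_open: dict, addr: str) -> int:
    """Soft limit: required puzzle work grows with the prefix's load, never a flat refusal."""
    load = half_open.get(prefix_of(addr), 0)
    return min(max(load - SOFT_START + 1, 0), MAX_DIFFICULTY)

def leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def solve_puzzle(cookie: bytes, difficulty: int) -> bytes:
    """Initiator side: brute-force a key whose HMAC over the cookie has enough leading zero bits.
    Expected cost is about 2**difficulty HMAC evaluations (assumed puzzle shape)."""
    counter = 0
    while True:
        key = counter.to_bytes(8, "big")
        if leading_zero_bits(hmac.new(key, cookie, hashlib.sha256).digest()) >= difficulty:
            return key
        counter += 1

def verify_puzzle(cookie: bytes, difficulty: int, key: bytes) -> bool:
    """Responder side: a single HMAC to check, however much work the initiator spent."""
    return leading_zero_bits(hmac.new(key, cookie, hashlib.sha256).digest()) >= difficulty

def demo():
    # constructed scenario: attacker already holds 5 half-open SAs in 192.0.2.0/24,
    # and a legitimate initiator happens to sit in the same /24
    half_open = {prefix_of("192.0.2.10"): 5}
    legit = "192.0.2.77"
    hard = hard_limit_decision(half_open, legit)      # hard cap: collateral refusal
    difficulty = soft_limit_difficulty(half_open, legit)
    cookie = os.urandom(16)                            # responder's stateless cookie
    key = solve_puzzle(cookie, difficulty)             # legitimate host pays the work
    return hard, difficulty, verify_puzzle(cookie, difficulty, key)
```

Running `demo()` returns `("reject", 4, True)`: the hard limit blocks the legitimate initiator along with the attacker, while the soft limit admits it after a 4-bit puzzle that costs the responder one HMAC to verify.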

comment:2 Changed 8 years ago by ynir.ietf@…

  • Component changed from draft-ietf-ipsecme-ikev2bis to ddos-protection
  • Owner changed from paul.hoffman@… to draft-ietf-ipsecme-ddos-protection@…

comment:3 Changed 7 years ago by ynir.ietf@…

  • Resolution set to wontfix
  • Status changed from new to closed

The WG is satisfied that puzzles *are* needed. We have text about using them as a last resort, but they can help stop attackers where more severe measures would block legitimate initiators as well.
