Opened 7 years ago

#230 new enhancement

Use puzzles for DoS protection within an IKE SA

Reported by: ynir.ietf@…
Owned by: draft-ietf-ipsecme-ddos-protection@…
Priority: normal
Milestone:
Component: ddos-protection
Severity: Active WG Document
Keywords:
Cc:


Earlier versions of the draft did not cover DoS by an authenticated client. With the approval of NULL-auth, the fact that a peer has a valid IKE SA is less of an indication that it is not an attacker.

At IETF 92 the question was asked if we wanted to use puzzles within encrypted IKE, so that a peer with an IKE SA is not able to needlessly rekey a child SA (with PFS), flood the responder with liveness checks, or do other kinds of nefarious IKE.
