On Tue, 30 Sep 2014, Tero Kivinen wrote:
> 5) Each connection is usually quite long lived, i.e. devices make one connection to the gateway, and keep that connection up all the time, or at least for a very long time.
Can I have a pony with that? :) My experience is seeing many many short-lived connections. Stupidly short, sucking the life out of the battery short.
> 6) Gateway can use IKEv2 redirect to distribute the attackers, i.e. it could even use some cloud service which provides first level protection.
Interesting, but very scary....
> Also the gateway can blacklist all failed attempts by clients, i.e. do not accept new connections from the same IP-address for some amount of seconds, or move them to end of queue.
That's too easy a DOS to abuse.
> So I think the solution is something we can get working, and it will be a combination of different protocols we already have, and some new protocols like the puzzle, and then it also includes a description of how to combine all of those.
Moar bells and whistles! :)

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec