Yoav Nir <ynir.i...@gmail.com> wrote:
>> Graham Bartlett (grbartle) <grbar...@cisco.com> wrote:
>>> Now the only issue I can see is alluded to in the draft, where a VPN
>>> headend is serving clients with varying resource. So say a botnet
>>> attacks this headend and the puzzle is enabled, you have some clients
>>> with a lot of resource (that require a hard puzzle) and some mobile
>>> devices with minimal (that require an easier puzzle). How do you
>>> identify each? The only way I can think is you must do this once the
>>> device has authenticated itself - else how do you know who they are?
>>
>> I have two observations here.
>>
>> The first is that while the botnet can pull in potentially hundreds of
>> teraflops of computation in order to solve a harder puzzle, it has
>> communication overhead in order to do that;
>>
>> The second observation is that the puzzle has to be trivially
>> parallelizable in order for the botnet (or even the multi-core mobile
>> phone!) to do better than a single CPU.
> I don’t think this is the best strategy for the botnet. Rather than
> pool all their resources to solve a single puzzle (bitcoin-style),
> wouldn’t it be better for each node to act like a legitimate client and
> solve its own puzzle in however long it takes?

I agree that this might be a better strategy for the botnet, and I think
that we can more easily defend against it. So the goal here is to make
sure that we select puzzles which drive the botnet towards this.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
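The puzzle property the thread is arguing about, shown in code as an added example (this is not the draft's puzzle encoding and not code from any of the posters; the cookie format, the trailing-zero-bits criterion, the 8-byte key and the sample secret, client address and nonce are all simplifying assumptions made here). The responder issues a stateless HMAC cookie plus a difficulty; the initiator scans keys until SHA-256(cookie || key) ends in `difficulty` zero bits; the responder verifies with one HMAC and one hash. Because each candidate key is tested independently, the search splits across workers with no coordination beyond handing out lanes: `solve_parallel` scans the same key space in interleaved lanes and needs about 1/k as many rounds per worker, which is exactly why such a puzzle is "trivially parallelizable" and why per-node puzzles, rather than one pooled puzzle, is the only way to make a botnet pay per bot.

```python
"""Hash-based client puzzle, added example (simplified; not the draft's format)."""
import hashlib
import hmac


def puzzle_cookie(secret: bytes, client_id: bytes, difficulty: int, nonce: bytes) -> bytes:
    # Responder side. Binding client_id and difficulty into the MAC keeps the
    # responder stateless under attack: everything it needs comes back with
    # the answer, and a client cannot lower its own difficulty.
    msg = client_id + difficulty.to_bytes(1, "big") + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


def trailing_zero_bits(digest: bytes) -> int:
    value = int.from_bytes(digest, "big")
    if value == 0:
        return len(digest) * 8
    return (value & -value).bit_length() - 1


def candidate_hash(cookie: bytes, key: int) -> bytes:
    return hashlib.sha256(cookie + key.to_bytes(8, "big")).digest()


def solves(cookie: bytes, difficulty: int, key: int) -> bool:
    return trailing_zero_bits(candidate_hash(cookie, key)) >= difficulty


def solve(cookie: bytes, difficulty: int, start: int = 0, step: int = 1) -> tuple:
    """Initiator side: scan keys start, start+step, ... Returns (key, attempts).
    Expected attempts are about 2**difficulty, one hash each."""
    key, attempts = start, 0
    while True:
        attempts += 1
        if solves(cookie, difficulty, key):
            return key, attempts
        key += step


def solve_parallel(cookie: bytes, difficulty: int, workers: int) -> tuple:
    """Emulate `workers` independent solvers, worker i scanning lane
    i, i+workers, i+2*workers, ... in lock-step rounds. Returns (key, rounds);
    wall-clock cost is `rounds` hashes per worker, i.e. the single-CPU cost
    divided by `workers`. Nothing is shared between workers except the lane
    number, which is the "trivially parallelizable" property."""
    rounds = 0
    while True:
        rounds += 1
        for i in range(workers):
            key = (rounds - 1) * workers + i
            if solves(cookie, difficulty, key):
                return key, rounds


def verify(secret: bytes, client_id: bytes, difficulty: int, nonce: bytes,
           cookie: bytes, key: int) -> bool:
    """Responder side: recompute the cookie (constant-time compare), then one hash.
    Verification cost does not depend on difficulty."""
    expected = puzzle_cookie(secret, client_id, difficulty, nonce)
    if not hmac.compare_digest(expected, cookie):
        return False
    return solves(cookie, difficulty, key)


def demo(difficulty: int = 12, workers: int = 8) -> dict:
    # Constructed sample values, not from any real deployment.
    secret = b"responder-cookie-secret-rotated-hourly"
    client = b"198.51.100.7:500"
    nonce = b"\x00" * 16
    cookie = puzzle_cookie(secret, client, difficulty, nonce)
    key, attempts = solve(cookie, difficulty)
    pkey, rounds = solve_parallel(cookie, difficulty, workers)
    return {
        "key": key,
        "same_key_found_in_parallel": key == pkey,
        "single_cpu_hashes": attempts,
        "per_worker_rounds": rounds,
        "verified": verify(secret, client, difficulty, nonce, cookie, key),
    }


if __name__ == "__main__":
    print(demo())
```

Raising `difficulty` by one doubles the initiator's expected hashes but leaves the responder's verification at one HMAC and one SHA-256, which is the asymmetry a puzzle needs; what it does not change is that `solve_parallel` still divides the wall-clock cost by the number of workers, so difficulty alone cannot distinguish a pooled botnet from a fast legitimate client.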
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec