I don't buy Yoav's argument but I also think puzzles should stay.
The reason is, puzzles work well in the case where a botnet is attacking multiple gateways concurrently. Each gateway can rate-limit the traffic directed to it, but unless we associate a significant cost with each message, the botnet is as effective against each of the gateways as it would be if it was only attacking a single gateway. With puzzles, the "good guys" are helping one another without needing to communicate between them.
Thanks,
    Yaron

On 11/26/2014 06:46 PM, Michael Richardson wrote:

Yoav Nir <ynir.i...@gmail.com> wrote:
    > I don’t like hard limits. Hard limits allow a very easy form of DoS. If
    > everyone in this hotel is behind a single NAT device, then it’s fairly
    > easy for me to create multiple half-open SAs from my room until I hit
    > the hard limit. After that, everyone will be effectively blocked from

Except now apply CGN in an IPv4-address-poor country, and it's not just the people in the hotel, it's potentially everyone in that area. Given 300-odd well distributed, compromised hosts, one could keep the half-SA table full for much of the developing world...

So I buy your argument.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
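The cost asymmetry Yaron describes, where each gateway independently charges the initiator for every message while the defenders never coordinate, is easiest to see with a small stateless hash-puzzle model. The following is an added illustration written for this thread; it is not code from the IPsec working group and does not follow the IKEv2 wire format or any specific puzzle proposal. The class and function names (PuzzleGateway, solve, simulate), the HMAC-derived challenge, and the "leading zero bits" difficulty measure are assumptions of this model. The gateway recomputes its challenge from a secret and the client identity, so it keeps no per-client state (the same idea as a stateless cookie) and spends one hash per verification, whereas the client must spend on the order of 2^difficulty hashes per message.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest; the puzzle's difficulty metric."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


class PuzzleGateway:
    """Hypothetical stateless puzzle issuer/verifier (model only, not IKEv2)."""

    def __init__(self, difficulty: int, secret: Optional[bytes] = None):
        self.difficulty = difficulty
        self.secret = secret or secrets.token_bytes(32)
        self.verify_hashes = 0  # work the gateway itself has spent

    def issue(self, client_id: bytes) -> bytes:
        # Challenge is a MAC over the client identity: nothing to store per client.
        return hmac.new(self.secret, b"puzzle|" + client_id, hashlib.sha256).digest()

    def verify(self, client_id: bytes, challenge: bytes, nonce: bytes) -> bool:
        # First confirm we issued this challenge (constant-time compare, no table lookup).
        if not hmac.compare_digest(challenge, self.issue(client_id)):
            return False
        # One hash is the gateway's entire per-message cost.
        self.verify_hashes += 1
        digest = hashlib.sha256(challenge + nonce).digest()
        return leading_zero_bits(digest) >= self.difficulty


def solve(challenge: bytes, difficulty: int) -> Tuple[bytes, int]:
    """Brute-force a nonce for the challenge. Returns (nonce, hashes_tried).

    Expected cost is about 2**difficulty hashes; there is no shortcut.
    """
    counter = 0
    while True:
        nonce = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= difficulty:
            return nonce, counter + 1
        counter += 1


def simulate(gateways: int, messages_per_gateway: int, difficulty: int,
             secret: Optional[bytes] = None) -> Tuple[int, int]:
    """Spread an initiator's messages over several independent gateways.

    Returns (attacker_hashes, defender_hashes). The gateways share nothing;
    each one charges the full puzzle cost, so the attacker's total work grows
    with the number of messages no matter how they are distributed.
    """
    attacker_hashes = 0
    defender_hashes = 0
    for g in range(gateways):
        gw = PuzzleGateway(difficulty, secret)
        for m in range(messages_per_gateway):
            # Constructed client identity standing in for a source address.
            client_id = b"bot-%d-%d" % (g, m)
            challenge = gw.issue(client_id)
            nonce, tried = solve(challenge, difficulty)
            attacker_hashes += tried
            assert gw.verify(client_id, challenge, nonce)
        defender_hashes += gw.verify_hashes
    return attacker_hashes, defender_hashes


if __name__ == "__main__":
    for k in (4, 8, 12):
        att, dfn = simulate(gateways=3, messages_per_gateway=4, difficulty=k)
        print(f"difficulty={k:2d}  attacker hashes={att:6d}  defender hashes={dfn}")
```

Raising the difficulty multiplies the initiator's cost while the defender's stays at one hash per accepted message, which is why the puzzle, unlike a per-gateway rate limit, still bites when the same botnet fans out across many gateways.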