I don't buy Yoav's argument but I also think puzzles should stay.

The reason is, puzzles work well in the case where a botnet is attacking multiple gateways concurrently. Each gateway can rate-limit the traffic directed to it, but unless we associate a significant cost with each message, the botnet is as effective against each of the gateways as it would be if it was only attacking a single gateway. With puzzles, the "good guys" are helping one another without needing to communicate between them.

Thanks,
        Yaron

On 11/26/2014 06:46 PM, Michael Richardson wrote:

Yoav Nir <ynir.i...@gmail.com> wrote:
     > I don’t like hard limits. Hard limits allow a very easy form of DoS. If
     > everyone in this hotel is behind a single NAT device, then it’s fairly
     > easy for me to create multiple half-open SAs from my room until I hit
     > the hard limit. After that, everyone will be effectively blocked from

Except now apply CGN in an IPv4-address-poor country, and it's not just the
people in the hotel, it's potentially everyone in that area.  Given 300-odd
well distributed, compromised hosts, one could keep the half-SA table full
for much of the developing world...

So I buy your argument.



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
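To make Yaron's point concrete, here is an added example (not code from this thread or from any IKEv2 implementation) that models the two mechanisms being compared. It assumes a simplified hash-based puzzle: the responder hands out a stateless cookie and a difficulty level, the initiator must find a value whose SHA-256 with the cookie ends in that many zero bits, and the responder verifies with a single hash. The botnet sizes, hash rates, half-open SA table size and timeout are constructed numbers chosen only to show the shape of the argument: without a per-message cost the attacker's reach is bounded by its packet rate and each gateway's own table fills independently; with a puzzle it is bounded by the attacker's total compute, which it must split across every gateway it attacks, so each gateway it adds dilutes the attack on the others with no coordination between them.

```python
import hashlib
import hmac
from fractions import Fraction

# Constructed responder secret for minting stateless cookies (assumption: any
# real IKEv2 cookie construction is out of scope; only statelessness matters here).
RESPONDER_SECRET = b"constructed-responder-secret-not-for-production"


def make_cookie(initiator_addr: str, spi_i: bytes, secret: bytes = RESPONDER_SECRET) -> bytes:
    """Stateless cookie: the responder keeps no per-initiator state until a solution arrives."""
    return hmac.new(secret, initiator_addr.encode() + spi_i, hashlib.sha256).digest()[:16]


def trailing_zero_bits(digest: bytes) -> int:
    """Number of trailing zero bits in a digest (the puzzle's difficulty measure)."""
    n = int.from_bytes(digest, "big")
    if n == 0:
        return len(digest) * 8
    return (n & -n).bit_length() - 1


def solve_puzzle(cookie: bytes, difficulty: int, max_tries: int = 1 << 24) -> int:
    """Initiator side: brute force; expected cost is about 2**difficulty hash operations."""
    for x in range(max_tries):
        d = hashlib.sha256(cookie + x.to_bytes(8, "big")).digest()
        if trailing_zero_bits(d) >= difficulty:
            return x
    raise RuntimeError("no solution within max_tries")


def verify_solution(cookie: bytes, difficulty: int, solution: int) -> bool:
    """Responder side: one hash, whatever the difficulty. Cheap to check, costly to produce."""
    d = hashlib.sha256(cookie + solution.to_bytes(8, "big")).digest()
    return trailing_zero_bits(d) >= difficulty


def mean_tries(difficulty: int, samples: int = 64) -> float:
    """Empirical average work per solution over constructed cookies (should sit near 2**difficulty)."""
    total = 0
    for i in range(samples):
        cookie = make_cookie("198.51.100.%d" % i, i.to_bytes(8, "big"))  # constructed addresses
        total += solve_puzzle(cookie, difficulty) + 1
    return total / samples


def attacker_accept_rate(hash_budget: int, difficulty: int) -> Fraction:
    """Puzzle-solved requests per second a botnet with hash_budget hashes/s can produce in total."""
    return Fraction(hash_budget, 2 ** difficulty)


def no_puzzle_accept_rate(packet_budget: int) -> Fraction:
    """Without a per-message cost, every packet the botnet can send becomes a half-open SA."""
    return Fraction(packet_budget)


def gateways_saturable(accept_rate: Fraction, table_size: int, timeout_s: int) -> int:
    """Gateways whose half-open SA tables (table_size entries, timeout_s expiry) can be kept
    full at once. Keeping one table full costs table_size / timeout_s fresh SAs per second,
    so the attacker's total accept rate is shared out among the gateways it targets."""
    per_gateway_need = Fraction(table_size, timeout_s)
    return int(accept_rate // per_gateway_need)


def demo() -> dict:
    # Constructed scenario: 300 bots (as in Michael's message), 1e6 SHA-256/s and
    # 1000 pkt/s each, gateways with 10,000 half-open slots expiring after 30 s.
    bots, hashes_per_bot, pkts_per_bot = 300, 1_000_000, 1_000
    table, timeout = 10_000, 30
    return {
        "no_puzzle": gateways_saturable(no_puzzle_accept_rate(bots * pkts_per_bot), table, timeout),
        "difficulty_12": gateways_saturable(attacker_accept_rate(bots * hashes_per_bot, 12), table, timeout),
        "difficulty_20": gateways_saturable(attacker_accept_rate(bots * hashes_per_bot, 20), table, timeout),
    }


if __name__ == "__main__":
    c = make_cookie("203.0.113.7", b"\x00" * 8)  # constructed initiator
    s = solve_puzzle(c, 8)
    print("solution", s, "verifies:", verify_solution(c, 8, s))
    print("mean tries at difficulty 8:", mean_tries(8))
    print(demo())
```

The interesting output is the last line: with the constructed numbers the same botnet can keep 900 gateways' tables full when messages are free, roughly 219 at difficulty 12, and none at difficulty 20. Difficulty is the dial a responder turns up only while its own table is under pressure, and every gateway doing so raises the attacker's cost for the others without any message passing between them.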