Hi Yoav,

Here are some words I penned regarding some ideas I had to complement your RFC.

cheers

RFC 5685 describes the use of IKEv2 redirect to send a client to another VPN gateway. For large-scale implementations this can be used to redirect a client to a geographically closer gateway, thereby grouping clients by location. E.g. a client in London will initially request a session to vpn.example.com; based on the client's source IP address it is redirected to the European VPN gateway (eu.vpn.example.com), which only serves clients from Europe and prevents any non-European IP addresses connecting.

Using this method, geographically grouped IP addresses can be assigned to gateways, therefore preventing attackers not in the geographic group from connecting. This obviously doesn't prevent attackers from spoofing an IP address which would be accepted by the gateway. By limiting clients by location, IP TTL security mechanisms can be employed to accept certain connections only from hosts a small number of hops away, therefore assisting to mitigate an attack from hosts distributed over the globe.

On 27/10/2014 21:48, "internet-dra...@ietf.org" <internet-dra...@ietf.org> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the IP Security Maintenance and Extensions
> Working Group of the IETF.
>
>         Title           : Protecting Internet Key Exchange (IKE) Implementations from Distributed Denial of Service Attacks
>         Author          : Yoav Nir
>         Filename        : draft-ietf-ipsecme-ddos-protection-00.txt
>         Pages           : 12
>         Date            : 2014-10-27
>
> Abstract:
>    This document recommends implementation and configuration best
>    practices for Internet-connected IPsec Responders, to allow them to
>    resist Denial of Service and Distributed Denial of Service attacks.
>    Additionally, the document introduces a new mechanism called "Client
>    Puzzles" that help accomplish this task.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ddos-protection/
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-ipsecme-ddos-protection-00
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
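An added example (not part of this message or of the draft) of the two policy points the message makes: a front-door decision that picks the RFC 5685 REDIRECT target from the initiator's source address, and a regional gateway's pre-IKE admission check that requires an in-region source and a GTSM-style (RFC 5082) hop budget. The prefixes, gateway names, initial-TTL convention and hop budget are constructed assumptions, not values from any real deployment.

```python
"""Redirect-by-region policy for an IKEv2 front door, plus the regional
gateway's admission filter.  Everything below is constructed sample
policy, not code from the draft or any product."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed regional table: region -> (served prefixes, REDIRECT target).
REGIONS = {
    "eu": (["192.0.2.0/24", "2001:db8:1::/48"], "eu.vpn.example.com"),
    "us": (["198.51.100.0/24", "2001:db8:2::/48"], "us.vpn.example.com"),
}

# GTSM convention (assumed here): cooperating initiators send with TTL /
# hop limit 255, so 255 - observed TTL is the number of hops traversed.
GTSM_INITIAL_TTL = 255
MAX_HOPS = 16  # assumed budget: in-region clients sit within this many hops


def region_of(src_ip: str) -> Optional[str]:
    """Return the region whose prefix list contains src_ip, else None."""
    addr = ipaddress.ip_address(src_ip)
    for region, (prefixes, _gateway) in REGIONS.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return region
    return None


def redirect_target(src_ip: str) -> Optional[str]:
    """Front door (vpn.example.com): gateway to name in the REDIRECT payload.
    None means no region matched; local policy decides serve-or-reject."""
    region = region_of(src_ip)
    return REGIONS[region][1] if region else None


@dataclass
class Decision:
    accept: bool
    reason: str


def gateway_admit(serving_region: str, src_ip: str, observed_ttl: int) -> Decision:
    """Regional gateway: cheap filters applied before any IKE_SA_INIT work.
    Source spoofing defeats the prefix check alone (as the message notes);
    the hop budget is what makes a distant spoofer's packets droppable."""
    if region_of(src_ip) != serving_region:
        return Decision(False, "source outside served region")
    if not 0 <= observed_ttl <= GTSM_INITIAL_TTL:
        return Decision(False, "invalid TTL value")
    hops = GTSM_INITIAL_TTL - observed_ttl
    if hops > MAX_HOPS:
        return Decision(False, f"too many hops ({hops}) for a regional client")
    return Decision(True, f"in-region source, {hops} hops")
```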