It is probably a bit simpler, but less efficient.
With this try-and-catch approach you would need to perform
hash (or PRF) computations several times before rejecting
invalid puzzles. I'm in favor of minimizing the waste of resources
in a solution whose primary goal is to defend against DoS attacks.
----- Original Message -----
From: "Yoav Nir" <ynir.i...@gmail.com>
To: "Valery Smyslov" <sva...@gmail.com>
Cc: "Graham Bartlett (grbartle)" <grbar...@cisco.com>; "ipsec"
<ipsec@ietf.org>
Sent: Wednesday, December 03, 2014 6:06 PM
Subject: Re: [IPsec] Some speculations about puzzles
I think it’s simpler to keep a short list (a queue actually, but usually
with no more than 2-5 entries) of <difficulty-level ; secret> pairs.
Generate a new pair every 10 seconds or whenever the difficulty level needs
to change. Remember all entries for the last 20 seconds. Calculate the
cookie as described in the RFC.
When receiving a cookie, you try to validate it using all the remembered
secret-difficulty pairs (I guess you check for sufficiently many zeros
before you check for the hash), and let them in if one such pair validated.
Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
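The queue-of-pairs scheme Yoav describes, as an added example that is not from the thread or from any IKEv2 implementation. The cookie construction (HMAC-SHA256 over the difficulty level, the initiator nonce and its source address) and the puzzle form (a solution is valid when SHA-256 over cookie and solution has at least `difficulty` leading zero bits) are simplifying assumptions, not the exact formulas of RFC 7296 or the puzzle draft. The `hash_ops` counter makes Valery's cost objection visible: a cookie that matches no remembered pair costs one HMAC per remembered pair before it is rejected.

```python
import hashlib
import hmac
import os
from collections import deque

ROTATE_SECONDS = 10      # generate a new <difficulty ; secret> pair at least every 10 s
REMEMBER_SECONDS = 20    # keep entries from the last 20 s


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


class PuzzleState:
    """Responder-side state: a short queue of (created_at, difficulty, secret)."""

    def __init__(self, difficulty: int, now: float):
        self.difficulty = difficulty
        self.entries = deque()   # newest entry last
        self.hash_ops = 0        # hash/PRF computations spent on verification
        self._rotate(now)

    def _rotate(self, now: float) -> None:
        self.entries.append((now, self.difficulty, os.urandom(32)))

    def set_difficulty(self, difficulty: int, now: float) -> None:
        # A difficulty change forces a new pair immediately.
        if difficulty != self.difficulty:
            self.difficulty = difficulty
            self._rotate(now)

    def tick(self, now: float) -> None:
        # Rotate every ROTATE_SECONDS; forget pairs older than REMEMBER_SECONDS.
        if now - self.entries[-1][0] >= ROTATE_SECONDS:
            self._rotate(now)
        while self.entries and now - self.entries[0][0] > REMEMBER_SECONDS:
            self.entries.popleft()

    def _cookie(self, secret: bytes, difficulty: int, nonce: bytes, src: bytes) -> bytes:
        # Assumed cookie formula (not the RFC's): HMAC over difficulty, nonce, source.
        self.hash_ops += 1
        return hmac.new(secret, bytes([difficulty]) + nonce + src, hashlib.sha256).digest()

    def issue(self, nonce: bytes, src: bytes):
        """Hand out the current difficulty and a cookie bound to the newest secret."""
        _, difficulty, secret = self.entries[-1]
        return difficulty, self._cookie(secret, difficulty, nonce, src)

    def verify(self, nonce: bytes, src: bytes, cookie: bytes, solution: bytes) -> bool:
        """Try every remembered pair, newest first; accept if one validates."""
        for _, difficulty, secret in reversed(self.entries):
            expected = self._cookie(secret, difficulty, nonce, src)
            if hmac.compare_digest(expected, cookie):
                return self._check_solution(cookie, solution, difficulty)
        return False

    def _check_solution(self, cookie: bytes, solution: bytes, difficulty: int) -> bool:
        self.hash_ops += 1
        digest = hashlib.sha256(cookie + solution).digest()
        return leading_zero_bits(digest) >= difficulty


def solve(cookie: bytes, difficulty: int) -> bytes:
    """Initiator side: brute-force a counter until the puzzle condition holds."""
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= difficulty:
            return solution
        counter += 1


if __name__ == "__main__":
    state = PuzzleState(difficulty=8, now=0)
    difficulty, cookie = state.issue(b"constructed-nonce", b"\x0a\x00\x00\x01")
    answer = solve(cookie, difficulty)
    print("valid:", state.verify(b"constructed-nonce", b"\x0a\x00\x00\x01", cookie, answer))
    state.tick(21)   # the issuing pair has aged out
    print("stale:", state.verify(b"constructed-nonce", b"\x0a\x00\x00\x01", cookie, answer))
    print("hash ops spent:", state.hash_ops)
```

Rejecting a stale or forged cookie costs one HMAC per remembered pair, so with the 2-5 entries Yoav mentions the responder does 2-5 PRF computations per bogus request before discarding it; that is the resource cost Valery's reply is weighing against the simplicity of the queue.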