Hi Valery,

Going back to your original message (I guess not everyone read it to the end :-)

I don't understand how puzzles for IKE_AUTH can be mandatory without breaking the protocol. The responder doesn't even know that the initiator supports puzzles. At the very least, we would need to add a "puzzles supported" notification.

And again for IKE_AUTH, I don't see why with fragmentation you need one puzzle solution per fragment. The major CPU cost (DH computation, certificate stuff and decryption) comes once, after the message is re-assembled. So it seems to me only one puzzle response is needed for the entire message.

Thanks,
        Yaron

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
