On Feb 8, 2015, at 1:20 PM, Yaron Sheffer <yaronf.i...@gmail.com> wrote:
I think we've come a full circle. We now have a proposal that makes 
proof-of-work more deterministic for each type of client (which I find very 
useful). But the weaker clients will always lose, no matter what POW solution 
we choose. This has been a problem with this proposal from day one and it's a 
limitation that we as a group need to decide whether to accept or not. In a 
world where some clients are 100X more powerful than others, IMHO this result 
is something we have to live with.

The only partial solution I see to this problem is to recommend using RFC 5723 
session resumption, so that clients who have recently connected can reconnect 
even in DoS situations.

Can a gateway sanely do session resumption when it is under DoS attack? That 
is, can the gateway safely allocate CPU resources to a purported session 
resumption?

--Paul Hoffman


Yes, of course. It just needs to verify the integrity (MAC) of the received ticket (as easy or easier than our proposed puzzle verification), and then the rest of the exchange is lighter-weight than a typical IKE exchange. See http://tools.ietf.org/html/rfc5723#section-4.3.2.

Thanks,
        Yaron
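As an added illustration of the point made in the reply above (example code written for this page, not code from the thread, from RFC 5723, or from any IKE implementation): a gateway can triage resumption attempts cheaply because the ticket is self-protecting. Before it allocates any per-session state or does any public-key work, it performs one HMAC computation and one constant-time comparison; forged, tampered, truncated or expired tickets are rejected at that cost. The ticket layout, the `KEY_ID` field, the gateway key and the SA state fields below are all constructed for the example. RFC 5723 leaves the ticket format up to the gateway, and a real ticket by value would also encrypt the state it carries, since that state includes SA keys.

```python
"""Cheap ticket verification for a gateway under load (illustrative).

The ticket format here is constructed for the example: header || body || MAC.
It is not RFC 5723's format, which is opaque to the client and gateway-defined.
"""
import hashlib
import hmac
import json
import struct
import time

# Constructed 32-byte gateway key; a real gateway keeps this secret and rotates it.
GATEWAY_KEY = bytes(range(32))
KEY_ID = 7               # assumed field: which gateway key protected the ticket
MAC_LEN = 32             # HMAC-SHA256 tag length
TICKET_LIFETIME = 3600   # seconds
HEADER_FMT = "!HIH"      # key id, expiry (unix seconds), body length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_ticket(state, key=GATEWAY_KEY, key_id=KEY_ID, now=None):
    """Serialize IKE SA state into a self-protected ticket.

    A real ticket would encrypt `body` as well; only integrity is shown here.
    """
    now = int(time.time()) if now is None else now
    body = json.dumps(state, sort_keys=True).encode()
    header = struct.pack(HEADER_FMT, key_id, now + TICKET_LIFETIME, len(body))
    return header + body + _mac(key, header + body)


def verify_ticket(ticket, key=GATEWAY_KEY, key_id=KEY_ID, now=None):
    """Return the stored state if the ticket is genuine and unexpired, else None.

    Work done before the accept/reject decision: one length check, one HMAC,
    one constant-time compare. Nothing is parsed or allocated until the MAC
    has been checked, so a flood of bogus tickets costs the gateway one HMAC each.
    """
    now = int(time.time()) if now is None else now
    if len(ticket) < HEADER_LEN + MAC_LEN:
        return None                       # too short to be a ticket at all
    protected, tag = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    if not hmac.compare_digest(_mac(key, protected), tag):
        return None                       # forged or tampered: rejected after one HMAC
    kid, expiry, body_len = struct.unpack(HEADER_FMT, protected[:HEADER_LEN])
    if kid != key_id or expiry < now or len(protected) != HEADER_LEN + body_len:
        return None                       # wrong key generation, expired, or malformed
    return json.loads(protected[HEADER_LEN:])


def triage(tickets, now=None, key=GATEWAY_KEY):
    """Triage a batch of resumption attempts as a loaded gateway would.

    Returns (accepted_states, rejected_count). Only accepted tickets would go on
    to the (lighter-weight) resumption exchange; everything else is dropped.
    """
    accepted, rejected = [], 0
    for ticket in tickets:
        state = verify_ticket(ticket, key=key, now=now)
        if state is None:
            rejected += 1
        else:
            accepted.append(state)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed SA state; a real ticket would hold the full IKE SA per RFC 5723.
    sa = {"spi_i": "0102030405060708", "spi_r": "090a0b0c0d0e0f10", "sk_d": "00" * 32}
    genuine = issue_ticket(sa, now=1000)
    bogus = [b"\x00" * len(genuine)] * 3   # flood of forged tickets
    states, dropped = triage([genuine] + bogus, now=1500)
    print(f"accepted={len(states)} dropped={dropped}")
```

The expensive part of normal IKE (the Diffie-Hellman exchange and authentication) is never reached for a rejected ticket, which is what makes resumption usable while the gateway is being flooded. Anti-replay of accepted tickets, which RFC 5723 also requires the gateway to handle, is a separate concern not shown here.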

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec