Yoav Nir writes:
> [with vendor hat on]
>
> Some of the IPsec gateways are not big devices with powerful CPUs.
> There are VPN gateways that double as home routers and Firewalls/VPN
> gateways specifically made for branch offices (think of the sales
> office from Glengarry Glen Ross with 3 employees, some of whom are
> always out). These gateways are made with general-purpose CPUs too
> weak to put in anything but the lowest of low-end phones, plus they
> come with a single core. Their ability to solve cryptographic
> puzzles is even lower than that of phones.
>
> [hat off]
>
> So if a flood of IKE requests can make the center gateway
> effectively lock out all the branch offices, then we are only
> helping to make this DDoS attack successful.

Those offices should use a bit of money and get a static IP address, so
they can be configured to the VPN gateway so that for those IP addresses
we just do cookie exchange while under attack, but do not require
puzzles...
-- 
kivi...@iki.fi