Hi Paul,

thank you for your comments.

I think the document is well written with respect to DDOS. I like
everything except the puzzles. It seems a lot of complexity for
no gain, especially with the problem being that botnets are better
at puzzle solving than mobile phones that want to not drain their
batteries. I would prefer this document to proceed without the
puzzles, but I won't object to it if it remains in the document.
As an implementor, it would be extremely unlikely that I would
implement puzzles.

I agree that puzzles are a controversial thing. However, currently we have no
better idea of how to at least try to defend against powerful botnets. If you can
come up with such an idea, you are very welcome.

(W.Churchill said that democracy is the worst form of government,
except all those others that have been tried. [1]
I think that's a good analogy for puzzles.)

And note that the way puzzles are used in the draft makes every
attempt not to discriminate against those initiators that don't support puzzles
or cannot afford enough power to solve them. In other words, the
puzzles mechanism in the draft is not an absolute barrier for
unsupported clients; it is just a first-class ticket for those who support and
can afford them.

Recently, I also thought about amplification attacks, which are not
covered by the document. For instance, legitimate clients could pad
their IKE_INIT Request as a way to tell the responder they are not just
using the responder to amplify a DDOS attack. I am thinking of making
that the default for some Opportunistic IPsec so it cannot be abused for
amplification. I'd like to see that added to the draft if possible. Or
if this document would not proceed, I would be tempted to write a draft
for this idea.

Could you please elaborate on what scenario you have in mind?

Paul

Regards,
Valery.

[1] http://www.academia.edu/1877336/_It_has_been_said_that_democracy_is_the_worst_form_of_government_except_all_those_others_that_have_been_tried_Winston_Churchill
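The amplification concern raised in the thread (an unverified, possibly spoofed IKE_SA_INIT request drawing a much larger response), as an added example that is not code from the thread, the draft, or any IKEv2 implementation. All message sizes are constructed, and the responder policy (answer in full only when the request is at least as large as the response, or when a valid cookie proves the source is reachable) is an assumption made for illustration.

```python
# Constructed sizes for illustration only; not measured from any implementation.
IKE_HEADER_LEN = 28        # IKEv2 generic header
NOTIFY_HEADER_LEN = 8      # generic payload header (4) + notify fixed fields (4)
COOKIE_LEN = 32            # responder's stateless cookie
FULL_RESPONSE_LEN = 600    # assumed size of a complete IKE_SA_INIT response


def cookie_reply_len() -> int:
    """Size of the small 'come back with this cookie' reply."""
    return IKE_HEADER_LEN + NOTIFY_HEADER_LEN + COOKIE_LEN


def responder_policy(request_len: int, has_valid_cookie: bool) -> tuple[str, int]:
    """Decide what to send back to an IKE_SA_INIT request from an unverified source.

    Assumed policy: the full response only goes out when it cannot amplify
    traffic toward a spoofed address, i.e. when the request is at least as
    large as the response (the initiator padded it), or when the initiator has
    already proved it owns its address by returning a valid cookie. Unpadded
    clients are not rejected; they just pay one extra round trip.
    """
    if has_valid_cookie or request_len >= FULL_RESPONSE_LEN:
        return "full_response", FULL_RESPONSE_LEN
    return "cookie_request", cookie_reply_len()


def amplification_factor(request_len: int, reply_len: int) -> float:
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return reply_len / request_len


def compare(request_len: int) -> dict[str, float]:
    """Amplification a reflector would offer with and without the policy."""
    naive = amplification_factor(request_len, FULL_RESPONSE_LEN)
    _, reply_len = responder_policy(request_len, has_valid_cookie=False)
    guarded = amplification_factor(request_len, reply_len)
    return {"naive": naive, "guarded": guarded}


if __name__ == "__main__":
    # A small unpadded request amplifies 3x without the policy; with it the
    # reply is a short cookie request, and a padded request amplifies 1x at most.
    for size in (200, FULL_RESPONSE_LEN):
        print(size, compare(size))
```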

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
