I just completed a review of the DDoS draft. I fixed a number of grammar and 
wording issues. I would like to issue a pull request, but I don't have access 
to the site yet. I hope to get that resolved ASAP and then submit the pull 
request.

While I was reviewing the draft I noticed a couple of small things.

In section 6, the text reads:

When there is no general DDoS attack, it is suggested that no cookie or puzzles 
be used. At this point the only defensive measure is to monitor the number of 
half-open SAs, and setting a soft limit per peer IP or prefix. The soft limit 
can be set to 3-5, and the puzzle difficulty should be set to such a level 
(number of zero-bits) that all legitimate clients can handle it without 
degraded user experience.

This paragraph is confusing since the first sentence suggests that no puzzles 
are used and the last sentence suggests a puzzle difficulty value. Should the 
puzzle text be removed from the last sentence?

How about the following?

When there is no general DDoS attack, it is suggested that no cookie or puzzles 
be used. At this point the only defensive measure is to monitor the number of 
half-open SAs, and setting a soft limit per peer IP or prefix. The soft limit 
can be set to 3-5 to support DoS detection. If puzzles are used, the difficulty 
should be set to such a level (number of zero-bits) that all legitimate clients 
can handle it without degraded user experience.

Two paragraphs down the text reads:

When cookies are activated for all requests and the attacker is still managing 
to consume too many resources, the Responder MAY increase the difficulty of 
puzzles imposed on IKE_SA_INIT requests coming from suspicious nodes/prefixes. 
It should still be doable by all legitimate peers, but it can degrade 
experience, for example by taking up to 10 seconds to solve the puzzle.

This assumes that puzzles are already in use, which might not be the case based 
on the earlier paragraph. Perhaps the following text can be used instead:

When cookies are activated for all requests and the attacker is still managing 
to consume too many resources, the Responder MAY start to use puzzles for these 
requests or increase the difficulty of puzzles imposed on IKE_SA_INIT requests 
coming from suspicious nodes/prefixes. This should still be doable by all 
legitimate peers, but the use of puzzles at a higher difficulty may degrade the 
user experience, for example by taking up to 10 seconds to solve the puzzle.

Section 7.2.1 contains the sentence:

The Responder MUST NOT use puzzles in the IKE_AUTH exchange unless the puzzle 
has been previously presented and solved in the preceding IKE_SA_INIT 
exchange.

Should this state "unless the puzzle" or "unless a puzzle"? It seems like the 
latter is what was intended.

Thanks,
Dave


David Waltermire
Information Technology Laboratory | Computer Security Division
National Institute of Standards and Technology
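The escalation the quoted draft paragraphs describe (monitor half-open SAs against a per-peer soft limit, require cookies for all requests once a general attack is under way, then impose puzzles whose difficulty is a count of zero bits on suspicious prefixes), as an added Python sketch that is not part of this message or of the draft. The /24 grouping, the rule that a prefix at the soft limit is "suspicious", the concrete difficulty values and the SHA-256 puzzle form are assumptions made for the example.

```python
import hashlib
import ipaddress
from collections import Counter

# Assumptions (not from the quoted draft text): half-open SAs are counted per /24 prefix,
# a prefix at or above the soft limit is "suspicious", puzzle = simplified SHA-256 proof-of-work.
SOFT_LIMIT = 4          # inside the 3-5 range the quoted text suggests
BASE_DIFFICULTY = 8     # zero-bits every legitimate client should solve quickly
RAISED_DIFFICULTY = 12  # raised difficulty for suspicious prefixes only

def prefix_of(peer_ip: str) -> str:
    return str(ipaddress.ip_network(f"{peer_ip}/24", strict=False))

def leading_zero_bits(data: bytes) -> int:
    bits = 0
    for b in data:
        if b:
            return bits + 8 - b.bit_length()
        bits += 8
    return bits

def puzzle_solved(cookie: bytes, solution: bytes, difficulty: int) -> bool:
    # Responder-side check: SHA-256(cookie || solution) must start with `difficulty` zero bits.
    return leading_zero_bits(hashlib.sha256(cookie + solution).digest()) >= difficulty

def solve_puzzle(cookie: bytes, difficulty: int) -> bytes:
    # Initiator-side work: about 2**difficulty attempts, so difficulty bounds the client's cost.
    for n in range(1 << 24):
        solution = n.to_bytes(4, "big")
        if puzzle_solved(cookie, solution, difficulty):
            return solution
    raise RuntimeError("no solution within search bound")

class Responder:
    def __init__(self, soft_limit: int = SOFT_LIMIT):
        self.soft_limit = soft_limit
        self.half_open = Counter()     # prefix -> number of half-open SAs
        self.general_attack = False    # True once cookies are required for all requests
        self.still_overloaded = False  # cookies alone are not enough: escalate to puzzles

    def record_half_open(self, peer_ip: str) -> None:
        self.half_open[prefix_of(peer_ip)] += 1

    def policy_for(self, peer_ip: str) -> dict:
        suspicious = self.half_open[prefix_of(peer_ip)] >= self.soft_limit
        if not self.general_attack:
            # No general DDoS attack: no cookie or puzzle, only monitoring of the soft limit.
            return {"cookie": False, "puzzle_bits": 0, "suspicious": suspicious}
        if self.still_overloaded:
            # Cookies for all requests are not enough: puzzles, harder for suspicious prefixes.
            bits = RAISED_DIFFICULTY if suspicious else BASE_DIFFICULTY
            return {"cookie": True, "puzzle_bits": bits, "suspicious": suspicious}
        return {"cookie": True, "puzzle_bits": 0, "suspicious": suspicious}
```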


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec