Hi Dave,
thank you for your review.
I just completed a review of the DDoS draft. I fixed a number of grammar and wording issues. I would like to issue a
pull request, but I don't have access to the site yet. I hope to get that resolved ASAP and then submit the pull
request.
While I was reviewing the draft I noticed a couple of small things.
In section 6, the text reads:
When there is no general DDoS attack, it is suggested that no cookie or puzzles be used. At this point the only
defensive measure is to monitor the number of half-open SAs, and setting a soft limit per peer IP or prefix. The soft
limit can be set to 3-5, and the puzzle difficulty should be set to such a level (number of zero-bits) that all
legitimate clients can handle it without degraded user experience.
This paragraph is confusing since the first sentence suggests that no puzzles are used and the last sentence suggests
a puzzle difficult value. Should the puzzle text be removed from the last sentence?
How about the following?
When there is no general DDoS attack, it is suggested that no cookie or puzzles be used. At this point the only
defensive measure is to monitor the number of half-open SAs, and setting a soft limit per peer IP or prefix. The soft
limit can be set to 3-5 to support DoS detection. If puzzles are used, the difficulty should be set to such a level
(number of zero-bits) that all legitimate clients can handle it without degraded user experience.
I see your point. I'd rather make a minor change to your text:
When there is no general DDoS attack, it is suggested that no
cookie or puzzles be used. At this point the only defensive
measure is to monitor the number of half-open SAs, and setting a
soft limit per peer IP or prefix. The soft limit can be set to
3-5. If the puzzles are used, the puzzle difficulty should be set to
such a level
(number of zero-bits) that all legitimate clients can handle it
without degraded user experience.
(since Soft Limit is not intended to detect DoS attack).
Two paragraphs down the text reads:
When cookies are activated for all requests and the attacker is still managing to consume too many resources, the
Responder MAY increase the difficulty of puzzles imposed on IKE_SA_INIT requests coming from suspicious
nodes/prefixes. It should still be doable by all legitimate peers, but it can degrade experience, for example by
taking up to 10 seconds to solve the puzzle.
This assumes that puzzles are already in use, which might not be the case based on the earlier paragraph. Perhaps the
following text can be used instead:
When cookies are activated for all requests and the attacker is still managing to consume too many resources, the
Responder MAY start to use puzzles for these requests or increase the difficulty of puzzles imposed on IKE_SA_INIT
requests coming from suspicious nodes/prefixes. This should still be doable by all legitimate peers, but the use of
puzzles at a higher difficulty may degrade the user experience, for example by taking up to 10 seconds to solve the
puzzle.
Works for me.
Section 7.2.1 contains the sentence:
The Responder MUST NOT use puzzles in the IKE_AUTH exchange unless the puzzle has been previously presented and solved
in the preceding IKE_SA_INIT exchange."?
Should this state "unless the puzzle" or "unless a puzzle"? It seems like the
latter is what was intended.
Sure, the latter was an intended meaning. Thank you.
Regards,
Valery.
Thanks,
Dave
David Waltermire
Information Technology Laboratory | Computer Security Division
National Institute of Standards and Technology
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
