Re: [IPsec] Status of draft-ietf-ipsecme-ddos-protection

Yoav Nir <ynir.ietf@gmail.com> Thu, 26 May 2016 14:26 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <860C938B60E24C76A1749A1563D53A55@buildpc>
Date: Thu, 26 May 2016 17:25:53 +0300
Message-Id: <66526EB9-FFF0-4D99-B960-15990AF6F161@gmail.com>
References: <860C938B60E24C76A1749A1563D53A55@buildpc>
To: Valery Smyslov <svanru@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/VpWVa2KB-Z5irdWjGMVpMUOJYSI>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Status of draft-ietf-ipsecme-ddos-protection

Hi,

On 26 May 2016, at 4:12 PM, Valery Smyslov <svanru@gmail.com> wrote:

> Hi,
> 
> in Buenos-Aires a proposal was expressed to split the DDoS protection draft into two. One of them would
> describe possible kinds of (D)DoS attacks and would suggest some countermeasures to thwart them without
> introducing anything new into the IKEv2 protocol.
> The other document (with Experimental status) would describe the puzzles and would define a new IKEv2 extension defending against (D)DoS attacks using puzzles.
> 
> The main motivation for such a proposal was a concern
> that the puzzle mechanism would not be as effective as it was initially intended to be, and might even make things worse for "small" devices.
> On the other hand, if we go this way and give the puzzles stuff an Experimental status, then probably very few vendors (if any) will implement it and the real problem of defending against
> (D)DoS attacks will remain unaddressed.
> 
> So, what do folks think about this proposal?
> 
> Regards,
> Valery & Yoav.

One more data point. My employer has implemented puzzles in older versions of our remote access client and gateway. It worked fine, but we don’t have any numbers on whether it actually stopped DoS attacks. We ended up abandoning it for IPR reasons, which is why this draft uses an entirely different kind of puzzle.

Regards,

Yoav