Re: [IPsec] Cost-efficient quantum-resistant DoS protection
Valery Smyslov <smyslov.ietf@gmail.com> Fri, 12 November 2021 06:56 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E67B3A12E2 for <ipsec@ietfa.amsl.com>; Thu, 11 Nov 2021 22:56:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AyC5RRLpJLmj for <ipsec@ietfa.amsl.com>; Thu, 11 Nov 2021 22:56:42 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D9C43A12DE for <ipsec@ietf.org>; Thu, 11 Nov 2021 22:56:42 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id e9so16707210ljl.5 for <ipsec@ietf.org>; Thu, 11 Nov 2021 22:56:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:content-language:thread-index; bh=kWOGsyTZwYxDrP+AvcOPm+71ZB0PInYGYfnwEZJxZxs=; b=HHb2C1NJCqXXkyER5rrQ48IE8GwakRY9RtZTerTD1pt905ptisG44PcIOyKH8pHt1h WjYK/ze8HQtsPtosIVjhOHdMToi9Q5r2/I8xcTvqMdcW7yzFZlsk1Sen/BmXz3+3oRxN jJi9sRffBEAARHfKBDg5d4kWTUv7Wc1ow97skKu2Spb7DqX329XKDnV7hUI6uIgsIMBw f0NA1Ern6oipRiDQ9i8qYA1OxLqxtJ6JICw2cgHqELBx0G0nk6gPvj1Z7rI6eVni4EIP 7Z5TAsMMt/q+0GRITo5DTxx6innk032geRLTLqJBqcIJkzZPnjgxow6xrENnc2QIl7hZ 1v9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:content-language :thread-index; bh=kWOGsyTZwYxDrP+AvcOPm+71ZB0PInYGYfnwEZJxZxs=; b=si8VhaEBb00jrzowgjFaSApa9zyl/fpTb4sMG0iTI9zokvlaydEmk7ktliWIAejLF+ 9Yz9IdVEmn10eVztMH+KSeeXX+E9jVed5N7ZJbHgLzF9Tesao7CVvAi7ZXsu36D2QTWE Rk7gngPNjwZAroxD6YxeK2bhYXNXP1emTIS+Hz+0gDzfV/QUH8pu8J36uOIb7DiJiJVr yxvhaGLRtMcna1SYjyvGG71ZOSzT+ivO8r++433E9QANrfMNmxFHBeimXIqVNB/SfD9/ QWCYiOouEJN9XWw8aQ/ZcYiMCuAbRisSfnb6f2g++SSamWYTG7sz16yyBkA9WuEZxC1U Rp7A==
X-Gm-Message-State: AOAM530+8gB0RP+m46TsolGUqAU8A4H1DRPBpQou96GXX/Yr5Ia9eYLb yKSxozxPtD0OhoTsKFyqP8gBekXpoEM=
X-Google-Smtp-Source: ABdhPJyMRSBLcRdOaq2UIowszQWlFwn1yQVwg3sscMdOuJuxCseHteMB4tFn9y0dMa14JeMM0J4/Ng==
X-Received: by 2002:a05:651c:b0e:: with SMTP id b14mr13600924ljr.38.1636700198341; Thu, 11 Nov 2021 22:56:38 -0800 (PST)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id y15sm491889ljy.10.2021.11.11.22.56.37 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Nov 2021 22:56:37 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'Yoav Nir' <ynir.ietf@gmail.com>, ipsec@ietf.org
References: <935923623769463b80caf7b64bfe430a@genua.de> <07a701d7c500$5c3fdcc0$14bf9640$@gmail.com> <994547d5af7a47b2b4819136af4b29fd@EX13D01ANC003.ant.amazon.com> <CANs=h-XU98=XVZ-1YNsp3_W1_Y3p5UgHnOgH-DPXgAQP7GuBmw@mail.gmail.com> <4d3d0181b23048bb9b57f1c97672c1ea@genua.de> <24956.19843.441109.862288@fireball.acr.fi> <27139.1635707097@localhost> <06fe01d7cf10$b966d6f0$2c3484d0$@gmail.com> <969A6112-B9E4-4D29-9077-094E56AEBD1D@gmail.com> <17699.1636555288@localhost>
In-Reply-To: <17699.1636555288@localhost>
Date: Fri, 12 Nov 2021 09:56:40 +0300
Message-ID: <11a401d7d792$7265a4e0$5730eea0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQLlmXEscoeqGnTi+siCjM6VrsV64gGhG0EwAmmdx6wCK2jCQAElDJVwAqR2/6YCW4EM6QIKi5UXAfMfMIcC8l7Il6lJkOJQ
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/YMDC7pUX-mzFdWTV2UF_nRzL1mQ>
Subject: Re: [IPsec] Cost-efficient quantum-resistant DoS protection
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 06:56:48 -0000
Hi Michael, > >> I've implemented puzzles, but I'm not aware of any other implementation. > >> > >> What about cookies - in stress tests they are used very intensively. > >> But I don't have any real life stats for them. > >> > >> Regards, > >> Valery. > > > I also implemented puzzles. So that makes two of us. > > Did you ever interop? We didn't try, but I think we can do it eventually. > What is your criteria for enabling them? Do you do this automatically, or is > it an operator configuation to demand them? I can only speak for my code. There is a configuration option, that controls the using puzzles. You have the following options: - turn them off - always use them in both IKE_SA_INIT and IKE_AUTH when cookie is requested (which happens if the number of half-open SAs exceeds some configurable threshold) - always use them, but only in IKE_SA_INIT, when cookie is requested - use them only when cookie is requested and some other conditions are met (e.g. you may set a higher threshold for puzzles, than for cookies) You can also set a difficulty of puzzles. It is statically configured. >From my experiments there is a really small interval of complexity when puzzles are useful (so that they do require noticeable efforts from initiators and still are solved within reasonable time, e.g. a few seconds). From my recollection it is between 16-18 bits of complexity. Regards, Valery. > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide
- [IPsec] Cost-efficient quantum-resistant DoS prot… Daniel Herzinger
- [IPsec] Cost-efficient quantum-resistant DoS prot… Tero Kivinen
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Valery Smyslov
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Kampanakis, Panos
- Re: [IPsec] Cost-efficient quantum-resistant DoS … CJ Tjhai
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Daniel Herzinger
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Kampanakis, Panos
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Scott Fluhrer (sfluhrer)
- Re: [IPsec] [UNVERIFIED SENDER] RE: Cost-efficien… Kampanakis, Panos
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Valery Smyslov
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Valery Smyslov
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Tero Kivinen
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Michael Richardson
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Graham Bartlett
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Valery Smyslov
- Re: [IPsec] Cost-efficient quantum-resistant DoS … stefan
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Yoav Nir
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Michael Richardson
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Valery Smyslov
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Yoav Nir
- Re: [IPsec] Cost-efficient quantum-resistant DoS … Michael Richardson