Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06

"Valery Smyslov" <svanru@gmail.com> Tue, 28 June 2016 05:38 UTC

Message-ID: <CE2060023EDE4BDD838CBC70763875B4@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Wouters <paul@nohats.ca>
References: <alpine.LRH.2.20.1605311635540.16809@bofh.nohats.ca> <4200F5373D5542C985F3D4C51609213C@buildpc> <alpine.LRH.2.20.1606022148040.23132@bofh.nohats.ca> <E61D75BBDD0F4A159352B3258BBAA7DE@buildpc> <alpine.LRH.2.20.1606031155230.11420@bofh.nohats.ca> <A6682BC2468947F1A1669A9B9D558BF5@buildpc> <alpine.LRH.2.20.1606222214230.27151@bofh.nohats.ca>
Date: Tue, 28 Jun 2016 08:37:58 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/hlHMDsyauWCaJBxWrHSmo2RmaJ4>
Cc: ipsec@ietf.org, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] Review of draft-ietf-ipsecme-ddos-protection-06

Hi Paul,

>> I'd rather change it a bit:
>>
>>    When the Responder is under attack, it SHOULD prefer previously
>>    authenticated peers who present a Session Resumption ticket [RFC5723].
>>    However, the Responder SHOULD NOT switch to resumed clients
>>    completely (and thus refuse every IKE_SA_INIT request),
>>    so that legitimate initiators without resumption tickets still have
>>    chances to connect.
> 
> Ok, minor change:
> 
>     When the Responder is under attack, it SHOULD prefer previously
>     authenticated peers who present a Session Resumption ticket [RFC5723].
>     However, the Responder SHOULD NOT serve resumed Initiators exclusively
>     because dropping all IKE_SA_INIT requests would lock out legitimate
>     Initiators that have no resumption ticket.

Works for me.

Regards,
Valery.
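The admission policy agreed in the thread above, as an added example that is not part of the original message, of the draft, or of any implementation: a Responder under attack fills most of its half-open-SA budget from Initiators presenting a valid resumption ticket, but keeps a reserved share for plain IKE_SA_INIT so that Initiators without a ticket are not locked out. The ticket format (peer identity plus an HMAC tag), the 20% reserve, the capacity figure and the traffic mix are assumptions chosen for the simulation; RFC 5723 tickets are opaque, Responder-protected state and the draft does not prescribe a share.

```python
"""Simulation of a Responder admission policy under attack (added example).

Assumptions (not from the draft or RFC 5723): tickets are modelled as
peer_id || HMAC-SHA256(ticket_key, peer_id); the reserve for IKE_SA_INIT
is a fixed fraction of the per-interval capacity; traffic counts are made up.
"""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed ticket-protection key; a real Responder keeps its own secret.
TICKET_KEY = os.urandom(32)
TAG_LEN = 32


def issue_ticket(peer_id: bytes) -> bytes:
    """Hypothetical minimal ticket: peer identity plus an HMAC tag."""
    return peer_id + hmac.new(TICKET_KEY, peer_id, hashlib.sha256).digest()


def ticket_valid(ticket: bytes) -> bool:
    """Cheap symmetric check; no Diffie-Hellman work is spent on a bad ticket."""
    if len(ticket) <= TAG_LEN:
        return False
    peer_id, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(TICKET_KEY, peer_id, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


@dataclass
class Request:
    kind: str                       # "IKE_SA_INIT" or "IKE_SESSION_RESUME"
    legit: bool                     # label used only to score the simulation
    ticket: Optional[bytes] = None  # present only on IKE_SESSION_RESUME


def admit(requests: List[Request], capacity: int, init_share: float,
          under_attack: bool = True) -> List[Request]:
    """Return the requests the Responder creates state for this interval.

    Under attack: prefer valid resumption tickets, but never use more than
    (1 - init_share) of the capacity for them, so a reserved slice always
    remains for IKE_SA_INIT. Leftover resumption capacity also goes to
    IKE_SA_INIT rather than being wasted.
    """
    if not under_attack:
        return requests[:capacity]
    resume = [r for r in requests
              if r.kind == "IKE_SESSION_RESUME"
              and r.ticket is not None and ticket_valid(r.ticket)]
    init = [r for r in requests if r.kind == "IKE_SA_INIT"]
    reserved = int(capacity * init_share)
    admitted = resume[:capacity - reserved]
    admitted += init[:capacity - len(admitted)]
    return admitted


def simulate(n_attack_init: int = 1000, n_legit_init: int = 20,
             n_resume: int = 200, capacity: int = 100,
             init_share: float = 0.2, seed: int = 1) -> dict:
    """Constructed traffic mix: a flood of IKE_SA_INIT, a few legitimate
    fresh Initiators, many returning peers with tickets, one forged ticket."""
    rng = random.Random(seed)
    reqs = [Request("IKE_SA_INIT", False) for _ in range(n_attack_init)]
    reqs += [Request("IKE_SA_INIT", True) for _ in range(n_legit_init)]
    reqs += [Request("IKE_SESSION_RESUME", True, issue_ticket(b"peer%d" % i))
             for i in range(n_resume)]
    reqs.append(Request("IKE_SESSION_RESUME", False, b"forged-ticket"))
    rng.shuffle(reqs)
    admitted = admit(reqs, capacity, init_share)
    return {
        "resume_admitted": sum(r.kind == "IKE_SESSION_RESUME" for r in admitted),
        "forged_resume_admitted": sum(r.kind == "IKE_SESSION_RESUME" and not r.legit
                                      for r in admitted),
        "init_admitted": sum(r.kind == "IKE_SA_INIT" for r in admitted),
        "legit_init_admitted": sum(r.kind == "IKE_SA_INIT" and r.legit
                                   for r in admitted),
    }


if __name__ == "__main__":
    print("prefer tickets, 20% reserved for IKE_SA_INIT:", simulate())
    print("tickets only (what the text warns against):", simulate(init_share=0.0))
```

With init_share=0.0 the Responder serves resumed Initiators exclusively and every IKE_SA_INIT, legitimate or not, is dropped; with a non-zero reserve some fresh Initiators get through each interval, in proportion to their share of the IKE_SA_INIT flood. The reserve does not by itself separate legitimate IKE_SA_INIT from attack traffic; that is what the draft's cookie and puzzle mechanisms are for.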