Re: [IPsec] Status of draft-ietf-ipsecme-ddos-protection

"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Tue, 31 May 2016 16:25 UTC

From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: Valery Smyslov <svanru@gmail.com>, Yoav Nir <ynir.ietf@gmail.com>
Date: Tue, 31 May 2016 16:25:13 +0000
Message-ID: <DM2PR09MB036547D5BC4DA85825E09EE0F0460@DM2PR09MB0365.namprd09.prod.outlook.com>
References: <860C938B60E24C76A1749A1563D53A55@buildpc> <alpine.LRH.2.20.1605301312210.8086@bofh.nohats.ca> <C2083AF9EC484C129737FE456527D2F4@buildpc> <6ECFA010-549C-45DF-9D88-3D916D706A0D@gmail.com> <CDE9E49B6A0C46C6BCA85D1450779D88@buildpc>
In-Reply-To: <CDE9E49B6A0C46C6BCA85D1450779D88@buildpc>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "paul@nohats.ca" <paul@nohats.ca>
Subject: Re: [IPsec] Status of draft-ietf-ipsecme-ddos-protection

From what I am reading, there isn't an interest in splitting puzzles out as experimental. If you feel strongly that puzzles should be split out into a separate experimental draft, please speak up. If we don't hear anything by Monday, June 6, we will begin making preparations to send the draft as-is to the IESG.

Since we are wrapping up the WGLC, please also consider this a final call for comments on the draft before we send it off.

Thanks,
Dave

> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Valery Smyslov
> Sent: Tuesday, May 31, 2016 2:05 AM
> To: Yoav Nir <ynir.ietf@gmail.com>
> Cc: ipsec@ietf.org; paul@nohats.ca
> Subject: Re: [IPsec] Status of draft-ietf-ipsecme-ddos-protection
> 
> >> The concern is not about stand-alone puzzles document. It is about an
> >> Experimental status of that document versus Standards Track in the
> >> current draft. Vendors tend to ignore Experimental RFCs.
> >
> > The conventional wisdom is that vendors tend to ignore whatever status
> > the IETF assigns to documents and implement whatever meets their goals.
> 
> That's true in general. However Experimental status makes vendors more
> suspicious that they will spend resources implementing the protocol and gain
> little, because most other vendors will refrain from implementing it. For
> puzzles to work they must become ubiquitous.
> 
> > My preference is to keep it all in one document, and clearly state
> > that the puzzle part of the document is OPTIONAL, meaning that you can
> > comply with the RFC even without implementing it.
> 
> That's my preference too. In fact, the current draft doesn't mandate to
> implement (or even to use) puzzles, so they are already optional.
> 
> > There is a concern about an Initiator that does not implement puzzles
> > connecting to a Responder that does.
> > Things will work fine until there is a DoS attack and then we’re
> > helping the attacker by denying service to the non-implementing
> > Initiator. And that could happen between an Initiator and Responder,
> > both of whom can claim compliance with the document. This isn’t great,
> > but separating them into two documents does not make the problem go
> > away.
> 
> That's true.
> 
> > Yoav
> 
> Regards,
> Valery.
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
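The interoperability gap Yoav raises above, modelled as an added example that is not part of the thread or of the draft: a Responder that only demands a puzzle while under attack, an Initiator that implements puzzles, and one that does not. The puzzle here is a constructed, simplified hash puzzle (leading zero bits over SHA-256), not the draft's wire format; class and function names are assumptions for illustration.

```python
import hashlib
import os


def _has_leading_zero_bits(digest_hex, bits):
    """True if the 256-bit digest starts with at least `bits` zero bits."""
    return bin(int(digest_hex, 16))[2:].zfill(256).startswith("0" * bits)


class Responder:
    """Puzzles are OPTIONAL: they are only demanded while under attack."""

    def __init__(self, difficulty=12):
        self.difficulty = difficulty
        self.under_attack = False
        self.secret = os.urandom(16)  # per-responder secret behind the cookie

    def cookie(self, initiator_id):
        # Stateless cookie bound to the initiator, so nothing is stored per peer.
        return hashlib.sha256(self.secret + initiator_id.encode()).hexdigest()[:16]

    def puzzle_solved(self, initiator_id, solution):
        if solution is None:
            return False
        h = hashlib.sha256((self.cookie(initiator_id) + solution).encode()).hexdigest()
        return _has_leading_zero_bits(h, self.difficulty)

    def ike_sa_init(self, initiator_id, solution=None):
        """Returns ('OK', None) or ('PUZZLE', cookie) asking for work first."""
        if not self.under_attack or self.puzzle_solved(initiator_id, solution):
            return ("OK", None)
        return ("PUZZLE", self.cookie(initiator_id))


def solve_puzzle(cookie, difficulty):
    """Brute-force the constructed puzzle: find a suffix giving enough zero bits."""
    n = 0
    while True:
        sol = str(n)
        if _has_leading_zero_bits(hashlib.sha256((cookie + sol).encode()).hexdigest(), difficulty):
            return sol
        n += 1


def connect(responder, initiator_id, supports_puzzles):
    """Initiator side; returns 'connected' or 'denied'."""
    status, cookie = responder.ike_sa_init(initiator_id)
    if status == "OK":
        return "connected"
    if supports_puzzles:  # solve and retry with the solution
        status, _ = responder.ike_sa_init(initiator_id, solve_puzzle(cookie, responder.difficulty))
        return "connected" if status == "OK" else "denied"
    return "denied"  # non-implementing Initiator cannot answer the puzzle request
```

Outside an attack both Initiators connect; once the Responder turns puzzles on, the compliant-but-non-implementing Initiator is the one that loses service.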