Re: [IPsec] WGLC on draft-ietf-ipsecme-ddos-protection-04
Yoav Nir <ynir.ietf@gmail.com> Sun, 06 March 2016 17:16 UTC
To: Paul Wouters <paul@nohats.ca>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tommy Pauly <tpauly@apple.com>
In-Reply-To: <alpine.LFD.2.20.1603041020030.29534@bofh.nohats.ca>
Message-Id: <FD36AD9C-E570-408B-85B2-006EB4673DCC@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/p76jDyW49XX7UQjRsF4pYmP_VxQ>
> On 4 Mar 2016, at 5:29 PM, Paul Wouters <paul@nohats.ca> wrote:
>
>> On Tue, Mar 1, 2016 at 9:03 PM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:
>> All:
>>
>> With the draft-ietf-ipsecme-ddos-protection-04 freshly minted, I believe the draft is shaping up nicely,
>> but needs additional review. To that end, this message starts a Working Group Last Call (WGLC) for
>> draft-ietf-ipsecme-ddos-protection-04.
>>
>> The version to be reviewed is https://tools.ietf.org/id/draft-ietf-ipsecme-ddos-protection-04.txt.
>>
>> Please send your comments, questions, and edit proposals to the WG mail list until March 18, 2015. If you
>> believe that the document is ready to be submitted to the IESG for consideration as a Standards Track RFC
>> please send a short message stating this.
>
> I think the document is well written with respect to DDOS. I like
> everything except the puzzles. It seems a lot of complexity for
> no gain, especially with the problem being that botnets are better
> at puzzle solving than mobile phones who want to not drain their
> batteries.

I wish we had better numbers on the actual power of mobile phones. It’s all a question of how many times they can perform PRF-HMAC-SHA256 per second. Tommy?

Regardless, FWIW I (with implementer hat on) would implement DDoS puzzles. As the draft suggests, they would be used selectively and only as a last resort.

I also think that if we had IPsec everywhere as Paul would like, DDoS attacks on IKE responders (which is basically all of the Internet) would become much more attractive. As it is, with IPsec-based remote access the VPN gateway is an attractive target, so we should have more aggressive methods in our arsenal.

Yoav
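The argument above turns on a number: how many PRF-HMAC-SHA256 evaluations per second the slowest legitimate initiator can do, versus the one evaluation the responder spends checking an answer. The script below is an added illustration, not code from the draft or from anyone in this thread. It assumes a simplified puzzle of the kind the draft describes (find a key K such that PRF-HMAC-SHA256(K, cookie) ends in `difficulty` zero bits); the draft's actual wire encoding and exact puzzle definition are not reproduced, only the cost asymmetry, and the helper names (`solve_puzzle`, `prf_rate_per_second`, `max_difficulty_within_budget`) and the sample cookie are constructed for this example.

```python
import hashlib
import hmac
import time

# Added illustration, not code from the draft or from the thread. It models
# the client-puzzle cost structure being argued about: the responder hands the
# initiator a cookie and a difficulty level, the initiator searches for a key K
# such that PRF-HMAC-SHA256(K, cookie) ends in `difficulty` zero bits, and the
# responder checks the answer with one PRF call. The draft's wire encoding and
# exact puzzle definition are NOT reproduced (assumed/simplified here).


def prf_hmac_sha256(key: bytes, data: bytes) -> bytes:
    """PRF-HMAC-SHA256 as IKEv2 uses it: HMAC over the data with SHA-256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def trailing_zero_bits(digest: bytes) -> int:
    """Count trailing zero bits of a digest (the assumed puzzle criterion)."""
    n = int.from_bytes(digest, "big")
    if n == 0:
        return len(digest) * 8
    return (n & -n).bit_length() - 1


def verify_solution(cookie: bytes, difficulty: int, key: bytes) -> bool:
    """Responder side: exactly one PRF evaluation, whatever the difficulty."""
    return trailing_zero_bits(prf_hmac_sha256(key, cookie)) >= difficulty


def solve_puzzle(cookie: bytes, difficulty: int, max_tries: int = 1 << 24):
    """Initiator side: brute-force search over candidate keys.

    Expected cost is about 2**difficulty PRF evaluations. The search is
    deterministic, so a given cookie always yields the same (key, tries).
    Returns (key, tries), or (None, max_tries) when the budget runs out.
    """
    for i in range(max_tries):
        key = i.to_bytes(8, "big")
        if verify_solution(cookie, difficulty, key):
            return key, i + 1
    return None, max_tries


def prf_rate_per_second(sample_seconds: float = 0.2) -> float:
    """Measure how many PRF-HMAC-SHA256 calls this host performs per second.

    This is the number the reply asks for; measure it on the slowest client
    you must support (a battery-powered phone) before picking a difficulty.
    """
    cookie = b"\x00" * 32
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < sample_seconds:
        prf_hmac_sha256(count.to_bytes(8, "big"), cookie)
        count += 1
    return count / (time.perf_counter() - start)


def expected_solve_seconds(difficulty: int, rate: float) -> float:
    """Expected wall-clock time for an honest initiator doing `rate` PRF/s."""
    return (2 ** difficulty) / rate


def max_difficulty_within_budget(rate: float, budget_seconds: float) -> int:
    """Largest difficulty whose expected solve time fits the budget.

    Responder-side policy helper: the difficulty is bounded by what the
    slowest legitimate client can afford, not by what a botnet can do.
    """
    d = 0
    while expected_solve_seconds(d + 1, rate) <= budget_seconds:
        d += 1
    return d


if __name__ == "__main__":
    # Constructed sample cookie; a real responder would generate it per request.
    cookie = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
    rate = prf_rate_per_second()
    print(f"this host: ~{rate:,.0f} PRF-HMAC-SHA256/s")
    for d in (8, 12, 16, 20):
        print(f"difficulty {d}: expected {expected_solve_seconds(d, rate) * 1000:.1f} ms")
    key, tries = solve_puzzle(cookie, 12)
    print(f"difficulty 12 solved after {tries} tries, "
          f"verified={verify_solution(cookie, 12, key)}")
    print("difficulty affordable in 1 s at 1e6 PRF/s:",
          max_difficulty_within_budget(1e6, 1.0))
```

Each extra bit of difficulty doubles the honest initiator's expected work while the responder's verification cost stays at one PRF call, which is why the draft can treat puzzles as a last-resort lever: the responder raises difficulty only as far as the weakest legitimate client's measured PRF rate allows, and a client that cannot solve within its budget simply fails the exchange rather than the responder falling over.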