Re: [IPsec] DDoS puzzle: PRF vs Hash

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 09 February 2015 00:44 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E63D41A6F02 for <ipsec@ietfa.amsl.com>; Sun, 8 Feb 2015 16:44:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rIDJQuSx1Gnl for <ipsec@ietfa.amsl.com>; Sun, 8 Feb 2015 16:44:10 -0800 (PST)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C68391A1B7F for <ipsec@ietf.org>; Sun, 8 Feb 2015 16:44:10 -0800 (PST)
Received: from [10.20.30.90] (142-254-17-146.dsl.dynamic.fusionbroadband.com [142.254.17.146]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t190i7p3070040 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 8 Feb 2015 17:44:08 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 142-254-17-146.dsl.dynamic.fusionbroadband.com [142.254.17.146] claimed to be [10.20.30.90]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <54D7EF6B.1020706@gmail.com>
Date: Sun, 08 Feb 2015 16:44:07 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <E59443F0-15D8-486B-B951-9CF7294F0495@vpnc.org>
References: <E3BB1487-8C5F-461B-9E9D-02F856131FDF@gmail.com> <54CAACAF.60806@gmail.com> <44373351-D8EB-454F-8BCC-8CD5CD0C32E2@gmail.com> <1DFDD936EE8A4C08BBCD6621F93D1D8F@buildpc> <A4A75C75-0224-4108-90E4-8DB18289918B@gmail.com> <54CB8932.8010406@gmail.com> <C421438B-46B0-47B3-93C3-0868A2C1774F@gmail.com> <54C75880-8F6C-40AA-9F30-754D16BAD46D@gmail.com> <22BD2882-D15D-4280-AE2B-07C060FC1DE5@gmail.com> <54CE6429.2020800@gmail.com> <A113ACFD9DF8B04F96395BDEACB340420BEAB24A@xmb-rcd-x04.cisco.com> <E8B45F2D-7646-4203-9B71-A7148EA5E2E1@gmail.com> <99696496A6304DE588B99DD6B5E75B1C@buildpc> <0B9A7EB1-2B48-4778-AE82-3B1FBC2103D8@gmail.com> <426C21C2944648EA9D0EEA0B07BBADD6@buildpc> <54D7D332.5040604@gmail.com> <1F395EC4-81EE-4252-865F-AEC940BAF145@vpnc.org> <54D7EF6B.1020706@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/rx2zExb4_juIE6Q37Dp4BY0fDbI>
Cc: IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] DDoS puzzle: PRF vs Hash
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 00:44:12 -0000

On Feb 8, 2015, at 3:21 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> Yes, of course. It just needs to verify the integrity (MAC) of the received ticket (as easy or easier than our proposed puzzle verification), and then the rest of the exchange is lighter-weight than a typical IKE exchange. See http://tools.ietf.org/html/rfc5723#section-4.3.2.

I knew the latter part, but I was more concerned about the former. As long as the verification is no harder than the proposed puzzles, then yes, resumption seems like a good addition. I wanted to be sure that it wasn't harder.

--Paul Hoffman