Re: [TLS] TLS client puzzles

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 06 July 2016 20:23 UTC

To: Kyle Rose <krose@krose.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Dmitry Khovratovich <khovratovich@gmail.com>
Subject: Re: [TLS] TLS client puzzles

Kyle,

The question for me is whether it will be an effective mechanism when
many devices just do not support it (for a number of reasons). For IoT
devices the reason is simple: they don't have MBs of memory.

Even the regular puzzle technique has the problem that you have to
adjust the puzzle difficulty and what is a piece of cake for a desktop
computer kills the battery of an IoT device.

(And note that I am not saying that IoT devices aren't used for DDoS
attacks.)

On 07/06/2016 10:16 PM, Kyle Rose wrote:
> On Wed, Jul 6, 2016 at 4:08 PM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> 
>     I agree with Brian here on this issue. This is clearly impractical for
>     IoT devices. For many of those devices we are talking about 32 KB (in
>     total). 
> 
>  
> I continue to feel like this is a valid objection to the wrong
> proposition. I don't think the question is, "Should TLS client puzzles
> be issued by all TLS servers under load?" but rather, "Would client
> puzzles be a useful addition to the DDoS toolbox, and appropriate in
> some cases?"
> 
> Kyle
>
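An added example, not part of this thread or of any draft it discusses: a minimal hash-based client puzzle of the "regular" kind Hannes refers to, with the difficulty chosen by the server. The function names, the HMAC binding to the ClientHello and the leading-zero-bits criterion are assumptions of this example; it shows that the client's expected work is about 2^difficulty hashes while the server verifies statelessly in constant time, which is exactly the single knob that cannot distinguish a desktop from a battery-powered device.

```python
import hashlib
import hmac
import os


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the puzzle's difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_puzzle(server_key: bytes, client_hello: bytes, difficulty: int) -> dict:
    """Server side: build a puzzle bound to this ClientHello.

    The HMAC tag lets the server stay stateless under load: it keeps nothing
    per client and later recomputes the tag to check the puzzle is its own.
    """
    nonce = os.urandom(16)
    tag = hmac.new(server_key, nonce + client_hello + bytes([difficulty]),
                   hashlib.sha256).digest()
    return {"nonce": nonce, "difficulty": difficulty, "tag": tag}


def solve_puzzle(puzzle: dict, client_hello: bytes, max_tries: int = 1 << 24):
    """Client side: brute-force a counter until the hash has enough leading zero bits.

    Returns (solution, hashes_tried); hashes_tried averages about 2**difficulty,
    and that cost is the same whether the solver is a desktop or a constrained device.
    """
    prefix = puzzle["nonce"] + client_hello
    for counter in range(max_tries):
        digest = hashlib.sha256(prefix + counter.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= puzzle["difficulty"]:
            return counter, counter + 1
    raise RuntimeError("no solution within max_tries")


def verify_solution(server_key: bytes, client_hello: bytes, puzzle: dict,
                    solution: int) -> bool:
    """Server side: one HMAC plus one hash, regardless of difficulty."""
    expected_tag = hmac.new(server_key,
                            puzzle["nonce"] + client_hello + bytes([puzzle["difficulty"]]),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, puzzle["tag"]):
        return False  # not a puzzle this server issued, or difficulty was tampered with
    digest = hashlib.sha256(puzzle["nonce"] + client_hello
                            + solution.to_bytes(8, "big")).digest()
    return _leading_zero_bits(digest) >= puzzle["difficulty"]
```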