Re: [TLS] Alert type for connection limit or server busy?
Erik Nygren <erik+ietf@nygren.org> Wed, 02 April 2014 06:35 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75B7E1A00D9 for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 23:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5UZRhD9ijX6Z for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 23:35:03 -0700 (PDT)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id 675041A00DE for <tls@ietf.org>; Tue, 1 Apr 2014 23:35:03 -0700 (PDT)
Received: by mail-vc0-f176.google.com with SMTP id lc6so11319983vcb.35 for <tls@ietf.org>; Tue, 01 Apr 2014 23:34:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=N8nY40/R6jBNHZoJCszkueUCenprCPG/bBH/66hXizk=; b=nhefJ1QZ4yOgfFYz3xV4fL4MtHWueR2HTP76D7quQqQn7USW8kfVB14I1a/sQu6mmT 3UyCm56q4BjGh/uiLbhIXRsj1aeNzo0VmghFKykIcSm3gm5kZRdSqMzMCbOvYQL/7XFk q1zh7A5LEnI2IjGK+dqQdRwRZbXgjkicDNqXEPkRhzcMT9gzh5AIoUyF+uUffWgTxOX/ bmjHgzP65/emqBRX8McIzgTWsTVuLTFwObE3oVDZglk6N6dYlvg9uucMNsPy7VM2JWeZ onXVyJ7EA+k9UGnbOK4FWKnOnh2YBy5+P4VUS+cbqiPBqKDC49hamDHU/nlVSsrPG8x+ 3Pzw==
MIME-Version: 1.0
X-Received: by 10.52.163.145 with SMTP id yi17mr186974vdb.46.1396420499377; Tue, 01 Apr 2014 23:34:59 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.221.18.70 with HTTP; Tue, 1 Apr 2014 23:34:59 -0700 (PDT)
In-Reply-To: <533BACDD.5050904@akr.io>
References: <EBC54843816A0E9AD64C880F@96B2F16665FF96BAE59E9B90> <CAKC-DJi2CHC5Jqu77qE7NxgF0P5QdhQvsRdfdzvhLeHbCnC0iA@mail.gmail.com> <533BAC14.90803@akr.io> <533BACDD.5050904@akr.io>
Date: Tue, 01 Apr 2014 23:34:59 -0700
X-Google-Sender-Auth: VgmLENnMZnMbaRGWCwMihIpkKGI
Message-ID: <CAKC-DJg74xTEuSnpuXdCjraAEgBRF+zfnJy3ajFDCZDNVHijpQ@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: Alyssa Rowan <akr@akr.io>
Content-Type: multipart/alternative; boundary="001a11c2bb5ad296b304f6097ba7"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wwyDADBOTHkGFDGRpARvy5Ry5j4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Alert type for connection limit or server busy?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 06:35:07 -0000
> Of course, the server would have to spend cycles generating and
> validating challenges. Not as many as the clients, but still, cycles.
Of course, but considerably less (orders of magnitude less?). Very similar
to the cycles used in syncookies.
> It'd have to remember full_value under overload conditions, though.
> Unless that's shared, that's memory (stored) or CPU (generated).
Not necessarily. If structured right, the server could construct
full_value from something
like { HMAC-SHA256(key, nonce || client_ipaddr) || nonce }
that could be reconstructed when the client returns. The server might then
went
to keep these around for a bit for *accepted* connections to avoid replay
attacks.
(Disclaimer: I'm not a cryptographer, so the example given was more
a sample type of proof-of-work rather than a particular proposed
implementation.)
Erik
On Tue, Apr 1, 2014 at 11:23 PM, Alyssa Rowan <akr@akr.io> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 02/04/2014 07:20, Alyssa Rowan wrote:
>
> > Otherwise known as "hashcash".
>
> [Ugh, shouldn't post before breakfast, mistake. It's not hashcash,
> although it is kinda like it. Reverse hashcash, maybe.]
>
> It'd have to remember full_value under overload conditions, though.
> Unless that's shared, that's memory (stored) or CPU (generated).
>
> - --
> /akr
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJTO6zdAAoJEOyEjtkWi2t6UiYP+wawQNs3Y1jWl/IPCngGKISe
> TjW4zbSI8zOjbk6gCrkI3tMnUHIchWMR972EaFNqDBGT9LIMir4ak1vpD/m+g7pG
> 1F4KgVH+b7iJ/Z/ZfISNNjXx6MoqDmWjLVoxbiHghjTEkf0ElinNNsOu7QE9znzd
> mRpfQofHf2V6xSZt4PmE/oLUtXjiEda2WG3AW8OhOLdjw+Ihgs4fN9SxsLjYq4/7
> vznGO8qXQYAfh95XZQ1VsT9lf2mMASW/lH10czb4djXYrp7wNKQ2aG16PmSozZdr
> qnCYb4IZ3YciG16mQ5sBiPf0wtEu9tpc/BeYpGVFkm2c/chjS7jzoP4gjehyWihm
> eB8e/dO7HwIk+iaF1M+0VA4KkmcEqKHTFMsqyD0d0RR5J5ejbAn3T8Kae3OyNpUA
> 9t/4SdI/Wrt9o5r1hCS1p8LjeksmENJMjQE6Z21lPX5RkGJ2+F1Zk5ieNMjcFEOA
> UYXK5DWcs+Wofw3+dcR++zQyDgYSr3L8UgUZltOQIrESmrGq4bSeRXuPa2lwyOus
> /n3aSeuBqOAqbKfVFkCC6l86BJH2/GybEIsP70RHZgcWXdCpIWhitxD/jM8w2LUr
> biMVUzbGviDyo1S3JSCu82tQBqqzixD7UmCCRSKtmtwJjCtp39igKMtdKHIy6URo
> u4FgGxztq8HWjV30W323
> =31sI
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
- [TLS] Alert type for connection limit or server b… Chris Newman
- Re: [TLS] Alert type for connection limit or serv… Erik Nygren
- Re: [TLS] Alert type for connection limit or serv… Alyssa Rowan
- Re: [TLS] Alert type for connection limit or serv… Alyssa Rowan
- Re: [TLS] Alert type for connection limit or serv… Erik Nygren
- Re: [TLS] Alert type for connection limit or serv… Yoav Nir