
Re: resistance to swamping attacks.



touch@ISI.EDU wrote:
> 	a) All resources are FIRST allocated to existing
> 	   connections.
> 
> 	b) Remaining resources are allocated 'fairly' on
> 	   a per-connection-attempt basis.
> 
> 	c) Connections not fully established have a finite
> 	   resource limit, BOTH individually and as an 
> 	   aggregate class.
> 
> I think these are necessary and sufficient.

Right. I fully agree. Now it would be interesting, how you can modify the
protocol used for connection attempts to make life for swamping attacks
*much* harder. The cookie approach certainly does this. The idea [expense
for the sender, cheap verification for the receiver] is interesting, but
fails if precomputing can happen on the sending side. Others?

Germano
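
A sketch of the cookie approach mentioned in the message above, added here as an illustration; it is not part of the original thread and not any protocol's actual cookie format. The HMAC construction, the 60-second bucket, the `Responder` class and the sample addresses are assumptions. The responder keeps no state for a connection attempt until the initiator echoes a cookie that only a host reachable at the claimed source address could have received.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # responder-local secret, never sent (assumed design)
BUCKET_SECONDS = 60       # cookie lifetime granularity (assumed value)


def _mac(src_ip, src_port, initiator_nonce, bucket):
    # Bind the cookie to the claimed source and to a coarse time bucket.
    msg = f"{src_ip}|{src_port}|{bucket}|".encode() + initiator_nonce
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]


def make_cookie(src_ip, src_port, initiator_nonce, now=None):
    """Handle a connection attempt: compute a cookie, store nothing."""
    now = time.time() if now is None else now
    return _mac(src_ip, src_port, initiator_nonce, int(now // BUCKET_SECONDS))


def verify_cookie(cookie, src_ip, src_port, initiator_nonce, now=None):
    """Recompute the cookie; accept the current or previous bucket only."""
    now = time.time() if now is None else now
    bucket = int(now // BUCKET_SECONDS)
    return any(
        hmac.compare_digest(cookie, _mac(src_ip, src_port, initiator_nonce, b))
        for b in (bucket, bucket - 1)
    )


class Responder:
    """Allocates per-connection state only after a cookie round trip."""

    def __init__(self):
        self.connections = {}

    def on_first_message(self, src_ip, src_port, nonce, now=None):
        # One HMAC of work, zero bytes of stored state per attempt.
        return make_cookie(src_ip, src_port, nonce, now)

    def on_cookie_echo(self, cookie, src_ip, src_port, nonce, now=None):
        if not verify_cookie(cookie, src_ip, src_port, nonce, now):
            return False
        self.connections[(src_ip, src_port)] = {"nonce": nonce}
        return True
```

Because the cookie depends on a secret only the responder holds, an initiator cannot compute it ahead of time; it has to receive it at the address it claims.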

