Re: Some comments on JFK

[Eric Rescorla <ekr@rtfm.com>]

"Hallam-Baker, Phillip" <pbaker@verisign.com> writes:

> [1  <text/plain; iso-8859-1 (7bit)>]
> > Yes, but purpose of forcing the initiator to spend cycles before the
> > responder is for DoS prevention, not rate throttling of legitimate
> > initiators, no?
> 
> Carefull, you don't 'force' the initiator to spend cycles before the
> responder. What you actually do is to force the initiator to prove that
> it can recieve packets sent to the purported initiator address before 
> the responder spends cycles.
> 
> The initiator can send any old junk to the respinder and the responder
> will not know until the cycles are spent.
This was exactly my point. 

The draft says:

   The Initiator bears the initial computational burden
   and must establish round-trip communication with the Responder
   before the latter is required to perform expensive operations.

This text suggests that the fact that the initiator performs
the DH operation first protects against DoS. As far as I can
tell it does not.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/

---

Follow-Ups:

• Re: Some comments on JFK
• From: "Angelos D. Keromytis" <angelos@cs.columbia.edu>

References:

• RE: Some comments on JFK
• From: "Hallam-Baker, Phillip" <pbaker@verisign.com>

---

• Prev by Date: RE: Some comments on JFK
• Next by Date: Re: Some comments on JFK
• Prev by thread: RE: Some comments on JFK
• Next by thread: Re: Some comments on JFK
• Index(es):
  • Main
  • Thread