> Phill,
>
> Have you read the JFK draft?

Have you read my extensive comments on the JFK draft posted to the list?

> The idea of a generalized cookie mechanism for IP/TCP is
> something I've toyed with. For applications where you don't
> necessarily want to do IPsec, but DoS attacks are very important
> (e.g. wireless, specifically IP paging), it would be nice if your
> access router could generate an ICMP_ROUTABILITY_TEST message
> which would force the initiator to retry with a nonce/cookie.

I don't think that has much value. For the cookie to be useful it really has to be strongly bound to a particular request and a specific IP port. Otherwise an attacker can get one legitimate cookie and then SPAM you to death with it.

Phill
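Phill's point above, that a DoS cookie is only useful when bound to the particular request and the source IP/port, as an added Python example (not from the thread or any draft; the HMAC construction, the server secret and the 60-second time window are assumptions):

```python
import hashlib
import hmac
import os

# Server-side secret (constructed for this example; a real server would rotate it).
SECRET = os.urandom(32)
COOKIE_TTL = 60  # seconds; a cookie is accepted in its own window and the next one


def _cookie_input(src_ip: str, src_port: int, request: bytes, epoch: int) -> bytes:
    """Everything the cookie commits to: peer address, peer port, the exact
    request (by hash) and the time window.  Change any field and the MAC changes."""
    return b"|".join([src_ip.encode(), str(src_port).encode(),
                      hashlib.sha256(request).digest(), str(epoch).encode()])


def issue_cookie(src_ip: str, src_port: int, request: bytes, now: float) -> bytes:
    """Stateless cookie: the responder stores nothing per client, only SECRET
    and the clock are needed to recompute it later."""
    epoch = int(now // COOKIE_TTL)
    return hmac.new(SECRET, _cookie_input(src_ip, src_port, request, epoch),
                    hashlib.sha256).digest()


def verify_cookie(cookie: bytes, src_ip: str, src_port: int,
                  request: bytes, now: float) -> bool:
    """Accept only if the retried request arrives from the same IP and port,
    carries the same request bytes, and is still inside the time window."""
    epoch = int(now // COOKIE_TTL)
    for e in (epoch, epoch - 1):  # tolerate one window boundary crossing
        expected = hmac.new(SECRET, _cookie_input(src_ip, src_port, request, e),
                            hashlib.sha256).digest()
        if hmac.compare_digest(cookie, expected):
            return True
    return False


def demo() -> dict:
    """Constructed scenario: one legitimate cookie, then attempts to reuse it."""
    ip, port, req, t0 = "192.0.2.10", 40000, b"SETUP session=1", 1000.0
    c = issue_cookie(ip, port, req, t0)
    return {
        "same_peer_same_request": verify_cookie(c, ip, port, req, t0 + 1),
        "same_ip_other_port": verify_cookie(c, ip, port + 1, req, t0 + 1),
        "same_peer_other_request": verify_cookie(c, ip, port, b"SETUP session=2", t0 + 1),
        "same_peer_expired": verify_cookie(c, ip, port, req, t0 + 3 * COOKIE_TTL),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case verifies; a cookie harvested once cannot be replayed from another port, for a different request, or after the window closes.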