
Re: proxy AH (was: An architectural draft)



Iljitsch;

The only thing you can do against DoS is to detect its origin.

A complex attempt at protection with a larger number of components
and more computation makes DoS more effective.

> The master keys are communicated to the 
> ISP (for instance by inserting them in a BGP attribute)

in plain text?

> Then packets that don't have an AH or for which the AH check 
> fails are severely rate limited

> This requires some serious hardware at the ISP side

You are saying you must provide high-performance hardware to get a
severely limited rate, even though there are no attackers, which
is a lot worse than DoS.

							Masataka Ohta