[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: proxy AH (was: An architectural draft)

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: proxy AH (was: An architectural draft)
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Thu, 29 May 2003 14:38:06 +0859 ()
Cc: Eliot Lear <lear@cisco.com>, multi6@ops.ietf.org
In-reply-to: <11490F84-9162-11D7-9944-00039388672E@muada.com> from Iljitsch vanBeijnum at "May 29, 2003 01:14:01 am"

Iljitsch;

The only thing you can do against DoS is to detect its origin.

Complex attempt of protection with larger number of components
and more computation makes DoS more effective.

> The master keys are communicated to the 
> ISP (for instance by inserting them in a BGP attribute)

in plain text?

> Then packets that don't have an AH or for which the AH check 
> fails are severely rate limited

> This requires some serious hardware at the ISP side

You are saying you must provide high performance hardware to get
severely limited rate, even though there is no attackers, which
is a lot worse than DoS.

							Masataka Ohta

Follow-Ups:
- Re: proxy AH (was: An architectural draft)
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- Re: proxy AH (was: An architectural draft)
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: An architectural draft
Next by Date: Re: proxy AH (was: An architectural draft)
Previous by thread: Re: proxy AH (was: An architectural draft)
Next by thread: Re: proxy AH (was: An architectural draft)
Index(es):
- Date
- Thread