Protecting Internet Key Exchange (IKE) Implementations from Denial of Service Attacks through Client Puzzles
draft-nir-ipsecme-puzzles-00

Document Type: Expired Internet-Draft (individual)
Last updated: 2014-11-10 (latest revision 2014-04-30)
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-nir-ipsecme-puzzles-00.txt

Abstract

This document describes an enhancement to the Stateless Cookie mechanism described in RFC 5996. Whereas the original mechanism prevents denial-of-service (DoS) attacks that use multiple spoofed source addresses, the mechanism here is effective against a distributed denial-of-service (DDoS) attack, where the attackers use their own source addresses. This is accomplished by requiring proof of work by the Initiator before allocating resources at the Responder.

Authors

Yoav Nir (ynir.ietf@gmail.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)