Protecting Internet Key Exchange (IKE) Implementations from Denial of Service Attacks through Client Puzzles

Document Type: Expired Internet-Draft (individual)
Author: Yoav Nir
Last updated: 2014-11-10 (latest revision 2014-04-30)
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes an enhancement to the Stateless Cookie mechanism described in RFC 5996. Whereas the original mechanism prevents denial-of-service (DoS) attacks that use multiple spoofed source addresses, the mechanism described here is effective against a distributed denial-of-service (DDoS) attack, where the attackers use their own source addresses. This is accomplished by requiring proof of work from the Initiator before the Responder allocates resources.
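A minimal sketch of the idea in the abstract, added here as an illustration and not taken from the draft: the Responder issues a stateless cookie, the Initiator must find a value that hashes with it to a digest with enough leading zero bits, and the Responder checks that cheaply before committing any state. The SHA-256 puzzle, the cookie layout, the difficulty value and all function names are assumptions; the draft's own puzzle format is not reproduced on this page.

```python
import hashlib
import hmac
import os
import struct

SECRET = os.urandom(32)   # Responder's local secret (assumed; would be rotated in practice)
DIFFICULTY_BITS = 12      # constructed value, kept small so the demo finishes quickly


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def make_cookie(initiator_ip: str, initiator_nonce: bytes) -> bytes:
    """Stateless cookie: recomputable from the request, so nothing is stored."""
    msg = initiator_ip.encode() + initiator_nonce
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def solve(cookie: bytes, bits: int) -> int:
    """Initiator side: brute-force a counter; expected cost is about 2**bits hashes."""
    counter = 0
    while True:
        digest = hashlib.sha256(cookie + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(initiator_ip: str, initiator_nonce: bytes, cookie: bytes,
           solution: int, bits: int) -> bool:
    """Responder side: one HMAC and one hash, done before any per-peer state exists."""
    expected = make_cookie(initiator_ip, initiator_nonce)
    if not hmac.compare_digest(expected, cookie):
        return False          # cookie was not issued to this address and nonce
    if not 0 <= solution < 2 ** 64:
        return False          # reject values that cannot be encoded
    digest = hashlib.sha256(cookie + struct.pack(">Q", solution)).digest()
    return leading_zero_bits(digest) >= bits


if __name__ == "__main__":
    ip, nonce = "192.0.2.10", os.urandom(16)   # constructed sample Initiator
    cookie = make_cookie(ip, nonce)
    answer = solve(cookie, DIFFICULTY_BITS)
    print("solution:", answer, "accepted:", verify(ip, nonce, cookie, answer, DIFFICULTY_BITS))
```

Because the cookie binds the puzzle to the Initiator's address, the work cannot be reused from another address, and each extra difficulty bit doubles the Initiator's expected cost while the Responder's check stays constant.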


Yoav Nir (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)