Re: upgrade question - clarification

I agree with you about the input - be nice to get some other ideas - here's my one for today - I hope you can shed some light!

Q. IKE DoS protection - need to minimize the performance impact of implementing this new protection. Which of the following configurations is MOST appropriate?

A- Set Support IKE DoS protection from identified source to "Puzzles", and Support IKE DoS protection from unidentified source to "Stateless".
B- Set Support IKE DoS Protection from identified source, and Support IKE DoS protection from unidentified source to "Puzzles".
C- Set Support IKE DoS protection from identified source to "Stateless," and Support IKE DoS protection from unidentified source to "Puzzles".
D- Set "Support IKE DoS protection" from identified source, and "Support IKE DoS protection" from unidentified source to "Stateless".
E- Set Support IKE DoS protection from identified source to "Stateless", and Support IKE DoS protection from unidentified source to "None".

I've seen every solution say answer D. I know the proper way to set this up is to set Stateless for identified sources (gateways) and Puzzles for unidentified (remote clients) - but the question does say to 'minimize performance' - so I guess that's why they've just gone for Stateless on unidentified sources (as puzzles take a lot of computational processing). But the question doesn't say set identified to 'none' - it seems incomplete.

What are your thoughts on this?

Thanks