In message <[email protected]>, "Dobbins, Roland" writes:
>
> On Oct 26, 2012, at 12:48 AM, paul vixie wrote:
>
> > until cisco makes source address validation the default
>
> Unfortunately, neither Cisco nor any other network infrastructure vendor will
> do this absent some fundamental breakthrough in anti-spoofing mechanisms,
> because there are too many topological situations in which the primary existing
> mechanism (uRPF, ACLs) can induce overblocking.

We essentially have the infrastructure to do this today. We have certs
for address delegations. They can be used to sign server certs which
can then sign "I will be sourcing from these prefixes" announcements
which can in turn let correct authenticated source address filters
be produced. This would cover most end site requirements.

> -----------------------------------------------------------------------
> Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
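
An added sketch of the last step proposed in the message above (example code, not part of the original post or of any ISC software): turning a "sourcing from these prefixes" announcement into a source address filter, accepting only prefixes covered by the address delegation. It assumes the certificate chain and announcement signature have already been verified elsewhere; the function names and the documentation-range prefixes are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not taken from the thread).
DELEGATED = ["192.0.2.0/24", "2001:db8::/32"]        # prefixes in the delegation cert
ANNOUNCED = ["192.0.2.0/25", "192.0.2.128/25",       # "I will be sourcing from" claims
             "2001:db8:1::/48", "198.51.100.0/24"]   # last one is outside the delegation


def build_source_filter(delegated, announced):
    """Return (allow, rejected): announced prefixes covered by the delegation,
    collapsed into a minimal allow list, and the claims that were not covered.
    Assumes signatures on both inputs were verified before this is called."""
    deleg = [ipaddress.ip_network(p) for p in delegated]
    accepted, rejected = [], []
    for prefix in announced:
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed address families, so compare versions first.
        covered = any(net.version == d.version and net.subnet_of(d) for d in deleg)
        (accepted if covered else rejected).append(net)
    allow = []
    for version in (4, 6):  # collapse_addresses() cannot mix IPv4 and IPv6
        same_family = [n for n in accepted if n.version == version]
        allow.extend(ipaddress.collapse_addresses(same_family))
    return allow, rejected


def permits(allow, source_ip):
    """True if a packet with this source address passes the generated filter."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n for n in allow)


if __name__ == "__main__":
    allow, rejected = build_source_filter(DELEGATED, ANNOUNCED)
    print("allow:   ", [str(n) for n in allow])
    print("rejected:", [str(n) for n in rejected])
```
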
