Ron,

Thanks for clarifying the problem. Then what kinds of threats does SAVA plan
to address? Attackers spoofing addresses may control end-hosts (which is 
quite common and I guess SAVA should address), sniff traffic at the edge 
or the core, or control routers at the edge or the core. Is SAVA going to 
address all of them, or just a subset? 

Thanks,
Fan

[EMAIL PROTECTED] wrote on 09/14/2006 04:06:30 PM:

> Pekka,
> 
> You raise some very fundamental questions about SAVA. I will try to
> enumerate and answer them. If I get any of the answers wrong, I invite
> the SAVA contributors to step up and correct me.
> 
> First, you ask what it means for a packet to have a "valid source
> address". It means that there is some degree of certainty that the
> packet originated at a site to which the address was assigned by a
> legitimate numbering authority. This is a much stronger statement than
> an alternative definition, which claims only that the packet is not
> spoofing some well known address (for example, one of your own backbone
> addresses).
> 
> The degree of certainty that source address filtering and uRPF can
> provide is inversely proportional to the number of hops between the
> validating and originating devices. So, (although this might be
> anticipating solutions), the SAVA architecture will probably include a
> source address filtering/uRPF component that will be implemented by
> upstream routers, and a signature component, by which the upstream
> router notifies downstream routers that validation has (or has not)
> occurred.
> 
> Next, you ask what network resources are protected by SAVA. I think that
> the answer is the entire Internet, but especially the routers that are
> close to the validating nodes. This is because SAVA can identify all of
> the following classes of spoofed packets:
> 
> a) spoofed packets that are bound for routers (in the local or remote AS)
> b) spoofed packets that are bound for hosts, but cause router interfaces
> to congest.
> 
>                                      Ron
> 
> 
> 
> _______________________________________________
> SAVA mailing list
> [EMAIL PROTECTED]
> http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava


_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area