On Fri, 15 Sep 2006, Fred Baker wrote:
...
> You can add other fences, but if the first
> hop router applies this rule, then you should cover a huge percentage of your
> cases.
>
> Note that this does not imply a problem with privacy addresses or changing
> addresses - a system can be a neighbor to the router as many times as it
> likes.

It seems that one of the goals of SAVA was to be able to differentiate
(in another AS) whether an address was spoofed or not, i.e., the
first-hop router is not trusted to perform spoofing prevention.

The above approach is not much different from (other) uRPF-like
techniques, and at least on its own would maybe be better classified
as a more advanced last-hop uRPF implementation technique.

FWIW, having correctness proofs of each address also has a high chance of
having numerous privacy concerns which I don't think I've seen
considered so far.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings