On 18-sep-2006, at 22:29, Ron Bonica wrote:
> The SAVA WG seeks to develop some mechanism by which network equipment
> can determine the degree of trust that it places in the validity of a
> packet's source address. Having determined that level of trust, the
> network will forward the packet as per its security policy. The
> following is an example of a security policy that relies upon source
> address validation:
Ah, ok, now we're getting somewhere.
The problem is that this approach has limited utility: it depends on
being able to know whether a packet is desired based on the source
address. In situations where a very limited number of correspondents
are allowed this will be useful (i.e., in a routing protocol) but as
a general purpose mechanism it's not really helpful: a WWW server
doesn't have a list of addresses of approved clients.
A more general approach would be to create a mechanism that allows
recognizing packets that belong to approved sessions. This can be
because the session is towards an approved correspondent, which is
easy to determine with a return routability check, or it can be after
higher-layer authentication/authorization.
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
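As an added illustration (not part of the thread), a small Python model of the two approaches the reply contrasts: a fixed source-address allowlist, which works for a small known peer set such as routing-protocol neighbours, beside a stateless return routability check that only accepts a sender able to receive at the address it claims. All addresses and the network map are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Approach 1: trust decided purely from the source address. Workable where the
# set of legitimate correspondents is small and known (constructed peers).
APPROVED_PEERS = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.2")}

def accept_by_source(src: str) -> bool:
    """Accept a packet only if its source address is an approved peer."""
    return ipaddress.ip_address(src) in APPROVED_PEERS

# Approach 2: return routability. The server sends a challenge token to the
# claimed source address; only a host that actually receives at that address
# can echo it back. Tokens are HMAC(key, address), so the server keeps no
# per-client state (the same idea as TCP SYN cookies).
class ReturnRoutabilityServer:
    def __init__(self, network: dict, key: bytes = b""):
        self.network = network                     # address -> inbox (constructed)
        self.key = key or secrets.token_bytes(32)

    def _token(self, addr: str) -> str:
        canon = str(ipaddress.ip_address(addr)).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def challenge(self, claimed_src: str) -> None:
        """Deliver the token to wherever the network routes the claimed source."""
        inbox = self.network.get(claimed_src)
        if inbox is not None:
            inbox.append(self._token(claimed_src))

    def verify(self, claimed_src: str, token: str) -> bool:
        return hmac.compare_digest(self._token(claimed_src), token)

def demo() -> dict:
    # Constructed network: the spoofer owns 203.0.113.9 but claims 198.51.100.7,
    # so the challenge is routed to the real owner and never reaches the spoofer.
    network = {"198.51.100.7": [], "203.0.113.9": []}
    server = ReturnRoutabilityServer(network)

    server.challenge("198.51.100.7")                      # honest client
    honest_ok = server.verify("198.51.100.7", network["198.51.100.7"].pop())

    server.challenge("198.51.100.7")                      # spoofer claims same address
    spoofer_ok = (bool(network["203.0.113.9"])            # spoofer's inbox stays empty
                  and server.verify("198.51.100.7", network["203.0.113.9"].pop()))
    return {"honest": honest_ok, "spoofer": spoofer_ok,
            "peer_policy": accept_by_source("192.0.2.1"),
            "web_client": accept_by_source("198.51.100.7")}
```

The last two dict entries show the reply's point: the allowlist accepts the known peer but has no basis for deciding about an arbitrary client, whereas the routability check gives an answer for any address.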