Iljitsch, Mark,

Iljitsch, you wrote:

> In security, there are no prizes for "almost".
>
> I still don't know what this effort is supposed to accomplish. Can someone enlighten me?
>
> Is the problem that the communication between network equipment can be subverted with source address spoofing? As I wrote in a previous message, source address spoofing shouldn't be an issue when the communication is between two internal systems, and the only protocol network elements use toward the outside is BGP which has its own mechanisms to protect against attacks based on source address spoofing.
>
> What source address spoofing does is allow a third party to inject packets into the communication stream between two other systems. However, if these two systems use reasonable security practices (where reasonable can be as light-weight as using hard-to-guess initial sequence numbers and ephemeral port numbers for TCP sessions or as heavy-weight as full IPsec AH) then the only thing an attacker can do is some form of denial of service that is hard to filter out, either by overloading network links, buffers or processing capacity.
>
> I don't think anyone can reasonably argue that we can get the internet to a state where the source address is so trustworthy that it's possible to base any kind of security on it. That leaves the DoS issue, which was declared out of scope earlier. Ignoring that, most denial of service can also be done WITHOUT source address spoofing, so I don't see the point of herculean efforts to rid the internet completely of places where a user can spoof a source address. This just isn't going to work.
> ...
> Doing per-packet work to make per-session life easier is fundamentally the wrong approach. A sad example is port 25 filtering. 99.9% of all packets flowing over the internet are other protocols than SMTP. So installing port 25 filters to make life easier for mail servers that insist on using a protocol that takes everything it's told for true without any checks at all is completely backwards, especially as the power (processing and electricity wise) for all this filtering scales linearly or worse with the number of packets flowing over the internet, while improving SMTP scales order O(number of SMTP implementations).

In general I agree with the above. However, there is value in applying low-cost measures such as ingress filtering as a first layer of defense. Not the only defense, of course, but the existence of these measures makes attacks against other defenses harder, improves the ability to track down ill-behaving nodes, etc. But the crux of the matter is the part about the low cost.

This brings me to a question that I wanted to ask Mark -- you wrote:

> Indeed one of the goals of SAVA would be to significantly increase the incentive to apply source address filtering.

I think we all agree that government policies, industry self-regulation, etc. are all outside the scope for our work at IETF. So, presumably, we are talking about incentives that are of technical nature, advantages in new methods. Such as methods that simply work better, require less configuration, or provide more benefit to an early adopter than, say, ingress filtering. Do you have ideas on what such methods would be, or would the actual development effort be left to the WG? Any pointers to papers etc?

To be clear, I do not want to engage in a detailed discussion of any specific proposals. But I'd like to read about them, and understand where we are in terms of the technology -- do we need research first or do we already have some possible tools that we can use to build new standards.

--Jari

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
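As an added illustration of the low-cost ingress filtering discussed in this thread (example code, not part of the original post), the following Python models a strict reverse-path check on an ISP edge router: a packet is accepted only if its source address would be routed back out through the interface it arrived on. The routing table, interface names and sample packets are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed routing table for a small ISP edge router:
# prefix -> the interface through which that prefix is reached.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",
    ipaddress.ip_network("198.51.100.0/25"): "cust-b",
    ipaddress.ip_network("198.51.100.128/25"): "cust-c",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}


def reverse_path_interface(src: str) -> Optional[str]:
    """Longest-prefix match on the *source* address: the interface this
    router would use to send a reply back to src (None if unrouted)."""
    ip = ipaddress.ip_address(src)
    matches = [net for net in ROUTES if ip in net]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def strict_urpf_permits(src: str, ingress: str) -> bool:
    """Strict reverse-path check: accept only if the packet arrived on the
    interface its source address routes back to. An unrouted source yields
    None from the lookup and is therefore dropped as well."""
    return reverse_path_interface(src) == ingress


def filter_packets(packets):
    """Apply the check to (src, ingress) pairs; returns (src, ingress, verdict)."""
    return [(src, ingress, "permit" if strict_urpf_permits(src, ingress) else "drop")
            for src, ingress in packets]


# Constructed sample traffic: the two "drop" cases are the spoofed packets
# ingress filtering is meant to catch; the rest is legitimate.
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-a"),       # customer A using its own prefix
    ("198.51.100.200", "cust-a"),   # customer A spoofing customer C's address
    ("198.51.100.200", "cust-c"),   # customer C using its own prefix
    ("203.0.113.5", "upstream"),    # arbitrary Internet source via default route
    ("192.0.2.10", "upstream"),     # outside host spoofing customer A's address
]

if __name__ == "__main__":
    for src, ingress, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>16} on {ingress:<9} -> {verdict}")
```

Strict mode as modelled here assumes symmetric routing; on multihomed or asymmetric links real deployments fall back to a loose check (source merely routable) to avoid dropping legitimate traffic.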
