On Sep 21, 2006, at 2:09 PM, James Kempf wrote:
> Hmm, well sounds as if there may be a technical problem after all.
> First, an intrusion detection problem: does this stream of packets
> have forged source addresses? Then, a traceback problem: if so
> where do these packets originate from?
And the news in this statement is what, precisely?
Yes, people put bogus source addresses into packets. Barry indicates
that it is far less common than it once was, but someone else (name
escapes me and I'm too lazy to go find the email) noted that some attacks
depend on them doing so.
The ability to detect that the address was spoofed is roughly
inversely proportional to the distance from the spoofer. The first
hop router has some hope, in that it at least potentially has an ND
entry for the device. The second hop router can at most say that it
comes from a known LAN in the right general direction. The third ISP
downstream can MAYBE say that it comes from a prefix in its route
table, assuming that it has no default route or excludes that from
consideration.
Traceability is pretty tough. Any router should be able to say what
the previous router was (e.g., what MAC address/lambda/MPLS LSP/
whatever it received the datagram from) for any given datagram. Note
"should"; I can think of lots of reasons why the information may have
been discarded before the analysis of the IP header started. If the
router is an ISP/ISP router, it "should" therefore be able to say
what the previous ISP was. "should".
There are a bunch of SIGCOMM etc papers on statistical traceability
in IPv4. The fields they use didn't make it into IPv6.
I could imagine a new hop-by-hop option: "previous router". Some
router, perhaps the first hop router, ensures that the header is
there; it and each subsequent router writes one of their own IP
addresses into it, and if the next hop detects a problem it can be
used to unwind the issue. Interesting special cases apply: what if an
ISP uses a ULA for network management and link-local addresses for
routing? No router need have a public address except the BGP router,
and (Route Arbiter) that need not actually be a data path router. So
I'm trying to debug a packet and have only my neighboring ISP's ULA
or the link-local address to work with. Yes, one could use the
source-route option for this (same problem), but that's 128*20=320 extra
bytes per datagram. Seems a trifle excessive.
Anyone for the Evil Bit? Oh, yes, RFC 3514 uses the fragment offset
field of the IPv4 header.
Can someone please say something that hasn't been said a thousand
times before?
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
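The point above about spoof detection getting weaker with each hop (first-hop router has an ND entry, second hop only a prefix, a downstream ISP only a route-table match, and only if the default route is excluded), as an added example that is not part of the thread. The topology, prefixes, interface names and neighbour-cache contents are constructed for the illustration; the check is a plain longest-prefix-match / reverse-path check, not any particular vendor's uRPF implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    interface: str


def route(prefix: str, iface: str) -> Route:
    return Route(ipaddress.IPv6Network(prefix), iface)


class Router:
    """A forwarding table plus the source-address check a router can make from it."""

    def __init__(self, routes: Iterable[Route]):
        self.routes = list(routes)

    def lookup(self, addr: str, ignore_default: bool = True) -> Optional[Route]:
        """Longest-prefix match. With ignore_default=True, ::/0 is skipped so that
        a default route cannot vouch for arbitrary source addresses."""
        ip = ipaddress.IPv6Address(addr)
        best: Optional[Route] = None
        for r in self.routes:
            if ignore_default and r.prefix.prefixlen == 0:
                continue
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def source_plausible(self, src: str, ingress_if: str, mode: str = "strict",
                         ignore_default: bool = True) -> bool:
        """strict: the source must lie in a prefix we would route back out of the
        ingress interface. loose: the source merely has to appear in the table.
        Neither can see spoofing *within* a prefix that legitimately sits behind
        the ingress interface."""
        r = self.lookup(src, ignore_default)
        if r is None:
            return False
        if mode == "loose":
            return True
        return r.interface == ingress_if


def first_hop_plausible(src: str, src_mac: str, nd_cache: Dict[str, str]) -> bool:
    """First-hop router: the neighbour cache binds an IPv6 address to the
    link-layer address it was learned from, so an address/MAC mismatch is visible."""
    return nd_cache.get(str(ipaddress.IPv6Address(src))) == src_mac


# Constructed data: one host on the LAN 2001:db8:1:1::/64 behind the first hop.
ND_CACHE = {"2001:db8:1:1::10": "00:11:22:33:44:55"}

# Constructed second-hop / ISP edge router: the customer /48, a peer's /48,
# and a default route towards the upstream.
SECOND_HOP = Router([
    route("2001:db8:1::/48", "customer"),
    route("2001:db8:2::/48", "peer"),
    route("::/0", "upstream"),
])

if __name__ == "__main__":
    # first hop: address not in the neighbour cache for that MAC -> spoof is visible
    print(first_hop_plausible("2001:db8:1:1::99", "00:11:22:33:44:55", ND_CACHE))
    # second hop: same spoofed address is inside the customer prefix -> looks fine
    print(SECOND_HOP.source_plausible("2001:db8:1:1::99", "customer"))
    # a default route, if not excluded, vouches for anything arriving from upstream
    print(SECOND_HOP.source_plausible("2001:db8:9::1", "upstream", ignore_default=False))
```

The last call is the caveat from the message: with the default route counted, a downstream router cannot reject any source arriving from the upstream side, so the check has to exclude ::/0 (and then returns False for an address it has no specific route for, which is a different statement from "this is spoofed").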
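The "previous router" hop-by-hop option sketched above, as an added example that is not part of the thread or of any IETF specification. The option type value, the single-address layout and the per-hop overwrite are assumptions made for the illustration; the extension-header framing (Next Header, Hdr Ext Len in 8-octet units, Pad1/PadN) follows the standard IPv6 extension-header format. It also works out the size comparison against carrying one address per hop in a routing header, and flags the special case raised in the message: a stamp that is a link-local or ULA address is of little use to anyone but the neighbour that wrote it.

```python
import ipaddress
import struct

# Hypothetical option type (not an IANA assignment). The 0x20 bit marks the
# option data as "may change en route", which it does at every hop.
PREV_ROUTER_OPT = 0x3E
PADN = 1
NH_TCP = 6
ULA = ipaddress.IPv6Network("fc00::/7")


def build_hbh(next_header: int, first_router: str) -> bytes:
    """IPv6 Hop-by-Hop header carrying one 16-byte previous-router option,
    padded to a multiple of 8 octets as the extension-header format requires."""
    body = struct.pack("!BB", PREV_ROUTER_OPT, 16) + ipaddress.IPv6Address(first_router).packed
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += b"\x00"                                   # Pad1
    elif pad > 1:
        body += struct.pack("!BB", PADN, pad - 2) + b"\x00" * (pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1                # units of 8 octets, first 8 excluded
    return struct.pack("!BB", next_header, hdr_ext_len) + body


def find_option(hbh: bytes, opt_type: int) -> int:
    """Walk the option TLVs; return the offset of the option's data, or -1."""
    end = (hbh[1] + 1) * 8
    i = 2
    while i < end:
        t = hbh[i]
        if t == 0:                                        # Pad1 has no length byte
            i += 1
            continue
        length = hbh[i + 1]
        if t == opt_type:
            return i + 2
        i += 2 + length
    return -1


def previous_router(hbh: bytes) -> ipaddress.IPv6Address:
    off = find_option(hbh, PREV_ROUTER_OPT)
    if off < 0:
        raise ValueError("no previous-router option present")
    return ipaddress.IPv6Address(hbh[off:off + 16])


def stamp(hbh: bytes, my_addr: str):
    """Forwarding step: read who handed us the datagram (worth logging if we are
    about to complain about it), then overwrite the field with our own address."""
    off = find_option(hbh, PREV_ROUTER_OPT)
    if off < 0:
        raise ValueError("no previous-router option present")
    prev = ipaddress.IPv6Address(hbh[off:off + 16])
    return prev, hbh[:off] + ipaddress.IPv6Address(my_addr).packed + hbh[off + 16:]


def useful_off_link(addr: str) -> bool:
    """A link-local or ULA stamp only identifies a router to its direct neighbours."""
    a = ipaddress.IPv6Address(addr)
    return not (a.is_link_local or a in ULA)


def overhead_bytes(hops: int) -> dict:
    """Fixed cost of the single-address option versus a routing header that
    carries one 16-byte address per hop (8-byte fixed part plus 16 per address)."""
    return {"prev_router_option": len(build_hbh(NH_TCP, "::")),
            "source_route": 8 + 16 * hops}


if __name__ == "__main__":
    hbh = build_hbh(NH_TCP, "2001:db8::1")               # first hop inserts it
    prev, hbh = stamp(hbh, "2001:db8::2")                 # second hop overwrites
    print(prev, previous_router(hbh), useful_off_link("fe80::1"), overhead_bytes(20))
```

Note that the option only ever names the last hop, so unwinding a path means asking each router in turn what it logged; the routing-header alternative records every hop but at 16 bytes per hop, which is the 320 bytes the message objects to.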