In message <[EMAIL PROTECTED]>, "Brian Haberman" writes:
>>
>> Yup. But since I'm far from convinced of the feasibility of those
>> solutions, I chose to propose ICMP Traceback as the preferred
>> mechanism. The first such scheme, by Savage et al., seems to have too
>> high a computational complexity, as shown by Song and Perrig. Song and
>> Perrig have their own, much more efficient scheme, but it requires good
>> knowledge of Internet topology, and I'm not convinced that that would
>> be forthcoming. All such schemes suffer from a lack of a place to do
>> the marking -- using the ID field breaks fragmentation and AH, there's
>> no place in the v6 header except maybe the flow label, etc.
>
>For IPv6, you could define a new extension header (hop-by-hop option).
>
Yes, but unless the attacker(s)'s packets used it, how would you mark
them? Even apart from considerations of the load on the routers, I'm
reliably informed that anyone who builds a v6 router that inserts
headers into transit packets will incur the Curse of Deering...
--Steve Bellovin, http://www.research.att.com/~smb
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
--------------------------------------------------------------------