Jari Arkko wrote:
>
> But before we go too far in this question, let's
> discuss more about whether there is something
> still to be done for DoS prevention, and what.
> After finding out that, we could discuss how the
> work is organized. Right now, at least I'm uncertain
> if we have done everything and how sufficient is
> the work on the various WGs. Do some of Pekka's
> ideas to protect address autoconfiguration suffice
> for all of IPv6 signaling? Does i-trace solve all
> tracing issues?
I will try here to characterize, from a technical point
of view, which problems can be solved using the potential
solutions developed by the iTrace working group: (if I do
not explain clearly, please accept my appology and let me
know which points are not clear.)
In high level, iTrace tries to identify the approximate
location of a source (or sources) that generates a stream
of source-spoofed IP packets toward a particular
destination host or network. With the iTrace-backward
option, it can handle upto one layer of reflecting devices.
There is an inherent assumption that, in order to make
iTrace practically useful, the packet stream between the
source and destination must be big enough to get a
"reasonably" good probability. Examples are synflood and
DDoS. Counter-examples are smurf and TCPLand, because in
both cases, the attack stream is too small (one packet) to
get a good probability. On the other hand, realizing
iTrace forces attackers to give up many existing attack
options -- they have to perform smaller flow attacks or
launch from a much bigger number of slaves.
Second, iTrace is only for "identifying the sources." It
is not by itself a complete solution to resolve the whole
DDoS problem, for example. It, in some sense, offers a
"location information" service for other applications or
human administrators (or FBI). "How exactly such iTrace
information can be used in a real world environment"
should NOT be standardized in iTrace (because different
applications and situations might need different responses),
but some practical scenarios for utilizing iTrace should be
described in a document for applicability statements.
-Felix
--
----------------------------------------------------------------------
Dr. S. (Shyhtsun) Felix Wu [EMAIL PROTECTED]
Associate Professor http://www.cs.ucdavis.edu/~wu
Computer Science Department office: 1-530-754-7070
University of California at Davis fax: 1-530-752-4767
----------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
