Title: RE: Source addresses, DDoS prevention and ingress filtering

Then again if source filtering is mandated on the first hop this might eliminate the need to do filtering on other hops and this would eliminate the need to do subnet translation or tunneling by either the MN or the MR.

-----Original Message-----
From: Morrow, Glenn [RICH2:C330:EXCH]
Sent: Wednesday, April 18, 2001 11:56 AM
To: 'Michael Thomas'
Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: Source addresses, DDoS prevention and ingress filtering


Oh, I see what you were concerned about. It seems to me that an MR will have to tunnel or subnet translate unless it is on its home subnet.

-----Original Message-----
From: Michael Thomas [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 18, 2001 9:49 AM
To: Morrow, Glenn [RICH2:C330:EXCH]
Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: Source addresses, DDoS prevention and ingress filtering


Glenn Morrow writes:
 > If the node behind the MR obtained its home address from the mobile
 > router's subnet, then the MN will use this as the source i.e. the MN's home
 > subnet is the MR's subnet.

   Right, but when the MR's upstream router does an
   RPF check... it will drop the SN's packets.

 > Either way (tunneling or subnet translation), the topological correctness is
 > still maintained.

   Well, that's sort of the problem. The SN doesn't
   know that it's putting a topologically incorrect
   source address in the IP header.

                  Mike

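The RPF drop discussed in this thread, and the effect of tunneling or subnet translation at the MR, as an added example that is not part of the original messages. The prefixes, interface names and helper functions are constructed for illustration; the upstream router is assumed to run a strict RPF check against its own routing table.

```python
import ipaddress

# Constructed topology (documentation prefixes, not from the thread).
# FIB of the MR's upstream router on the visited link: prefix -> interface.
FIB = {
    ipaddress.ip_network("2001:db8:a::/48"): "if-visited",  # link the MR is attached to
    ipaddress.ip_network("2001:db8:b::/48"): "if-core",     # MR's home subnet, reached via the core
    ipaddress.ip_network("::/0"): "if-core",
}
VISITED_SUBNET = ipaddress.ip_network("2001:db8:a:1::/64")  # assumed subnet used for translation
CARE_OF = "2001:db8:a::100"                                 # assumed MR address on the visited link


def best_route(addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    matches = [net for net in FIB if addr in net]
    return FIB[max(matches, key=lambda net: net.prefixlen)]


def strict_rpf_accepts(src, in_iface):
    """Strict RPF: accept only if the route back to src points out the arrival interface."""
    return best_route(src) == in_iface


def source_seen_upstream(inner_src, mode):
    """Source address the upstream router sees for a packet from a node behind the MR."""
    if mode == "native":      # MR forwards unchanged: home-subnet source on a foreign link
        return inner_src
    if mode == "tunnel":      # MR encapsulates: outer source is its address on the visited link
        return CARE_OF
    if mode == "translate":   # MR rewrites the prefix, keeping the low 64 bits
        iid = int(ipaddress.IPv6Address(inner_src)) & ((1 << 64) - 1)
        return str(ipaddress.IPv6Address(int(VISITED_SUBNET.network_address) | iid))
    raise ValueError(f"unknown mode: {mode}")


def rpf_verdicts(inner_src="2001:db8:b:1::25"):
    """Verdict of the upstream RPF check for each MR forwarding mode."""
    return {
        mode: strict_rpf_accepts(source_seen_upstream(inner_src, mode), "if-visited")
        for mode in ("native", "tunnel", "translate")
    }


if __name__ == "__main__":
    for mode, ok in rpf_verdicts().items():
        print(f"{mode:9s} -> {'forwarded' if ok else 'dropped by RPF'}")
```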