If something is not configurable, it IS essentially equivalent to a fiat in an analogous sense.
-----Original Message-----
From: Morrow, Glenn [RICH2:C330:EXCH]
Sent: Wednesday, April 18, 2001 2:38 PM
To: 'Edward Vielmetti'
Cc: 'Michael Thomas'; 'Thomas Eklund'; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: Source addresses, DDoS prevention and ingress filtering
If the standard mandates it - vendors must build it in the routing products just as they have to support ICMP etc.
-----Original Message-----
From: Morrow, Glenn [RICH2:C330:EXCH]
Sent: Wednesday, April 18, 2001 2:33 PM
To: 'Edward Vielmetti'
Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: Source addresses, DDoS prevention and ingress filtering
Definitely not for IPv4 due to its deployed base but perhaps it could be done for IPv6 - it is an idea - why not?
-----Original Message-----
From: Edward Vielmetti [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 18, 2001 12:41 PM
To: Morrow, Glenn [RICH2:C330:EXCH]
Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Subject: RE: Source addresses, DDoS prevention and ingress filtering
And you're going to mandate source filtering on the first hop across the
entire internet, how? It's a great idea and a best common practice but
not something that can be set by fiat.
Ed
On Wed, 18 Apr 2001, Glenn Morrow wrote:
> Then again if source filtering is mandated on the first hop this might
> eliminate the need to do filtering on other hops and this would eliminate
> the need to do subnet translation or tunneling by either the MN or the MR.
>
> -----Original Message-----
> From: Morrow, Glenn [RICH2:C330:EXCH]
> Sent: Wednesday, April 18, 2001 11:56 AM
> To: 'Michael Thomas'
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: Source addresses, DDoS prevention and ingress filtering
>
>
> Oh, I see what you were concerned about. It seems to me that an MR will have
> to tunnel or subnet translate unless it is on its home subnet.
>
> -----Original Message-----
> From: Michael Thomas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 18, 2001 9:49 AM
> To: Morrow, Glenn [RICH2:C330:EXCH]
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: Source addresses, DDoS prevention and ingress filtering
>
>
> Glenn Morrow writes:
> > If the node behind the MR obtained its home address from the mobile
> > router's subnet, then the MN will use this as the source i.e. the MN's
> > home subnet is the MR's subnet.
>
> Right, but when the MR's upstream router does an
> RPF check... it will drop the SN's packets.
>
> > Either way (tunneling or subnet translation), the topological correctness
> > is still maintained.
>
> Well, that's sort of the problem. The SN doesn't
> know that it's putting a topologically incorrect
> source address in the IP header.
>
> Mike
>
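The RPF behaviour discussed in this thread, as an added example that is not part of the original messages: a first-hop ingress filter applied to a packet from a node (SN) behind a mobile router (MR), forwarded unchanged, tunneled, or subnet-translated. The prefixes, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed topology using documentation prefixes (assumptions, not from the thread).
HOME = ipaddress.ip_network("2001:db8:a::/48")     # MR's home subnet; the SN's address comes from it
VISITED = ipaddress.ip_network("2001:db8:b::/48")  # subnet the MR attaches to while roaming


def ingress_permits(src, attached):
    """First-hop ingress filter / strict RPF: the source must belong to the
    prefix routed toward the interface the packet arrived on."""
    return ipaddress.ip_address(src) in attached


def translate(src, old, new):
    """Subnet translation: keep the host bits, swap the prefix (equal lengths only)."""
    if old.prefixlen != new.prefixlen:
        raise ValueError("prefix lengths must match")
    host_bits = int(ipaddress.ip_address(src)) & int(old.hostmask)
    return str(ipaddress.IPv6Address(int(new.network_address) | host_bits))


def send_via_mr(sn_src, attached, mode="native", care_of=None):
    """Return (source seen by the upstream router, accepted?) for one SN packet.

    native:    MR forwards the packet unchanged
    tunnel:    MR encapsulates; the outer source is its care-of address
    translate: MR rewrites the source prefix to the attached subnet
    """
    if mode == "native":
        seen = sn_src
    elif mode == "tunnel":
        if care_of is None:
            raise ValueError("tunnel mode needs the MR's care-of address")
        seen = care_of
    elif mode == "translate":
        seen = translate(sn_src, HOME, attached)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return seen, ingress_permits(seen, attached)


if __name__ == "__main__":
    sn = "2001:db8:a:1::10"  # constructed SN address taken from the MR's home subnet
    print("at home, native    ", send_via_mr(sn, HOME))
    print("roaming, native    ", send_via_mr(sn, VISITED))
    print("roaming, tunnel    ", send_via_mr(sn, VISITED, "tunnel", "2001:db8:b:5::1"))
    print("roaming, translate ", send_via_mr(sn, VISITED, "translate"))
```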
