I agree, and in fact using something like AAAv6 in combination with src
filtering is a good start to reduce the DoS attacks...

-- thomas

-----Original Message-----
From: Glenn Morrow
To: Edward Vielmetti
Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'
Sent: 2001-04-18 21:37
Subject: RE: Source addresses, DDoS prevention and ingress filtering

Definitely not for IPv4 due to its deployed base but perhaps it could be
done for IPv6 - it is an idea - why not? 

-----Original Message----- 
From: Edward Vielmetti [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 18, 2001 12:41 PM 
To: Morrow, Glenn [RICH2:C330:EXCH] 
Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]'; 
'[EMAIL PROTECTED]' 
Subject: RE: Source addresses, DDoS prevention and ingress filtering 


And you're going to mandate source filtering on the first hop across the
entire internet, how?  It's a great idea and a best common practice but
not something that can be set by fiat.

Ed 

On Wed, 18 Apr 2001, Glenn Morrow wrote: 

> Then again if source filtering is mandated on the first hop this might
> eliminate the need to do filtering on other hops and this would eliminate
> the need to do subnet translation or tunneling by either the MN or the MR.
> 
> -----Original Message----- 
> From: Morrow, Glenn [RICH2:C330:EXCH] 
> Sent: Wednesday, April 18, 2001 11:56 AM 
> To: 'Michael Thomas' 
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]'; 
> '[EMAIL PROTECTED]' 
> Subject: RE: Source addresses, DDoS prevention and ingress filtering 
> 
> 
> Oh, I see what you were concerned about. It seems to me that an MR will have
> to tunnel or subnet translate unless it is on its home subnet.
> 
> -----Original Message----- 
> From: Michael Thomas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 18, 2001 9:49 AM 
> To: Morrow, Glenn [RICH2:C330:EXCH] 
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]'; 
> '[EMAIL PROTECTED]' 
> Subject: RE: Source addresses, DDoS prevention and ingress filtering 
> 
> 
> Glenn Morrow writes: 
>  > If the node behind the MR obtained its home address from the mobile
>  > router's subnet, then the MN will use this as the source i.e. the MN's
>  > home subnet is the MR's subnet.
> 
>    Right, but when the MR's upstream router does an 
>    RPF check... it will drop the SN's packets. 
> 
>  > Either way (tunneling or subnet translation), the topological correctness
>  > is still maintained.
> 
>    Well, that's sort of the problem. The SN doesn't 
>    know that it's putting topologically incorrect 
>    source address in the IP header. 
> 
>                 Mike 
> 
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
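
The RPF drop described in the thread above, and why tunneling or subnet translation by the MR avoids it, as an added example that is not part of the original messages. The prefixes, interface names and helper functions are constructed for illustration, and the upstream router's check is assumed to be strict RPF.

```python
import ipaddress

# Constructed routes on the MR's upstream router (documentation prefixes):
# prefix -> interface the router would use to reach that prefix.
ROUTES = {
    "2001:db8:a::/48": "if-visited",  # link the MR is currently attached to
    "2001:db8:b::/48": "if-core",     # MR's home subnet, elsewhere in the topology
    "::/0": "if-core",
}

def reverse_path_interface(src):
    """Longest-prefix match on the packet's source address."""
    addr = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def rpf_accepts(src, arrival_if):
    """Strict RPF: accept only if the route back to src uses the arrival interface."""
    return reverse_path_interface(src) == arrival_if

def tunnel(packet, mr_visited_addr):
    """MR encapsulates: the outer source is its own address on the visited link."""
    return {"src": mr_visited_addr, "dst": packet["dst"], "inner": packet}

def translate(packet, home_prefix, visited_prefix):
    """Subnet translation: swap the home prefix for the visited one, keep host bits."""
    home = ipaddress.ip_network(home_prefix)
    visited = ipaddress.ip_network(visited_prefix)
    host_bits = int(ipaddress.ip_address(packet["src"])) & int(home.hostmask)
    new_src = ipaddress.ip_address(int(visited.network_address) | host_bits)
    return {**packet, "src": str(new_src)}

# Constructed packet from the SN, sourced from its address in the MR's home subnet.
SN_PACKET = {"src": "2001:db8:b:1::10", "dst": "2001:db8:ffff::1"}

def demo():
    on_wire = {
        "as sent by SN": SN_PACKET,
        "tunneled by MR": tunnel(SN_PACKET, "2001:db8:a:1::1"),
        "subnet translated": translate(SN_PACKET, "2001:db8:b::/48", "2001:db8:a::/48"),
    }
    return {case: rpf_accepts(p["src"], "if-visited") for case, p in on_wire.items()}

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'forwarded' if ok else 'dropped by RPF'}")
```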
