Remember, DOS attacks are going to also come from hosts that have been
broken into and compromised at the root level.  So you will get attacks
sourced from systems that can use all of the privileges and rights that
legit users of that system will have.  Network filters do not protect from
host compromise.

all your base are belong to us,

Ed

On Thu, 19 Apr 2001, Thomas Eklund wrote:

>  I agree, and in fact using something like AAAv6 in combination with src
> filtering is a good start to reduce the DoS attacks...
> 
> -- thomas
> 
> -----Original Message-----
> From: Glenn Morrow
> To: Edward Vielmetti
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Sent: 2001-04-18 21:37
> Subject: RE: Source addresses, DDoS prevention and ingress filtering
> 
> Definitely not for IPv4 due to its deployed base but perhaps it could be
> done for IPv6 - it is an idea - why not? 
> 
> -----Original Message----- 
> From: Edward Vielmetti [ mailto:[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> ] 
> Sent: Wednesday, April 18, 2001 12:41 PM 
> To: Morrow, Glenn [RICH2:C330:EXCH] 
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]'; 
> '[EMAIL PROTECTED]' 
> Subject: RE: Source addresses, DDoS prevention and ingress filtering 
> 
> 
> And you're going to mandate source filtering on the first hop across the
> entire internet, how?  It's a great idea and a best common practice but
> not something that can be set by fiat.
> 
> Ed 
> 
> On Wed, 18 Apr 2001, Glenn Morrow wrote: 
> 
> > Then again if source filtering is mandated on the first hop this might
> > eliminate the need to do filtering on other hops and this would eliminate
> > the need to do subnet translation or tunneling by either the MN or the MR.
> > 
> > -----Original Message----- 
> > From: Morrow, Glenn [RICH2:C330:EXCH] 
> > Sent: Wednesday, April 18, 2001 11:56 AM 
> > To: 'Michael Thomas' 
> > Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]'; 
> > '[EMAIL PROTECTED]' 
> > Subject: RE: Source addresses, DDoS prevention and ingress filtering 
> > 
> > 
> > Oh, I see what you were concerned about. It seems to me that an MR will
> > have to tunnel or subnet translate unless it is on its home subnet.
> > 
> > -----Original Message----- 
> > From: Michael Thomas [ mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] 
> > Sent: Wednesday, April 18, 2001 9:49 AM 
> > To: Morrow, Glenn [RICH2:C330:EXCH] 
> > Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]'; 
> > '[EMAIL PROTECTED]' 
> > Subject: RE: Source addresses, DDoS prevention and ingress filtering 
> > 
> > 
> > Glenn Morrow writes: 
> >  > If the node behind the MR obtained its home address from the mobile
> >  > router's subnet, then the MN will use this as the source i.e. the MN's
> >  > home subnet is the MR's subnet.
> > 
> >    Right, but when the MR's upstream router does an 
> >    RPF check... it will drop the SN's packets. 
> > 
> >  > Either way (tunneling or subnet translation), the topological
> >  > correctness is still maintained.
> > 
> >    Well, that's sort of the problem. The SN doesn't 
> >    know that it's putting topologically incorrect 
> >    source address in the IP header. 
> > 
> >                 Mike 
> > 
> 


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
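As an added illustration that is not part of the thread, the following strict unicast RPF check runs over a constructed upstream-router topology (interface names and 2001:db8:: prefixes are assumptions). It shows both points made above: the MN's home-subnet source address arriving through the visited network fails the RPF check, while a compromised host that uses its own, topologically correct address passes it unchanged.

```python
import ipaddress

# Constructed routing table for the MR's upstream router (assumption:
# interface names and prefixes are illustrative, not taken from the thread).
ROUTES = {
    "2001:db8:a::/48": "eth0",   # route toward the mobile router's home network
    "2001:db8:b::/48": "eth1",   # visited network the MR is currently attached to
    "::/0":            "eth2",   # default route toward the rest of the internet
}

def best_route(addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def strict_urpf_accept(src, ingress_if):
    """Strict uRPF: accept only if the best route back to src points out the
    interface the packet arrived on (i.e. the source is topologically correct)."""
    return best_route(src) == ingress_if

def filter_packets(packets):
    """packets: list of (src, ingress_if, note); returns [(note, verdict), ...]."""
    return [(note, "accept" if strict_urpf_accept(src, inf) else "drop")
            for src, inf, note in packets]

# Constructed sample traffic, all arriving from the visited network on eth1.
PACKETS = [
    # MN behind the MR keeps its home-subnet address as source: dropped by RPF.
    ("2001:db8:a::10", "eth1", "MN home address sent via visited network"),
    # After the MR tunnels, the outer source is the MR's care-of address.
    ("2001:db8:b::1",  "eth1", "MR care-of address (tunnel outer header)"),
    # Plain spoofing of an unrelated prefix is caught by ingress filtering.
    ("2001:db8:c::5",  "eth1", "spoofed source from an unrelated prefix"),
    # A root-compromised host on the visited network sends with its own
    # legitimate address: the filter cannot distinguish it from normal traffic.
    ("2001:db8:b::77", "eth1", "compromised host using its own address"),
]

if __name__ == "__main__":
    for note, verdict in filter_packets(PACKETS):
        print(f"{verdict:7} {note}")
```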
