> 
> Hello Tyson.  I have a few questions on your I-D about "IPv6 packet
> staining".  Let me start with one that concerns security
> considerations.
> 
> In Section 7, the I-D mentions reputational algorithms for cyber
> intelligence and then it cautions implementers about unspecified
> hazards associated with the source of intelligence and the protection
> of the algorithms.
> 
> Where are the algorithms (mentioned in Section 7) to be applied? In
> the PMDs? At the end points? In a different location or element
> altogether?

Hi Ed,

The reputation algorithms used to derive reputation scores for staining within 
Destination Options (DOs) would reside in a security application or service 
distinct from the packet manipulation device (PMD) used to apply the DOs.  For 
instance, many security vendors currently have on-line repositories of 
intelligence available for query by their deployed products.  Their algorithms 
reside close to, or possibly within, these service-delivery-points on the 'net, 
NOT within the vendor products deployed in the field.

Similarly, the PMDs are probably not going to actually contain the algorithms 
used to obtain reputation scores from the correlation and aggregation of 
intelligence sources.  PMDs will, however, need to consume the finished 
intelligence in as close to a real-time manner as possible, so reputation 
stains are as accurate as possible.

Having said this, it is possible that a PMD vendor may elect to implement the 
algorithms within a PMD itself. For instance, for clients that need PMDs on the 
borders of different zones (for internal deployments), and want unique 
intelligence and reputation scores in each zone.

> 
> Thanks in advance,
> 
> Ed  J.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
