I may be missing something. Maybe something important. But pretending
for the moment that I understand this discussion...

Fundamentally, if a subscriber DoS' himself, and denies himself service,
then he hurts himself. So?

Now, there do need to be ways that this is prevented from hurting the
rest of the system. But there are already specified rate limits.

Even for an enterprise, if a device within the enterprise DoS' the
enterprise, then the enterprise has to deal with it. One may want
additional protections, but they are largely a local, implementation,
matter.

There is one case that is, I think, important, but fairly easily dealt
with. There are Proxy ITRs in the system. Those end up accepting
traffic from wide ranges of sources for wide ranges of destinations
(depending upon which PITR deployment model you find useful.) Those
would seem to be vulnerable to DoS.

However, those are few, far between, and could reasonably be specialized
boxes. If they participate in the ALT, for example, they presumably can
finesse a number of the implications of scatter attacks via clever
implementation.

Yours,
Joel

On 7/18/2011 4:07 PM, Noel Chiappa wrote:
> From: Jeff Wheeler<[email protected]>
> any subscriber access platform, must be able to deal with the threat
> of DoS attacks.
I definitely agree with this, and I've been pondering it a bit over the
last couple of days. (BTW, do you foresee this being an issue for IPv4 and
IPv6, or 'mostly' an IPv6 issue, because of the very large address space?)