> > |But, the mapping system gives the ETR a means for determining the set
> > |of RLOCs from which packets that use specific EIDs may originate.
>
> Do you seriously think that an ETR is going to verify the
> source EID against the source RLOC?
>
> Even after significant efforts today, we can't get source
> address anti-spoof filtering implemented to a significant extent.

Actually, as a point of fact, we have. We've got 75-80% coverage, based on studies presented at the *NOG forums. That's significant. It has dropped spoofed attacks from 50%+ of total attacks to less than 5% of total attacks, IIRC. It's MUCH easier today to just own a few tens of thousands of hosts and not to bother spoofing.

I don't see why we can't enforce anti-spoofing on encap, since it requires a mapping to be in place. And we can on decap easily where the traffic is symmetrical (that is, there is a mapping for the source RLOC/EID pair).

-Darrel

_______________________________________________
rrg mailing list
[email protected]
https://www.irtf.org/mailman/listinfo/rrg
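
The decap-side check discussed in the message above, sketched as an added example (not part of the original thread and not code from any router implementation): the ETR looks up the inner source EID in its map-cache by longest-prefix match and compares the outer source RLOC with that mapping's locator set. The class and function names, the three-way verdict and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
from enum import Enum

class Verdict(Enum):
    ACCEPT = "accept"          # outer source RLOC is a locator for the inner source EID
    DROP = "drop"              # mapping exists, but this RLOC is not in its locator set
    UNVERIFIED = "unverified"  # no mapping for the source EID, nothing to check against

class MapCache:
    """EID-prefix -> RLOC-set table with longest-prefix match (constructed model)."""
    def __init__(self):
        self._entries = {}  # ip_network -> frozenset of ip_address

    def add(self, eid_prefix, rlocs):
        net = ipaddress.ip_network(eid_prefix)
        self._entries[net] = frozenset(ipaddress.ip_address(r) for r in rlocs)

    def lookup(self, eid):
        addr = ipaddress.ip_address(eid)
        hits = [n for n in self._entries if n.version == addr.version and addr in n]
        if not hits:
            return None
        # The most specific EID-prefix wins, as in ordinary route lookup.
        return self._entries[max(hits, key=lambda n: n.prefixlen)]

def check_decap(cache, outer_src_rloc, inner_src_eid):
    """Verify the source RLOC/EID pair of an encapsulated packet at decap time."""
    rlocs = cache.lookup(inner_src_eid)
    if rlocs is None:
        return Verdict.UNVERIFIED  # asymmetric case: no mapping for the source EID
    if ipaddress.ip_address(outer_src_rloc) in rlocs:
        return Verdict.ACCEPT
    return Verdict.DROP

# Constructed sample mappings and packets (documentation address ranges).
CACHE = MapCache()
CACHE.add("192.0.2.0/24", ["203.0.113.1"])
CACHE.add("192.0.2.128/25", ["203.0.113.2"])
SAMPLES = [  # (outer source RLOC, inner source EID)
    ("203.0.113.1", "192.0.2.10"),
    ("203.0.113.1", "192.0.2.200"),
    ("203.0.113.2", "192.0.2.200"),
    ("203.0.113.1", "198.51.100.7"),
]

def run_samples():
    return [check_decap(CACHE, rloc, eid) for rloc, eid in SAMPLES]

if __name__ == "__main__":
    for (rloc, eid), verdict in zip(SAMPLES, run_samples()):
        print(f"outer src {rloc:<13} inner src {eid:<13} -> {verdict.value}")
```

What to do with an `UNVERIFIED` packet (forward, rate-limit, or trigger a map lookup) is a local policy choice that this sketch leaves open.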
