I tailed down ipv6 from the Cc:.

On Tue, 12 Sep 2006, Mark Williams wrote:
> A document repository for drafts and other documents is available at:
> http://narl.tsinghua.edu.cn/sava/

Could the drafts be posted to [EMAIL PROTECTED] as well? Currently I see none (with 'sava' search).

A few comments on the introduction/problem statement below. There is need to make the statement a bit more explicit.

> Ingress filtering is definitely to be recommended, and uRPF filtering certainly does have its uses, but, at least in the current state of the Internet, they are insufficient as a protection for the routing infrastructure.

You should clarify what you mean by 'protection for the routing infrastructure'. What are you protecting against? What do you mean by 'protect'? What do you mean by 'routing infrastructure' -- all routers in the internet, or just the router in a particular service provider's network?

If this refers to ensuring that your own routing infrastructure is secure, I argue this can already be achieved by appropriate edge filtering at your own borders. See draft-savola-rtgwg-backbone-attacks-02.txt and OPSEC WG documents for more.

On the other hand, if this refers to generic routing infrastructure security, it isn't obvious how a source address validation proposal would significantly improve the current situation.

> a) Ingress filtering works, but it only works if all, or at least the vast majority of ingress points apply ingress filtering. As can be seen in the Internet today, even when 25% of the Internet is unsecured, those elements that want access to "spoofable" connections simply move their connection to unsecured attachment points.

It is not clear what you mean by 'works'. You can protect your own infrastructure just fine by applying the protection at all of _your_ borders. In most scenarios, that's sufficient, and could be phrased as "works". Or do you have "every packet that enters your network has a provably correct source address" as a goal here?

> b) uRPF does not work well in places where asymmetric routing happens. This constitutes a large part of the Internet.

This is a common misconception. Maybe you haven't seen RFC 3704 (BCP 84) which describes how to do it. For more detail, also look at draft-savola-bcp84-urpf-experiences-01.txt.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
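To make the point (b) exchange concrete, here is an added example (not from the thread, the draft, or RFC 3704 itself) that simulates the strict and feasible-path uRPF checks BCP 84 describes against a constructed routing table. Prefixes, interface names and metrics are made up; the default route is treated as never satisfying the check, which is the usual behaviour unless explicitly allowed.

```python
# Added example: strict vs. feasible-path uRPF over a constructed RIB,
# showing why an asymmetric return path fails strict mode but passes
# feasible-path mode (RFC 3704 / BCP 84).
import ipaddress

# Constructed RIB: prefix -> list of (egress interface, metric).
# The lowest metric is the active route; the others are feasible
# alternatives that the router knows about but does not prefer.
RIB = {
    "192.0.2.0/24": [("ge-0/0/1", 10), ("ge-0/0/2", 20)],
    "198.51.100.0/24": [("ge-0/0/2", 10)],
    "0.0.0.0/0": [("ge-0/0/0", 100)],
}


def longest_match(src):
    """Return (network, routes) for the most specific prefix covering src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, routes in RIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, routes)
    return best


def urpf_strict(src, ingress_iface):
    """Strict uRPF: accept only if the *active* route back to the source
    points out the interface the packet arrived on."""
    match = longest_match(src)
    if match is None or match[0].prefixlen == 0:  # no route, or default only
        return False
    best_iface = min(match[1], key=lambda r: r[1])[0]
    return best_iface == ingress_iface


def urpf_feasible(src, ingress_iface):
    """Feasible-path uRPF: accept if *any* feasible route to the source
    (active or alternative) points out the ingress interface. This is what
    lets uRPF tolerate asymmetric routing between multiple links."""
    match = longest_match(src)
    if match is None or match[0].prefixlen == 0:
        return False
    return any(iface == ingress_iface for iface, _ in match[1])
```

A packet from 192.0.2.0/24 arriving on ge-0/0/2 (the alternate, non-preferred link) is dropped by strict mode but accepted by feasible-path mode, while a source covered only by the default route is dropped by both.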

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
