I still don't get it. What is Sava?
> -----Original Message-----
> From: Ron Bonica [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 15, 2006 8:09 AM
> To: Fan Ye
> Cc: [EMAIL PROTECTED]; Pekka Savola; [EMAIL PROTECTED]; Jun Bi; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [SAVA] Re: [Int-area] Call For Participation and Interest: Source Address Validation Architecture (SAVA)
>
> Hi Fan,
>
> Ideally, SAVA would address all attacks that require the
> attacker to spoof its source address.
>
> Ron
>
>
> Fan Ye wrote:
> > Ron,
> >
> > Thanks for clarifying the problem. Then what kinds of threats does
> > SAVA plan to address? Attackers spoofing addresses may control
> > end-hosts (which is quite common and I guess SAVA should address),
> > sniff traffic at the edge or the core, or control routers at the
> > edge or the core. Is SAVA going to address all of them, or just a
> > subset?
> >
> > Thanks,
> > Fan
> >
> > [EMAIL PROTECTED] wrote on 09/14/2006 04:06:30 PM:
> >
> >>Pekka,
> >>
> >>You raise some very fundamental questions about SAVA. I will try to
> >>enumerate and answer them. If I get any of the answers wrong, I
> >>invite the SAVA contributors to step up and correct me.
> >>
> >>First, you ask what it means for a packet to have a "valid source
> >>address". It means that there is some degree of certainty that the
> >>packet originated at a site to which the address was assigned by a
> >>legitimate numbering authority. This is a much stronger statement
> >>than an alternative definition, which claims only that the packet is
> >>not spoofing some well-known address (for example, one of your own
> >>backbone addresses).
> >>
> >>The degree of certainty that source address filtering and uRPF can
> >>provide is inversely proportional to the number of hops between the
> >>validating and originating devices. So, (although this might be
> >>anticipating solutions), the SAVA architecture will probably include
> >>a source address filtering/uRPF component that will be implemented by
> >>upstream routers, and a signature component, by which the upstream
> >>router notifies downstream routers that validation has (or has not)
> >>occurred.
> >>
> >>Next, you ask what network resources are protected by SAVA. I think
> >>that the answer is the entire Internet, but especially the routers
> >>that are close to the validating nodes. This is because SAVA can
> >>identify all of the following classes of spoofed packets:
> >>
> >>a) spoofed packets that are bound for routers (in the local or
> >>remote AS)
> >>b) spoofed packets that are bound for hosts, but cause router
> >>interfaces to congest.
> >>
> >> Ron
> >>
> >>_______________________________________________
> >>SAVA mailing list
> >>[EMAIL PROTECTED]
> >>http://www.nrc.tsinghua.edu.cn/mailman/listinfo/sava
>
> _______________________________________________
> routing-discussion mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/routing-discussion

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
