In your previous mail you wrote:

   >    I don't think it matters whether the acronym for this
   >    infrastructure was PKI, DNS, or AAA?
   > => I agree but it is not forbidden to take advantage of it, only to rely
   > on it. As we don't rely on ingress filtering for defense against DDoS,
   > I can't see a problem to propose to use AAA in order to improve ingress
   > filtering.
=> I should have added that there are two possible improvements to ingress
filtering: network access control and full AAA. The first one keeps the
status quo, the second gives more.

   Yes, it's no problem to improve something. However, improving ingress
   filtering with AAA is not the *whole* picture of what we are doing. You
   have to remember that by introducing HAO our first step is punching a
   mile wide hole to the ingress filtering system. And, in fact, you
   are not improving things by having a smart treatment of the HAO -- you're
   basically keeping the status quo that we already have with v4.

=> this is about (any kind of) network access control.

   So, in some areas that have both ingress filtering and AAA, you may keep
   the current status, if the AAA fix to ingress filtering is deployed fast
   enough. However, in other areas you are nuking an existing security measure
   some people are using. In this sense you are relying on AAA all over the place,

=> please replace AAA by network access control.

   just to keep things as they were before.

=> I don't see a problem: we do *not* have ingress filtering performed
everywhere today. We don't need an absolute solution, we need only to
make HAO spoofing unattractive enough, as we needed to make source
address spoofing unattractive enough...


IETF IPng Working Group Mailing List