Pekka Savola writes:
> On Fri, 18 Jan 2002, Jari Arkko wrote:
> > > I looked at a lot of stuff, but that's the only one I saw,
> > > even though it can be dressed up in different ways.
> > > What else is there?
> >
> > I think you are right Charlie, that is the only downside.
> > (There's a bunch of other downsides related to fixing
> > with AAA the hole HAO leaves in ingress filtering, but
> > that's another issue.)
> >
> > The primary danger of unconstrained HAO is having even a small
> > number of attackers spoof HAOs and use a large
> > number of CNs as reflectors to attack a specific
> > target even if your network has ingress filtering.
> > Basically, it voids ingress filtering.
> [snip]
>
> There is a downside: destination site's filtering ("spoofing protection"
> from the direction of the Internet) is nullified!

Thank you. That was exactly what my point was. It's not just
the reflector attack; the HAO nullifies all of the ingress
filtering present on the net right now. That is distinctly
worse than the status quo.

Mike
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
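
The destination-site filtering point from the thread, as an added example that is not part of the original messages: a border filter that inspects only the IPv6 header source accepts a packet whose Home Address option claims an inside address, while a filter that also checks the option drops it. The option layout (type 201, 16-byte home address, as in the later Mobile IPv6 specification RFC 6275), the documentation prefixes and all function names are assumptions made for this sketch.

```python
import ipaddress
import struct

NH_DSTOPTS = 60   # IPv6 Destination Options extension header
OPT_HAO = 0xC9    # Home Address option, type 201 (assumed per RFC 6275)

def parse_sources(pkt: bytes):
    """Return (header source, home address or None) from a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    if pkt[6] != NH_DSTOPTS:          # only a leading dest-opts header is handled
        return src, None
    if len(pkt) < 42 or len(pkt) < 40 + (pkt[41] + 1) * 8:
        raise ValueError("truncated destination options header")
    opts = pkt[42:40 + (pkt[41] + 1) * 8]
    i = 0
    while i < len(opts):
        if opts[i] == 0:              # Pad1 is a single byte with no length
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("option overruns header")
        olen = opts[i + 1]
        if opts[i] == OPT_HAO:
            if olen < 16:
                raise ValueError("short Home Address option")
            return src, ipaddress.IPv6Address(opts[i + 2:i + 18])
        i += 2 + olen
    return src, None

def border_filter(pkt: bytes, site_prefix, check_hao: bool) -> str:
    """Anti-spoofing at the site border: drop outside packets claiming an inside source."""
    src, hao = parse_sources(pkt)
    claimed = [src] + ([hao] if check_hao and hao is not None else [])
    return "drop" if any(a in site_prefix for a in claimed) else "accept"

def build_sample(src: str, dst: str, home: str) -> bytes:
    """Constructed test packet: IPv6 header + dest-opts (PadN, HAO), no payload."""
    ext = bytes([59, 2, 1, 2, 0, 0, OPT_HAO, 16]) + ipaddress.IPv6Address(home).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(ext), NH_DSTOPTS, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext

SITE = ipaddress.IPv6Network("2001:db8:a::/48")   # constructed destination site
# Header source is outside the site; the home address claims to be inside it.
SAMPLE = build_sample("2001:db8:ffff::1", "2001:db8:a::10", "2001:db8:a::99")

if __name__ == "__main__":
    print("header-only filter:", border_filter(SAMPLE, SITE, check_hao=False))
    print("HAO-aware filter:  ", border_filter(SAMPLE, SITE, check_hao=True))
```
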