Pekka Savola writes:
> On Fri, 18 Jan 2002, Jari Arkko wrote:
> > > I looked at a lot of stuff, but that's the only one I saw,
> > > even though it can be dressed up in different ways.
> > > What else is there?
> >
> > I think you are right Charlie, that is the only downside.
> > (There's a bunch of other downsides related to fixing
> > with AAA the hole HAO leaves in ingress filtering, but
> > that's another issue.)
> >
> > The primary danger of unconstrained HAO is having even a small
> > number of attackers spoof HAOs and use a large
> > number of CNs as reflectors to attack a specific
> > target even if your network has ingress filtering.
> > Basically, it voids ingress filtering.
> [snip]
>
> There is a downside: destination site's filtering ("spoofing protection"
> from the direction of the Internet) is nullified!

Thank you. That was exactly what my point was.
It's not just the reflector attack; the HAO
nullifies all of the ingress filtering present
on the net right now. That is distinctly worse
than the status quo.

Mike
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
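
Added example (not part of the original thread): a sketch of the destination-site case raised above, where a border filter that checks only the IPv6 source address accepts a packet whose Home Address option (HAO) names an inside host, while a filter that also parses the Destination Options header drops it. The site prefix, the addresses, the function names and the sample packet are assumptions constructed for illustration; Fragment headers are not handled.

```python
import ipaddress
import struct

HAO_TYPE = 0xC9      # Home Address destination option (type 201)
NH_DSTOPTS = 60      # Destination Options extension header
INSIDE = ipaddress.ip_network("2001:db8:aaaa::/48")  # assumed site prefix

def build_packet(src, hao=None):
    """Constructed sample: IPv6 header, optionally followed by an HAO."""
    ext = b""
    if hao is not None:
        # next header 59 (none), ext len 2 (24 bytes), PadN(2) so the HAO sits at 8n+6
        ext = bytes([59, 2, 1, 2, 0, 0, HAO_TYPE, 16]) + ipaddress.ip_address(hao).packed
    first = struct.pack("!IHBB", 6 << 28, len(ext), NH_DSTOPTS if ext else 59, 64)
    return first + ipaddress.ip_address(src).packed + INSIDE[1].packed + ext

def find_hao(pkt):
    """Return (outer source address, HAO home address or None)."""
    src = ipaddress.ip_address(pkt[8:24])
    nh, off = pkt[6], 40
    while nh in (0, 43, NH_DSTOPTS) and off + 2 <= len(pkt):  # hop-by-hop, routing, dest opts
        hdr_len = (pkt[off + 1] + 1) * 8
        if nh == NH_DSTOPTS:
            i, end = off + 2, min(off + hdr_len, len(pkt))
            while i + 2 <= end:
                if pkt[i] == 0:          # Pad1 has no length byte
                    i += 1
                    continue
                olen = pkt[i + 1]
                if pkt[i] == HAO_TYPE and olen == 16 and i + 18 <= end:
                    return src, ipaddress.ip_address(pkt[i + 2:i + 18])
                i += 2 + olen
        nh, off = pkt[off], off + hdr_len
    return src, None

def classic_filter(pkt):
    """Border anti-spoofing on the outer source only. True means accept."""
    src, _ = find_hao(pkt)
    return src not in INSIDE

def hao_aware_filter(pkt):
    """Also reject outside packets whose HAO claims an inside address."""
    src, hao = find_hao(pkt)
    return src not in INSIDE and (hao is None or hao not in INSIDE)
```

The HAO-aware check also drops traffic from the site's own mobile nodes while they are away from home, so it trades mobility for the spoofing protection.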