On 2010-09-11 12:24, Mark Smith wrote:
> On Fri, 10 Sep 2010 07:34:42 +0200 (CEST)
> Mikael Abrahamsson <swm...@swm.pp.se> wrote:
> 
>> On Fri, 10 Sep 2010, Brian E Carpenter wrote:
>>
>>>> I'm sure there are a lot in the IETF that agree with you that they
>>>> don't understand why it's a problem, because the IETF has historically
>>>> been totally uninterested in security in development.
>>> That really hasn't been true for many years now. But as you said yourself
>>> a few hours later:
>> I guess we can agree to disagree. Considering SAVI isn't "done" in even 
>> their basic stuff, my opinion stands firm. IPv6 isn't deployable in a 
>> bunch of deployment scenarios used today, and that's because most of the 
>> protocols designed in the IETF haven't had that part as a design criterion.
>>
> 
> How would you solve the problem? If you give end-nodes the ability to
> build packets, you're giving them the ability to choose the source
> address. The only options are to verify the source address externally
> e.g. SeND, SAVI or quarantine them individually on point-to-point
> links and use RPF validation, or somewhat radically change the protocol
> such that source addresses of packets are only set by upstream devices

Those devices exist today and are called NATs.

This way lies madness. We aren't designing the telephone system.

    Brian

> (and for that to work you'd need point-to-point links with the upstream
> device anyway). The latter option would take away the peer-to-peer
> nature of the Internet Protocols.
> 
> If you truly don't trust the end-nodes at all to set their source
> address correctly, then quarantining them on individual point-to-point
> links would seem to me to be the only option that still allows other
> people in other environments to continue to trust end-nodes setting the
> source address.
> 
>> It's definitely headed in the correct direction though, but there is still 
>> a lot of work to be done.
>>
>> -- 
>> Mikael Abrahamsson    email: swm...@swm.pp.se
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
> 
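
The thread above contrasts RPF validation on individual point-to-point links with hosts sharing one link. The sketch below is an added example, not part of the original message or of any IETF document. It models strict RPF for both layouts; the prefixes (from the 2001:db8::/32 documentation range), interface names and host names are constructed assumptions.

```python
import ipaddress

# Constructed topology using the 2001:db8::/32 documentation prefix.
# Interface and host names are hypothetical.
SHARED_LINK = {"eth0": ipaddress.ip_network("2001:db8:0:1::/64")}
P2P_LINKS = {
    "ppp-alice": ipaddress.ip_network("2001:db8:0:a::/64"),
    "ppp-mallory": ipaddress.ip_network("2001:db8:0:b::/64"),
}


def strict_rpf(routes, in_iface, src):
    """Strict RPF: accept a packet only if the longest-prefix route back
    to its source address points out the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    best_iface, best_len = None, -1
    for iface, net in routes.items():
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface == in_iface


def verdicts():
    """Run the same three source addresses from one host through both layouts."""
    return {
        # Shared link: the host and its neighbour both live in 2001:db8:0:1::/64.
        "shared_own_address": strict_rpf(SHARED_LINK, "eth0", "2001:db8:0:1::20"),
        "shared_neighbour_address": strict_rpf(SHARED_LINK, "eth0", "2001:db8:0:1::10"),
        "shared_offlink_address": strict_rpf(SHARED_LINK, "eth0", "2001:db8:ffff::1"),
        # Point-to-point: the host is alone on ppp-mallory with 2001:db8:0:b::/64.
        "p2p_own_address": strict_rpf(P2P_LINKS, "ppp-mallory", "2001:db8:0:b::20"),
        "p2p_neighbour_address": strict_rpf(P2P_LINKS, "ppp-mallory", "2001:db8:0:a::10"),
        "p2p_offlink_address": strict_rpf(P2P_LINKS, "ppp-mallory", "2001:db8:ffff::1"),
    }


if __name__ == "__main__":
    for case, accepted in verdicts().items():
        print(f"{case:26} {'accept' if accepted else 'drop'}")
```

On the shared link the neighbour's address still passes the check, because RPF only sees prefixes; that per-host gap is what SeND and SAVI are meant to cover, and what the per-host point-to-point layout closes by giving each host its own prefix.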