> -----Original Message-----
> From: Tom Tucker [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 25, 2005 11:13 AM
> To: Caitlin Bestler
> Cc: Sean Hefty; Kanevsky, Arkady; [EMAIL PROTECTED]; DAT Collaborative; openib-general@openib.org
> Subject: RE: [openib-general] RE: [dat-discussions] round 2 - proposal for socket based connection model
>
> On Tue, 2005-10-25 at 10:51 -0700, Caitlin Bestler wrote:
> > >
> > > I believe that the assurances you are talking about are peculiar to
> > > an implementation, not to the network.
> > >
> >
> > I disagree. Anytime you send an IP datagram on an IP network you are
> > expected to provide an authentic source address. Any intermediate
> > network device MAY enforce that rule and drop packets with invalid
> > source addresses.
> >
>
> I don't see anything in the protocol specs (RFC 791, RFC 793, ...) that
> talks about this, so we just have to agree to disagree. :-)
>

Joe Touch's current draft on spoofing prevention covers this well in Section 3.2 (draft-ietf-tcpm-tcp-antispoof-02). IP networks can prevent address spoofing at the network layer using IPSec or by having border routers/filters validate the source address of incoming packets against routing rules. The latter is covered in RFC 2827 "Ingress Filtering for Multihomed Networks" and RFC 2267 "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Address Spoofing".

And more generally, in a TCP network a non-privileged client is NOT allowed to bind to any address and is NOT allowed to send raw Ethernet to bypass the host stack.
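
The source-address validation against routing rules mentioned in the reply above, as an added example that is not part of the original message: a strict reverse-path check that accepts a packet only if the best route back to its source address points out the interface it arrived on. The routing table, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a hypothetical border router: prefix -> interface.
ROUTES = {
    "0.0.0.0/0": "upstream0",       # default route towards the Internet
    "198.51.100.0/24": "cust1",     # customer network 1
    "203.0.113.0/25": "cust2",      # customer network 2 (lower half only)
}

def build_table(routes):
    """Parse prefixes and order them longest-prefix-first for lookup."""
    table = [(ipaddress.ip_network(p), ifname) for p, ifname in routes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup(table, addr):
    """Longest-prefix match: return (network, interface) or (None, None)."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in table:
        if ip in net:
            return net, ifname
    return None, None

def ingress_check(table, src, in_if):
    """Strict reverse-path check on a packet's source address.

    Returns (accepted, reason). The packet is accepted only when the route
    back to `src` leaves through the interface the packet arrived on.
    """
    net, route_if = lookup(table, src)
    if net is None:
        return False, f"no route back to {src}"
    if route_if != in_if:
        return False, f"{src} is reached via {route_if}, not {in_if}"
    return True, f"{src} matches {net} on {in_if}"

TABLE = build_table(ROUTES)

# Constructed sample packets: (source address, arrival interface).
SAMPLE_PACKETS = [
    ("198.51.100.7", "cust1"),      # customer using its own prefix
    ("203.0.113.200", "cust2"),     # outside cust2's /25: falls to default route
    ("198.51.100.7", "upstream0"),  # customer address arriving from outside
    ("192.0.2.9", "upstream0"),     # external source on the upstream link
]

def classify(packets=SAMPLE_PACKETS):
    return [(src, in_if) + ingress_check(TABLE, src, in_if) for src, in_if in packets]

if __name__ == "__main__":
    for src, in_if, ok, reason in classify():
        print(f"{'ACCEPT' if ok else 'DROP  '} {in_if:10} {reason}")
```

The strict form assumes symmetric routing; on a multihomed edge, where return traffic may legitimately use a different interface, it drops valid packets and a looser match is needed.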