Re: Fwd: Minutes / Notes
marcelo bagnulo wrote:
> For the source endpoint information, I am not sure.
> I think that carrying the source identifier would make more sense, since it
> identifies the other end of the communication.

Carrying a source identifier is harmful. For our argument, see

Catharina Candolin and Pekka Nikander, "IPv6 Source Addresses Considered
Harmful," in Hanne Riis Nielson (ed.), Proceedings of NordSec 2001,
Sixth Nordic Workshop on Secure IT Systems, November 1-2, Lyngby,
Denmark, Technical Report IMM-TR-2001-14, pp. 54-68, Technical
University of Denmark, November 2001.
http://www.tml.hut.fi/~pnr/publications/nordsec2001.pdf

> This would also allow configuring
> filters depending on the source identifier, making things like
> renumbering easier. The first problem that I find with this option is that
> you cannot send error messages back to the source (since there is no locator
> of the source) when there is a problem, and additional mechanisms are needed
> to perform reverse mapping in this situation.

Error messages (ICMP, congestion notification) are about the only
reason why you should have any kind of source names in the average
packets once you make the id/loc separation.
In fact, IMHO it would make most sense to *record* the source *path*
to the packets, somewhat a la itrace, if the id/loc separation is
made. That would allow one to trace back DoS packets.
(Note that all of the above discussed *generic* packets. It is a
different issue with the very first packet sent by a host to another,
and with any packets that affect the id->locs binding.)

--Pekka Nikander
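The design being argued over above, as a constructed model added here for illustration; it is not code from the thread, from itrace, or from any real id/loc protocol. The assumptions are all mine: a generic packet carries the destination identifier and locator, at most a source identifier, and a list of hop locators that each forwarding router appends; the `Packet` and `Router` classes, the three-router topology and the `id_to_locs` mapping are made up for the example. It shows that an error message can be routed back along the recorded path with no source locator at all, that the reverse-mapping alternative needs an extra lookup and fails when the source identifier is absent or unknown, and that the first recorded hop identifies the ingress router even when the source identifier is forged.

```python
"""Toy id/locator-separated packets with itrace-style path recording.

Constructed illustration only: the header layout, topology and the
id->locs mapping below are assumptions for the example, not any real
protocol.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    """A generic (non-first) packet after id/loc separation.

    Only the destination needs a locator. The source contributes at most
    an identifier; `path` is filled in by routers as the packet travels.
    """
    dst_id: str
    dst_loc: str
    src_id: Optional[str] = None
    path: List[str] = field(default_factory=list)
    payload: str = ""


@dataclass
class Router:
    loc: str
    # destination locator -> next-hop router locator, or "deliver"
    routes: Dict[str, str]

    def forward(self, pkt: Packet) -> str:
        pkt.path.append(self.loc)  # record this hop's locator in the packet
        return self.routes[pkt.dst_loc]


def send(network: Dict[str, Router], first_hop: str, pkt: Packet,
         max_hops: int = 16) -> Packet:
    """Forward pkt through the network from first_hop until delivered."""
    hop = first_hop
    for _ in range(max_hops):
        nxt = network[hop].forward(pkt)
        if nxt == "deliver":
            return pkt
        hop = nxt
    raise RuntimeError("hop limit exceeded (routing loop?)")


def return_path(pkt: Packet) -> List[str]:
    """Hop-by-hop route for an error message back toward the sender.

    Derived purely from the recorded path: no source locator and no
    id->locs lookup is needed.
    """
    return list(reversed(pkt.path))


def error_destination_via_mapping(pkt: Packet,
                                  id_to_locs: Dict[str, List[str]]) -> str:
    """Where an ICMP-style error would go if only src_id is carried.

    Needs a reverse-mapping service (assumed here as a dict) and fails
    when the source identifier is absent or unknown.
    """
    if pkt.src_id is None:
        raise LookupError("no source identifier in packet")
    locs = id_to_locs.get(pkt.src_id)
    if not locs:
        raise LookupError(f"no id->locs binding for {pkt.src_id}")
    return locs[0]


def ingress_router(pkt: Packet) -> str:
    """Trace a packet back to the router that first forwarded it.

    Independent of src_id, so a forged identifier does not defeat it.
    """
    if not pkt.path:
        raise ValueError("packet carries no recorded path")
    return pkt.path[0]


def build_demo_network() -> Dict[str, Router]:
    """Constructed topology: R1 -> R2 -> R3 -> host at locator 'B'."""
    return {
        "R1": Router("R1", {"B": "R2"}),
        "R2": Router("R2", {"B": "R3"}),
        "R3": Router("R3", {"B": "deliver"}),
    }


def demo() -> dict:
    net = build_demo_network()
    legit = send(net, "R1", Packet("bob", "B", src_id="alice", payload="hello"))
    # A flooding sender that puts someone else's identifier in src_id.
    forged = send(net, "R1", Packet("bob", "B", src_id="carol?", payload="flood"))
    try:
        mapped = error_destination_via_mapping(forged, {"alice": ["A"]})
    except LookupError as exc:
        mapped = str(exc)
    return {
        "legit_path": legit.path,
        "return_path": return_path(legit),
        "forged_ingress": ingress_router(forged),
        "error_via_mapping": mapped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The recorded path doubles as the return route for errors and as the traceback evidence; the reverse-mapping route only works for identifiers the mapping service already knows, which is exactly the extra mechanism the quoted text says would be needed.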