Re: Minutes / Notes

[Pekka Nikander <pekka.nikander@nomadiclab.com>]

> |    The ability to return packets without much overhead, such 
> |    as an ICMP error or
> |    a  TCP SYN, might be important to avoid a class of DoS 
> |    attacks om routers.
>
>
> Important, yes, but not because of DoS effects.  Just simple
> rate-of-return arguments suggest that routers will do a better
> "best effort" job of returning errors if they don't have to jump
> through hoops.  And unlike hosts, the router cannot maintain an
> effective cache of all of the sources that might send it erroneous
> packets.
Recording a route in a packet, if designed right, allows error
messages to be returned to the source.  Recording a route has
the additional benefit that the information is always right.
You don't need to configure your ingress filters.  Since the
routers record the path to the field, you know exactly the path
the packet took.

There are engineering challenges, though, and it may be
impractical to implement it.

The important point is, however, that if the id/loc separation
is done, the source address is not needed by the end-hosts any
more.  It is needed in the very first packet flowing in a direction,
and perhaps in the second one, until the id->loc state is verified
and established, but not after that.

We discuss this in length in our 2001 Nordsec paper, as I
mentioned already.  In that paper we discuss the point from
the IPsec point of view, but most of the discussion directly
applies to the id/loc separation point-of-view.

--Pekka Nikander