
Re: Minutes / Notes



| The ability to return packets without much overhead, such
| as an ICMP error or a TCP SYN, might be important to avoid
| a class of DoS attacks on routers.


Important, yes, but not because of DoS effects. Just simple
rate-of-return arguments suggest that routers will do a better
"best effort" job of returning errors if they don't have to jump
through hoops. And unlike hosts, the router cannot maintain an
effective cache of all of the sources that might send it erroneous
packets.
Recording a route in a packet, if designed right, allows error
messages to be returned to the source.  Recording a route has
the additional benefit that the information is always right.
You don't need to configure your ingress filters.  Since the
routers record the path to the field, you know exactly the path
the packet took.

There are engineering challenges, though, and it may be
impractical to implement it.

The important point is, however, that if the id/loc separation
is done, the source address is not needed by the end-hosts any
more.  It is needed in the very first packet flowing in a direction,
and perhaps in the second one, until the id->loc state is verified
and established, but not after that.

We discuss this at length in our 2001 Nordsec paper, as I
mentioned already.  In that paper we discuss the point from
the IPsec point of view, but most of the discussion directly
applies to the id/loc separation point of view.

--Pekka Nikander
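
The record-route idea in the message above, as an added illustration that is not code from the message, the Nordsec paper, or any real protocol: every router appends a (router, ingress link) entry as the packet passes, and a router that cannot forward returns an "unreachable" error by walking that recorded path backwards. The claimed source locator is never consulted, so a forged src does not redirect the error. The topology, router names and the Packet/ErrorPacket shapes are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str      # claimed source locator: untrusted, may be spoofed
    dst: str
    payload: str
    # (router, ingress) pairs appended by every router the packet traverses
    recorded: list = field(default_factory=list)


@dataclass
class ErrorPacket:
    reason: str
    about: Packet
    return_path: list  # the recorded path, reversed


class Network:
    """Toy topology (constructed for this example): hosts attach to routers,
    routers hold static next-hop tables keyed by destination host."""

    def __init__(self):
        self.routes = {}    # router name -> {dst host: next hop}
        self.links = set()  # unordered pairs of directly connected nodes
        self.inbox = {}     # host name -> list of received packets

    def add_host(self, name):
        self.inbox[name] = []

    def add_router(self, name, table):
        self.routes[name] = table

    def add_link(self, a, b):
        self.links.add(frozenset((a, b)))

    def send(self, host, first_hop, pkt):
        """Inject pkt from host onto its link to first_hop; return who ends up holding it."""
        if frozenset((host, first_hop)) not in self.links:
            raise ValueError("host not attached to that router")
        return self._forward(first_hop, host, pkt)

    def _forward(self, router, came_from, pkt):
        # Each router records itself and the link the packet arrived on.
        pkt.recorded.append((router, came_from))
        nxt = self.routes[router].get(pkt.dst)
        if nxt is None:
            # No route: return an error along the recorded path, ignoring pkt.src.
            err = ErrorPacket("unreachable", pkt, list(reversed(pkt.recorded)))
            return self._return_error(err)
        if nxt in self.inbox:
            self.inbox[nxt].append(pkt)
            return nxt
        return self._forward(nxt, router, pkt)

    def _return_error(self, err):
        path = err.return_path
        for i, (router, came_from) in enumerate(path):
            if came_from in self.inbox:
                # The first router's ingress was a host link: that is the real origin.
                self.inbox[came_from].append(err)
                return came_from
            # Consistency check: the hop we walk back to must be the next recorded router.
            if i + 1 >= len(path) or path[i + 1][0] != came_from:
                raise RuntimeError("inconsistent recorded path")
        raise RuntimeError("recorded path does not end at a host")


def build_demo_network():
    net = Network()
    for h in ("A", "B"):
        net.add_host(h)
    net.add_router("R1", {"B": "R2", "C": "R2"})  # R1 believes C lies beyond R2
    net.add_router("R2", {"B": "B"})              # R2 has no route to C
    net.add_link("A", "R1")
    net.add_link("R1", "R2")
    net.add_link("R2", "B")
    return net


def spoofed_unreachable():
    """A sends to C with a forged src 'Z'; the error still comes back to A."""
    net = build_demo_network()
    pkt = Packet(src="Z", dst="C", payload="hello")
    delivered_to = net.send("A", "R1", pkt)
    return delivered_to, pkt.recorded, net.inbox["A"][0].reason


if __name__ == "__main__":
    print(spoofed_unreachable())
```

The consistency check in `_return_error` is the part a real design would have to get right: a router on the return path only hands the error to the hop it recorded itself as having received the packet from, so neither the sender's src field nor entries it might pre-stuff into the list can steer the error somewhere else.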