
Re: Minutes / Notes



On Mon, 21 Jul 2003, Pekka Nikander wrote:
> > |    The ability to return packets without much overhead, such 
> > |    as an ICMP error or
> > |    a TCP SYN, might be important to avoid a class of DoS 
> > |    attacks on routers.
> > 
> > 
> > Important, yes, but not because of DoS effects.  Just simple
> > rate-of-return arguments suggest that routers will do a better
> > "best effort" job of returning errors if they don't have to jump
> > through hoops.  And unlike hosts, the router cannot maintain an
> > effective cache of all of the sources that might send it erroneous
> > packets.
> 
> Recording a route in a packet, if designed right, allows error
> messages to be returned to the source.  Recording a route has
> the additional benefit that the information is always right.
> You don't need to configure your ingress filters.  Since the
> routers record the path to the field, you know exactly the path
> the packet took.
> 
> There are engineering challenges, though, and it may be
> impractical to implement it.
[...]

Yes, and remember how spammers got to forging the SMTP Received:
headers.  You really can't trust the recorded route: it may have any
number of forged "bogus" entries.  However, at least a part of that trail
is always valid -- it's just impossible to tell how big a part.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
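The point about Received: headers, as an added example that is not part of the original thread: each Received: line was written by the host the previous line names as the connecting peer, so the trail can be trusted only as far back as the last hop that a host under your own control wrote. The sample headers and the "trusted" networks below are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: topmost line is the newest, written by our own MTA.
# The last line claims to come from a host with an address inside our own
# range, but it was written by an outside host and so proves nothing.
SAMPLE_RECEIVED = [
    "from mx1.example.org (mx1.example.org [192.0.2.10]) by inbox.example.org",
    "from relay.example.net (relay.example.net [198.51.100.5]) by mx1.example.org",
    "from evil.example.com (evil.example.com [203.0.113.7]) by relay.example.net",
    "from trusted-looking.example.org (trusted-looking.example.org [192.0.2.99]) by evil.example.com",
]

# Assumed: the networks whose MTAs we operate and therefore trust to log honestly.
TRUSTED_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ip(header):
    """Address of the connecting peer as recorded by the host that wrote the line."""
    m = IP_RE.search(header)
    return ip_address(m.group(1)) if m else None


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    return ip is not None and any(ip in net for net in trusted_nets)


def trusted_trail(received, trusted_nets=TRUSTED_NETS):
    """Return the prefix of Received: lines we can vouch for.

    Line 0 was written by our own MTA.  Line i (i > 0) was written by the host
    that line i-1 reports as the connecting peer, so it is only as honest as
    that host; once the writer is outside our networks, everything that follows
    may have been forged by whoever injected the message."""
    trail = []
    for i, line in enumerate(received):
        if i > 0 and not is_trusted(hop_ip(received[i - 1]), trusted_nets):
            break
        trail.append(line)
    return trail


def first_untrusted_hop(received, trusted_nets=TRUSTED_NETS):
    """The first address outside our control: the only part of the
    'origin' we can actually state with confidence."""
    trail = trusted_trail(received, trusted_nets)
    return hop_ip(trail[-1]) if trail else None
```

Everything past the hop reported by the last trusted line is exactly the "bogus" portion the mail refers to; the code can say where the reliable part ends, not how much of the rest is real.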