
Re: I-D ACTION:draft-nordmark-multi6dt-shim-00.txt



At 06:11 PM 3/11/2004, Kurt Erik Lindqvist wrote:

On 2004-11-03, at 01.28, Erik Nordmark wrote:

> If a host wants to prevent packet injection attacks today (such as
> spoofed TCP RST packets), if it wants to prevent it from all nodes and
> not depend on ingress filtering, wouldn't it use IPsec?

That would have to be a must. I can't see anyone building a trust model
based on (the non-existing) ingress filtering. That said, I think most
protection against packet injection attacks on today's Internet is
actually left to ULPs.

I take it that you are classifying TCP as a ULP in this instance? As I
understand it TCP attempts to provide protection against packet
injection attacks and does not allow its ULP any discretion, while UDP
simply passes the packet upward and places the onus on its ULP to
detect injected bogus packets in the UDP exchange.


regards,

  Geoff