
Re: I-D ACTION:draft-nordmark-multi6dt-shim-00.txt




On 2004-11-03, at 22.55, Geoff Huston wrote:

> At 06:11 PM 3/11/2004, Kurt Erik Lindqvist wrote:
>>
>> On 2004-11-03, at 01.28, Erik Nordmark wrote:
>>
>> > If a host wants to prevent packet injection attacks today (such as
>> > spoofed TCP RST packets), if it wants to prevent it from all nodes and
>> > not depend on ingress filtering, wouldn't it use IPsec?
>>
>> That would have to be a must. I can't see anyone building a trust model
>> based on (the non-existing) ingress filtering. That said, I think most
>> protection against packet injection attacks on today's Internet is
>> actually left to ULPs.
>
> I take it that you are classifying TCP as a ULP in this instance?

Yes.

> As I understand it TCP attempts to provide protection against packet 
> injection attacks and does not allow its ULP any discretion,
> while UDP simply passes the packet upward and places the onus on its 
> ULP to detect injected bogus packets in the UDP exchange.

Agreed. I simply meant "something above IP" with ULP...

- kurtis -
