Re: comment on unmanaged analysis presentation/doc

> While such a scheme might work for protocol 41 packets, I don't
> see how it can be made to work for other tunnels, especially encrypted
> tunnels.

there's no way to deal with xxx-to-host encrypted tunnels except to
have the host do the filtering.  that doesn't mean ingress filtering
isn't useful, just that it can't prevent all threats.  but we already
knew that.

> Thus I think a simpler and more general approach is to require that nodes
> only decapsulate packets when they trust the sender.

one problem is, the node really doesn't know who the "sender" is - it 
only knows the source address.  another problem is, the reason that
sites implement ingress filtering in the first place is that they don't
trust the nodes to filter or ignore those packets - perhaps because
they lack adequate means of communicating policy to those nodes and
ensuring that the nodes enforce that policy.

Keith

p.s. another idea that might be worth exploring is to have 
relay-routers and address-translators embed the original source 
address in the packet in a way that won't interfere with the processing 
of the payload but still preserves trace information - say as an IP 
option.  I realize that there are serious penalties with use of IP 
options - in particular causing routers to do "slow path" processing - 
but perhaps somebody knows another way to embed that information in
packets or a way to use IP options that doesn't cause such problems.
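As an added illustration of the "only decapsulate packets from trusted senders" scheme debated above (example code written for this page, not from the thread or any implementation), the policy below parses the outer IPv4 header of a protocol 41 packet and accepts it only when the outer source falls in a configured peer range. The trusted-peer list and the sample packets are constructed; the check has exactly the limitation Keith points out, since the outer source address is the only notion of "sender" the node has.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation ("protocol 41")

# Hypothetical local policy (constructed for this example): outer IPv4
# sources this node is willing to decapsulate from.
TRUSTED_TUNNEL_PEERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_outer_ipv4(packet: bytes):
    """Return (proto, src, dst, payload) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), packet[ihl:]


def should_decapsulate(packet: bytes, trusted=TRUSTED_TUNNEL_PEERS) -> bool:
    """Accept a protocol 41 packet only if its outer source is a trusted peer.

    The outer source address is all this node can see: any packet carrying
    a trusted source passes, whoever actually emitted it. That is why the
    thread argues ingress filtering at the site edge is still needed.
    """
    proto, src, _dst, payload = parse_outer_ipv4(packet)
    if proto != IPPROTO_IPV6:
        return False
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return False  # payload does not even look like an IPv6 header
    return any(src in net for net in trusted)


def build_outer_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header for sample data (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed inner payload: a 40-byte IPv6 header with only the version set.
SAMPLE_INNER = bytes([0x60]) + bytes(39)
```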