Re: comment on unmanaged analysis presentation/doc
> one problem is, the node really doesn't know who the "sender" is - it 
> only knows the source address.  

Correct.
But, if there is X amount of ingress filtering between the sender
and the node that establishes some amount of relationship between the
sender and the source address.
Thus relying on the source address is better than running an open
decapsulator, since in the case when ingress filtering is used (even
if the ingress filtering is far from perfect) the use of tunneling
doesn't make ingress filtering less effective.

> another problem is, the reason that
> sites implement ingress filtering in the first place is that they don't
> trust the nodes to filter or ignore those packets - perhaps because
> they lack adequate means of communicating policy to those nodes and
> ensuring that the nodes enforce that policy.

I don't follow. The receiving nodes can do any reasonable filtering since
what matters in this case is trying to weed out folks that forge the source
address, and the receiving node doesn't know from where in the topology
the packet was sent.

  Erik
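The comparison drawn in this reply (an open decapsulator versus one that only accepts tunneled packets from known source addresses, with or without ingress filtering on the sender's path) as an added Python model. This is example code written for this page, not anything from the thread; the addresses, the site prefixes and the peer set are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EncapPacket:
    outer_src: str   # source address of the encapsulating (outer) header
    inner_src: str   # source address carried inside the tunnel

def ingress_filter(pkt: EncapPacket, site_prefix: Optional[str]) -> bool:
    """Edge router of the sender's site. With a prefix configured, forward only
    packets whose outer source belongs to that prefix; None models a site that
    does no ingress filtering at all."""
    if site_prefix is None:
        return True
    return ipaddress.ip_address(pkt.outer_src) in ipaddress.ip_network(site_prefix)

def decapsulate(pkt: EncapPacket, tunnel_peers: Optional[frozenset]) -> Optional[str]:
    """Receiving node. None models an open decapsulator that accepts tunneled
    packets from anyone; otherwise the outer source must be a configured peer."""
    if tunnel_peers is not None and pkt.outer_src not in tunnel_peers:
        return None
    return pkt.inner_src

def deliver(pkt: EncapPacket, sender_site_prefix: Optional[str],
            tunnel_peers: Optional[frozenset]) -> Optional[str]:
    """Inner source that reaches the node's stack, or None if dropped on the way."""
    if not ingress_filter(pkt, sender_site_prefix):
        return None
    return decapsulate(pkt, tunnel_peers)

# Constructed values: the node knows one tunnel peer; a host elsewhere sends
# packets whose inner source claims to be that peer, first with its own outer
# source address and then with the peer's address forged in the outer header too.
PEERS = frozenset({"192.0.2.10"})
FORGED_INNER = EncapPacket(outer_src="198.51.100.7", inner_src="192.0.2.10")
FORGED_BOTH = EncapPacket(outer_src="192.0.2.10", inner_src="192.0.2.10")
OTHER_SITE = "198.51.100.0/24"   # prefix the sender's edge router enforces

def scenarios() -> dict:
    return {
        "open":            deliver(FORGED_INNER, OTHER_SITE, None),
        "peer_check":      deliver(FORGED_INNER, OTHER_SITE, PEERS),
        "peer_check_bcp":  deliver(FORGED_BOTH, OTHER_SITE, PEERS),
        "peer_check_nofilter": deliver(FORGED_BOTH, None, PEERS),
    }
```

The open decapsulator hands the forged inner source to the node even though the sender's site filters correctly; the peer check forces the forged outer address, which is exactly what the upstream ingress filter catches, and only when that filtering is absent does the forged packet get through.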