Re: Minutes / Notes
On Mon, 21 Jul 2003, Pekka Nikander wrote:
> > | The ability to return packets without much overhead, such
> > | as an ICMP error or
> > | a TCP SYN, might be important to avoid a class of DoS
> > | attacks on routers.
> > Important, yes, but not because of DoS effects. Just simple
> > rate-of-return arguments suggest that routers will do a better
> > "best effort" job of returning errors if they don't have to jump
> > through hoops. And unlike hosts, the router cannot maintain an
> > effective cache of all of the sources that might send it erroneous
> > packets.
> Recording a route in a packet, if designed right, allows error
> messages to be returned to the source. Recording a route has
> the additional benefit that the information is always right.
> You don't need to configure your ingress filters. Since the
> routers record the path to the field, you know exactly the path
> the packet took.
> There are engineering challenges, though, and it may be
> impractical to implement it.
Yes, and remember how the spammers got to forging the SMTP Received:
headers. You really can't trust the recorded route: it may have any
number of forged "bogus" entries. However, at least a part of that trail
is always valid -- it's just impossible to tell how big a part.
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
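
Added example, not part of the original message: a receiver-side walk over a Received: trail that keeps only the entries stamped by relays the receiver operates and treats everything below the first outside peer as unverifiable. The trusted network `192.0.2.0/24`, the host names and the sample headers are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: 192.0.2.0/24 holds the relays we operate ourselves.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PEER_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")  # "[ip]" the stamping relay saw

# Constructed sample. Headers are prepended, so the top line is the newest.
# The bottom two lines arrived with the message from 198.51.100.7.
RAW = """\
Received: from edge.example.net (edge.example.net [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 21 Jul 2003 10:00:03 +0000
Received: from relay.unknown.test (relay.unknown.test [198.51.100.7])
\tby edge.example.net with ESMTP; Mon, 21 Jul 2003 10:00:02 +0000
Received: from mail.bank.test (mail.bank.test [192.0.2.99])
\tby edge.example.net with SMTP; Mon, 21 Jul 2003 09:59:40 +0000
Received: from workstation (localhost [127.0.0.1])
\tby mail.bank.test with SMTP; Mon, 21 Jul 2003 09:59:30 +0000
From: someone@bank.test
Subject: constructed sample

body
"""

def peer_ip(hop):
    """Peer address recorded in one Received: value, or None if unparsable."""
    m = PEER_RE.search(hop)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def split_trail(raw, trusted=TRUSTED_NETS):
    """Return (verified, unverified) Received: values, newest first."""
    hops = email.message_from_string(raw).get_all("Received") or []
    verified = []
    for hop in hops:
        verified.append(hop)  # stamped by us or by a relay we trust
        ip = peer_ip(hop)
        if ip is None or not any(ip in net for net in trusted):
            break  # outside peer: every entry below is only its claim
    return verified, hops[len(verified):]

def handoff_peer(verified):
    """Address that handed the message to the last relay we trust."""
    return peer_ip(verified[-1]) if verified else None
```

The third sample entry names a trusted relay and a trusted-looking address, yet it lands in the unverified part because the walk has already crossed the boundary at 198.51.100.7.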