Re: comment on unmanaged analysis presentation/doc

> > one problem is, the node really doesn't know who the "sender" is - it
> > only knows the source address.
> 
> Correct.
> But, if there is X amount of ingress filtering between the sender
> and the node that establishes some amount of relationship between the
> sender and the source address.

I suspect you mean 'egress filtering' - filtering of packets as they
_leave_ a network to make sure that they have valid source addresses.
Filtering based on source address - whether done at a host or at
a router or firewall only works if 'egress filtering' is widely 
implemented.

> Thus relying on the source address is better than running an open
> decapsulator, since in the case when ingress filtering is used (even
> if the ingress filtering is far from perfect) the use of tunneling
> doesn't make ingress filtering less effective.

I agree that filtering on source address is at least marginally
better than admitting all traffic.  

> > another problem is, the reason that
> > sites implement ingress filtering in the first place is that they don't
> > trust the nodes to filter or ignore those packets - perhaps because
> > they lack adequate means of communicating policy to those nodes and
> > ensuring that the nodes enforce that policy.
> 
> I don't follow. The receiving nodes can do any reasonable filtering since
> what matters in this case is trying to weed out folks that forge the source
> address, and the receiving node doesn't know from where in the topology
> the packet was sent.

Neither does the ingress filter.  The same information from the packet
in question is available to either.  The principal difference is that
the ingress filter allows centralized administration of policy and
centralized control.

Keith
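The point made in this exchange, that a decapsulator's source-address check is only as good as the egress filtering deployed on the sender's side, and that a site ingress filter sees the same packet fields but centralizes the policy, can be modelled in a few lines. The following is an added example, not code from the thread or from any tunneling implementation; the packet model, the helper names and all addresses are constructed for illustration.

```python
"""Model of source-address-based filtering along a tunneled packet's path:
an egress filter at the sender's site border, a per-node allowlist at the
decapsulator, and a centralized ingress filter at the receiving site.
Added example with constructed data; the helpers are hypothetical."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # outer (tunnel) source address, as seen by the node
    dst: str          # outer destination address
    payload: bytes = b""


def egress_filter(site_prefixes, pkt):
    """Check done at the sender's border as the packet LEAVES the site:
    the source address must fall inside one of the site's own prefixes.
    This is the check that gives the source address any meaning at all."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p) for p in site_prefixes)


def decapsulator_accepts(peer_allowlist, pkt):
    """Per-node policy: accept a tunneled packet only if its outer source
    address is one of this node's configured tunnel peers. The node cannot
    tell where in the topology the packet really came from."""
    allowed = {ipaddress.ip_address(p) for p in peer_allowlist}
    return ipaddress.ip_address(pkt.src) in allowed


def site_ingress_filter(site_policy, pkt):
    """Centralized policy at the receiving site's border: one table maps each
    internal decapsulator to the peers it may hear from. Same packet fields
    as decapsulator_accepts(), but administered in one place for all nodes."""
    peers = site_policy.get(pkt.dst, ())
    return decapsulator_accepts(peers, pkt)


def deliver(site_prefixes, peer_allowlist, pkt, egress_filtering_deployed,
            site_policy=None):
    """Walk the packet through the checks in path order and report where it
    stops: 'dropped_at_egress', 'dropped_at_ingress', 'dropped_at_decap'
    or 'accepted'."""
    if egress_filtering_deployed and not egress_filter(site_prefixes, pkt):
        return "dropped_at_egress"
    if site_policy is not None and not site_ingress_filter(site_policy, pkt):
        return "dropped_at_ingress"
    if not decapsulator_accepts(peer_allowlist, pkt):
        return "dropped_at_decap"
    return "accepted"


if __name__ == "__main__":
    # Constructed topology: the sender sits in 198.51.100.0/24; the
    # decapsulator 192.0.2.1 only trusts peer 203.0.113.7 in another site.
    sender_site = ["198.51.100.0/24"]
    peers = ["203.0.113.7"]
    forged = Packet(src="203.0.113.7", dst="192.0.2.1")   # source not the sender's
    honest = Packet(src="198.51.100.5", dst="192.0.2.1")  # source really the sender's
    for name, pkt in (("forged", forged), ("honest", honest)):
        for egress in (False, True):
            print(name, "egress filtering" if egress else "no egress filtering",
                  "->", deliver(sender_site, peers, pkt, egress))
```

With egress filtering absent, the packet carrying a trusted peer's address is accepted by the decapsulator, which is exactly the weakness discussed above; with it deployed at the sender's border, the same packet never leaves that site. The `site_policy` table shows the centralization argument: one ingress table can cover every decapsulator behind the border, whereas each node's own allowlist has to be maintained separately.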