
RE: draft-ietf-opsec-infrastructure-security-01 - InfrastructureHiding



-- "Barry Greene (bgreene)" <bgreene@cisco.com> wrote:
 
>> Speaking of BCP38, I do hope you all saw this:
>> 
>>  
>> http://www.ripe.net/ripe/maillists/archives/spoofing-tf/2007/msg00000.html
>
>Speaking of BCP38++, read through the document. You can see the reasons
>why "source checks" on the ingress of a SP's network need to go beyond
>the IP address. DSCP and MAC are both known checks.

Indeed -- I believe that is mentioned in:

 http://tools.ietf.org/id/draft-baker-sava-simple-00.txt

...although, I think Fred has a different version elsewhere
(I can't find the URL right now). 

In any event, while I think that MAC-level/IP address bindings
are fine tools for source-address validation mechanisms at the
layer 2 'first-hop', I think it might be out of scope for SAVA.

But are probably just fine for ietf-opsec stuff. :-)

Also, any marking on a packet, such as DSCP bits, doesn't have
solid transitive value, IMO -- they can be arbitrarily remarked.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/