[27390] in North American Network Operators' Group
Re: !white.house, !panacea, new traceback paper from stefan savage
daemon@ATHENA.MIT.EDU (John Hawkinson)
Tue Feb 15 11:38:56 2000
Date: Tue, 15 Feb 2000 10:33:54 -0500
From: John Hawkinson <jhawk@bbnplanet.com>
To: "Forrest W. Christian" <forrestc@iMach.com>
Cc: nanog@merit.edu, coral-dev@caida.org
Message-ID: <20000215103354.U19709@jhawk-foo.bbnplanet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <Pine.BSF.4.21.0002142219570.13239-100000@workhorse.iMach.com>; from forrestc@iMach.com on Mon, Feb 14, 2000 at 10:22:17PM -0700
Errors-To: owner-nanog-outgoing@merit.edu
> > new relevant paper worth checking out by stefan savage et al
> >
> > http://www.cs.washington.edu/homes/savage/traceback.html
>
> This is definitely a must read.
I'd concur.
> The idea is to mark packets with path information so that after you have
> received enough packets from a given source you can determine all of the
> routers it passed through.
It's important to state the operational impact here, which the paper
doesn't do very clearly in the abstract or the front matter, and I think
that's suboptimal structuring -- marking the packets is done by
placing locational information in the ip_id field of the packet.
Quoting from my response to the authors and my inquiry to Cisco about
implementation feasibility:
a) I don't like it because I must be the sole person (ok, ok, blatant
exaggeration) in the universe who likes to use the ip_id field of ip
packets as a debugging key when looking at packet traces; ip_id is
typically monotonically increasing and a great way to check duplicates,
etc., etc.
b) It marks packets and marking packets is Bad and reduces the
cleanliness of the model.
c) Nevertheless, it seems like this could be an incredibly valuable tool
for doing tracebacks, and despite the recent focus of the community on
distributed denial-of-service attacks, the ability to do this sort of
traceback between multiple providers without involving provider personnel
in each "AS island" is much-needed.
d) I think that c) almost certainly outweighs b) and a) in terms of
operational necessity.
e) There exists an argument that states that even with distributed
denial of service attacks the ability to trace individual ones remains
quite valuable. I don't want to go into it here right now.
I also suggest 2 minor modifications to the model:
i) Triggering this behavior off of a bgp community (opt-in and opt-out
variants).
ii) Allowing last-hop routers to collect this information instead of merely
allowing the targeted hosts to collect it.
--jhawk
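The mechanism discussed in the thread (routers overwrite the 16-bit ip_id field with locational information, and the victim recovers the path once enough packets have arrived) is easy to see in a simulation. The following is an added example, not code from the paper or from anyone on the list: it models the simplest "node sampling" variant, where each router stamps its own 16-bit identifier with probability p and the victim orders the identifiers by how often they survive. The paper's actual encoding (edge sampling with a distance field) is more involved; the 16-bit router ids and the assumption that the victim can map an id back to a router are simplifications of this model.

```python
import math
import random
from collections import Counter

IP_ID_BITS = 16           # the field the scheme overloads
MAX_ID = 1 << IP_ID_BITS


def simulate_marking(path_ids, n_packets, p, rng):
    """Node-sampling variant (a simplification, not the paper's exact scheme).

    path_ids lists routers from the attacker towards the victim. Each router
    overwrites the ip_id field with its own id with probability p, so a later
    router's mark replaces an earlier one. The attacker fills the field with
    an arbitrary value before the packet enters the network. Returns the
    ip_id values as observed at the victim.
    """
    observed = []
    for _ in range(n_packets):
        field = rng.randrange(MAX_ID)        # attacker-chosen initial ip_id
        for rid in path_ids:
            if rng.random() < p:
                field = rid                  # downstream routers overwrite
        observed.append(field)
    return observed


def reconstruct_path(observed, participating_ids, path_len):
    """Victim side. A mark from the router d hops away survives with
    probability p(1-p)^(d-1), so the nearest router's id is the most frequent
    and sorting by frequency yields the path nearest-router-first.

    participating_ids is the set of ids the victim can map back to routers
    (an assumption of this toy model).
    """
    counts = Counter(v for v in observed if v in participating_ids)
    return [rid for rid, _ in counts.most_common(path_len)]


def packets_needed(path_len, p):
    """Expected number of packets (an upper bound) before every router on a
    path of length d has marked at least once: ln(d) / (p (1-p)^(d-1)).
    This is the standard node-sampling bound; it shows how quickly the
    requirement grows with path length and why p is kept modest."""
    return math.ceil(math.log(path_len) / (p * (1 - p) ** (path_len - 1)))


def demo(seed=1, p=0.5, n_packets=20000):
    """Run one constructed scenario; returns (true path, recovered path),
    both listed with the router nearest the victim first."""
    rng = random.Random(seed)
    # constructed path: six routers, attacker side first, made-up 16-bit ids
    path_attacker_first = [0x1A01, 0x1A02, 0x1A03, 0x1A04, 0x1A05, 0x1A06]
    observed = simulate_marking(path_attacker_first, n_packets, p, rng)
    recovered = reconstruct_path(observed, set(path_attacker_first),
                                 len(path_attacker_first))
    true_victim_first = list(reversed(path_attacker_first))
    return true_victim_first, recovered


if __name__ == "__main__":
    truth, found = demo()
    print("true path (victim side first):", [hex(r) for r in truth])
    print("recovered from marks:        ", [hex(r) for r in found])
    print("packet bound for d=6, p=0.5: ", packets_needed(6, 0.5))
```

Two things the simulation makes concrete that the thread only alludes to: the field is completely consumed (any value the sender put in ip_id is overwritten by the first router that samples the packet, which is exactly the debugging-key complaint in point a), and the farthest router's mark survives as rarely as the sender's own value does, so a single-router-id encoding needs a lot of packets and offers little protection against forged marks. Both problems are what the paper's edge-and-distance encoding is designed to address.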