[32129] in North American Network Operators' Group


Re: Defeating DoS Attacks Through Accountability

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat Nov 11 22:50:53 2000

Message-Id: <200011120348.eAC3mrw23276@black-ice.cc.vt.edu>
To: Mark Mentovai <mark-list@mentovai.com>
Cc: Mark Prior <mrp@connect.com.au>,
	Simon Lyall <simon.lyall@ihug.co.nz>, nanog@merit.edu
In-Reply-To: Your message of "Sat, 11 Nov 2000 11:27:20 EST."
             <Pine.GSO.4.21.0011111117040.11441-100000@pine.ggn.net> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_2117004048P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Sat, 11 Nov 2000 22:48:52 -0500
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_2117004048P
Content-Type: text/plain; charset=us-ascii

On Sat, 11 Nov 2000 11:27:20 EST, Mark Mentovai said:
> Not so fast, there are situations when you are authorized to have a certain
> chunk of address space but elect not to advertise it a certain way for
> whatever reason.  Maybe someone has a pipe that they want to use for
> outbound traffic only and they don't want to use it at all for inbound traffic,
> and as a result, they don't advertise their routes across it.  What
> justification do you use for dropping traffic that falls into this category?

It's a general principle.

Anyhow, they're going to get damned little inbound traffic unless they
announce a route for it to *someplace*.   I think the original *general*
policy was "If we don't have ANY route for it, we don't accept the traffic",
which sort of makes sense - how would you get through a TCP 3-way handshake
if the SYN+ACK always got back an ICMP Host Unreachable?  I saw no requirement
that the routing not be asymmetric, only that routing exist.

I'm sure Mark Prior will correct me if I mis-read him... ;)

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
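
The check discussed in this message ("if we don't have ANY route for it, we don't accept the traffic"), set beside a stricter symmetric-path check, as an added example that is not part of the original message. The routing table, interface names and packets are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed routing table (documentation prefixes): prefix -> interface the
# best route points out of. No default route, as on a default-free router.
ROUTES = {
    "192.0.2.0/24": "eth0",
    "198.51.100.0/24": "eth1",
    "198.51.100.128/25": "eth2",
}
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES.items()]


def lookup(addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if ip in net]
    return max(matches)[1] if matches else None


def accept_any_route(src):
    """Policy from the message: accept if ANY route to the source exists."""
    return lookup(src) is not None


def accept_symmetric_only(src, in_ifc):
    """Stricter check: the route back to the source must use the arrival interface."""
    return lookup(src) == in_ifc


def classify(src, in_ifc):
    """Verdict of both checks for one packet (source address, arrival interface)."""
    return {"any_route": accept_any_route(src),
            "symmetric_only": accept_symmetric_only(src, in_ifc)}


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on)
    for src, ifc in [("192.0.2.10", "eth0"),      # symmetric path
                     ("198.51.100.200", "eth0"),  # asymmetric: route is via eth2
                     ("203.0.113.7", "eth0")]:    # no route at all
        print(src, ifc, classify(src, ifc))
```

The second packet is the outbound-only pipe case from the quoted question: it passes the any-route check because its prefix is announced somewhere, and only the symmetric-only check would drop it.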




--==_Exmh_2117004048P--

