[36194] in North American Network Operators' Group
RE: dsl providers that will route /24
daemon@ATHENA.MIT.EDU (David Schwartz)
Thu Mar 29 21:48:05 2001
From: "David Schwartz" <davids@webmaster.com>
To: <Valdis.Kletnieks@vt.edu>
Cc: "Eric A. Hall" <ehall@ehsco.com>, <nanog@nanog.org>
Date: Thu, 29 Mar 2001 18:40:08 -0800
Message-ID: <NCBBLIEPOCNJOAEKBEAKMEJDOBAA.davids@webmaster.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <200103292320.f2TNKEA13823@foo-bar-baz.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
> On Thu, 29 Mar 2001 15:08:24 PST, David Schwartz said:
> > So long as spoofing is possible, you cannot be sure where
> > an attack came
> And spoofing is possible because people don't filter.
No, spoofing is possible because the protocol has no source authentication
capability.
> > from unless you can either log it at its source or trace the
> > stream to its
> > source. That's the problem, and filters don't fix that.
> So we shouldn't filter at the source because we can't fix the
> problem unless we're filtering at the source?
I never said people shouldn't filter. I've always maintained that filters
are a useful tool. Filters just don't solve this particular problem.
> Or are you saying that because seat belts fail 1% of the time, we
> shouldn't use them to help in the other 99% of the crashes?
No. I'm saying that so long as spoofing is possible without detection, you
can never be sure where an attack is really coming from without cooperation
from the source network.
These are real problems, and filtering doesn't solve them.
DS
