"Charles E. Perkins" wrote:
Robert Elz wrote:
There's no good purpose
in sending packets with incorrect source addresses I can think of, and
stopping the practice is the basic intent of the filters.
Mobile IP would like to send out packets with the mobile node's
home address, while it is attached to a network in a foreign
domain. The home address is likely to look "incorrect" from
the standpoint of such a filter.
Mobile IP took advantage of a convenient occurrence of the Internet as
it was, believing all routing would occur based on destination address
only. That is no longer a valid assumption. In response to this changing
world, the Mobile IP folks went back to the drawing board and created
RFC 2344. I suggest folks go implement it. Tunnels are the topologially
correct answer when you're trying to do something like Mobile IP.
Mobile IP also took advantage of directed broadcast in the original
designs, though it is less clear whether anyone actually implemented
using it. See the discussion on this topic in RFC 2644 for more details
on that.
Plus I don't think the gain is worth the pain. I'd rather see
a technology that actually solves the problem instead of swatting
at gnats with a sledge hammer.
Routing based on source and destination address in combination is
already a possible approach for traffic shaping and firewalling
purposes.
What if routers could preferentially keep track of things like SYN
packets and so on for a few seconds, and we had some traceback management
software and security associations with our neighbors enough to do
some automatic detection?
So, you'd prefer to have the routers on the Internet be stateful
devices? Somehow, I thought we really didn't want to go there. There are
known issues with some equipment which does fast switching based on
setting up "flows." A design that several folks have come up with relies
on a general purpose processor to program "flow" information into a
silicon-assisted fabric. Such implementations suffer greatly at the
hands of a DoS attack, where flows are coming in at extremely high rate.
State isn't necessarily the answer.
It might cost 2% more for the memory buffers, geez I don't know.
The memory cost isn't the issue. You're going to pay more for a lot of
ASICs to be doing that operation at wire speed. The work to do what you
suggest adds considerably more complexity than doing filtering at wire
speeds in ASICs (a capability which is available on products shipping
today).
--
-----------------------------------------------------------------
Daniel Senie dts(_at_)senie(_dot_)com
Amaranth Networks Inc. http://www.amaranthnetworks.com