ietf

Re: Internet SYN Flooding, spoofing attacks

2000-02-16 19:30:03

I think we recognize this may be politically infeasible for many
people to do, because tunneling is often used to circumvent
administrative restrictions, but that really is a different degree of
the problem.

Bingo. I tunnel because my cable modem provider requires residential
users to use DHCP to get IP addresses that can change at any time.  If
you want a static IP address, or additional IP addresses, you must pay
a considerable premium.

It's not because fixed addresses actually cost them more. Indeed,
another cable modem provider in the other part of town allocates fixed
addresses in an otherwise identical service that's $5/mo cheaper. No,
my provider does it simply because they can. They're a monopoly in
their service area.  Even if I could find somebody at their help desk
who understood a request to open up their filter to my own IP addresses,
they would have no incentive to do so.

This all boils down to a basic issue of who controls the Internet
address space -- the users, or the monopolies who have long controlled
the Internet's underlying transmission media and who are now moving up
the stack to aggressively control the IP layer and are imposing
restrictions on the content of their users' traffic.

Fortunately, secure tunneling protocols will always make it possible
for knowledgeable users to overcome these administrative restrictions
and to keep the carriers down at the physical level where they belong,
albeit with a loss in efficiency.

The question, then, is not whether users will be able to send packets
with arbitrary source addresses. They will. The question is whether we
get rid of the inefficiencies associated with a failed attempt to keep
them from doing so, and redirect our energies to better alternatives
for dealing with denial of service attacks.

Phil