ietf

Re: Internet SYN Flooding, spoofing attacks

2000-02-16 21:10:01
    Date:        Wed, 16 Feb 2000 18:20:43 -0800
    From:        Phil Karn <karn(_at_)ka9q(_dot_)ampr(_dot_)org>
    Message-ID:  <200002170220(_dot_)SAA06416(_at_)homer(_dot_)ka9q(_dot_)ampr(_dot_)org>

  | Even if I could find somebody at their help desk
  | who understood a request to open up their filter to my own IP addresses,
  | they would have no incentive to do so.

In an earlier message you just told us that ingress filtering would
never become widespread enough to really matter - but it seems to
have managed to trap you...

  | This all boils down to a basic issue of who controls the Internet
  | address space -- the users, or the monopolies who have long controlled

The address space is controlled by the routing system - that's
what the addresses are for.

  | Fortunately, secure tunneling protocols will always make it possible
  | for knowledgeable users to overcome these administrative restrictions
  | and to keep the carriers down at the physical level where they belong,
  | albeit with a loss in efficiency.

Well not always - it is possible to imagine an ISP that only permits
connections via their proxies, and blocks everything else.  They could
even market it as a "premium extra secure internet service - no nasty
packets from outside will ever reach your system" ...

But aside from that nonsense, tunneling is not a problem for ingress
filtering, it isn't defeating it (or not its purpose) at all.
To tunnel, you need a remote tunnel endpoint - and then you can only
send source addresses through the tunnel (and from there to the
universe) with addresses from the remote-endpoint's address range
(assuming ingress filtering is being done there as well).

That's all fine then, you're just acting as if you were a node
at their location (which is the point, more or less), and packets
you send that way are attributed to them, just the same as any
other packet sent from there.

If some site is willing to decapsulate packets from any random source
and forward them, then they take the heat for any packets that are
sent that way.

kre
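The point kre makes about decapsulating endpoints, as an added example that is not part of the original thread: a model of a tunnel endpoint that only forwards decapsulated packets whose inner source falls inside its own address range (the prefixes, peer address and sample packets below are constructed for illustration).

```python
# Added example, not from the mailing-list thread: a tunnel endpoint that
# applies ingress filtering to the packets it decapsulates, so only inner
# source addresses from its own allocated range are forwarded onward.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) address range the tunnel endpoint is responsible for.
ENDPOINT_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")]

@dataclass(frozen=True)
class TunneledPacket:
    outer_src: str  # address of the tunnel peer that sent the encapsulated packet
    inner_src: str  # source address carried inside the tunnel
    inner_dst: str  # destination the inner packet is headed for

def ingress_ok(inner_src: str, prefixes=ENDPOINT_PREFIXES) -> bool:
    """True if the decapsulated source lies in a prefix this site answers for."""
    addr = ip_address(inner_src)
    # A mismatched IP version simply fails the membership test.
    return any(addr in p for p in prefixes)

def decapsulate_and_forward(packets, allowed_peers, prefixes=ENDPOINT_PREFIXES):
    """Return (forwarded, dropped): the outer source must be a configured peer
    and the inner source must be in our own range, else the packet is dropped."""
    peers = {ip_address(p) for p in allowed_peers}
    forwarded, dropped = [], []
    for pkt in packets:
        if ip_address(pkt.outer_src) not in peers:
            dropped.append((pkt, "unknown tunnel peer"))
        elif not ingress_ok(pkt.inner_src, prefixes):
            dropped.append((pkt, "inner source outside our prefixes"))
        else:
            forwarded.append(pkt)
    return forwarded, dropped

# Constructed sample traffic (documentation-range addresses).
SAMPLE_PACKETS = [
    TunneledPacket("203.0.113.7", "192.0.2.10", "198.51.100.1"),       # in range
    TunneledPacket("203.0.113.7", "10.9.9.9", "198.51.100.1"),         # spoofed source
    TunneledPacket("203.0.113.99", "192.0.2.10", "198.51.100.1"),      # unknown peer
    TunneledPacket("203.0.113.7", "2001:db8:1::5", "2001:db8:2::1"),   # in range (v6)
]
ALLOWED_PEERS = ["203.0.113.7"]

def run_sample():
    return decapsulate_and_forward(SAMPLE_PACKETS, ALLOWED_PEERS)
```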