In <1101206196.8191.7553.camel@hades.cambridge.redhat.com>
David Woodhouse <dwmw2@infradead.org> writes:
> I've just had a great idea. IP spoofing can be a big problem -- it can
> be used to poison DNS caches and hijack TCP sessions, and to cause a
> denial of service attack.
IP spoofing cannot easily be used to poison DNS caches nor hijack TCP
sessions due to other checks.

IP spoofing can be, and is, a big problem with DoS attacks.
> We can use the same technique as SPF to address this forgery, though. I
> can publish a record which says the MAC address of my Ethernet card or
> the phone number I dial from (or whatever's appropriate to my
> connection). When someone receives a packet which claims to be from my
> IP address, they can check to see if it comes from my MAC address, or my
> phone line -- and if it does not, they can discard it because it's a
> forgery.
The discussions that I've seen with regard to IP spoof prevention use
checking at AS transitions, which seems much more effective. It is at
the AS/BGP level that you can know if a packet claiming to be from
a given IP address could be spoofed or not.
Currently the BGP info tells about how to route packets *to* someplace
(equivalent to MX RRs), but not where packets can come *from*
(equivalent to SPF RRs). There are certainly discussions about
changing things, but IP routing is different from email spoofing,
so things are proceeding differently in that area.
So, yes, this basic concept of publishing information about sources of
IP address and blocking spoofed sources is a good idea, just not the
way you present it.
-wayne
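The reply above points out that routing tables only say where packets go *to*, not where they may come *from*. The standard way a network edge bridges that gap is ingress filtering, often implemented as a strict unicast reverse-path check: look up the best route back to a packet's source address and accept the packet only if that route leaves through the interface the packet arrived on. The following is an added illustration of that check, not code from the thread or from any real router; the routing table, interface names and packet samples are constructed (prefixes are RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed forwarding table for a small edge router: prefix -> interface.
# eth1 and eth2 face two customers; eth0 faces the upstream via a default route.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "eth1",     # customer A
    ipaddress.ip_network("198.51.100.0/24"): "eth2",  # customer B
    ipaddress.ip_network("203.0.113.0/25"): "eth2",   # customer B, second block
    ipaddress.ip_network("0.0.0.0/0"): "eth0",        # default route to upstream
}

# Strict reverse-path checking is only meaningful on interfaces whose set of
# legitimate sources is fully known, i.e. the customer-facing edges.
CUSTOMER_IFACES = {"eth1", "eth2"}

# Constructed sample traffic: (source, destination, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5", "eth1"),     # A's address from A's link
    ("198.51.100.7", "192.0.2.3", "eth2"),      # B's address from B's link
    ("192.0.2.10", "198.51.100.5", "eth2"),     # A's address arriving from B
    ("203.0.113.200", "192.0.2.3", "eth2"),     # outside B's /25, routes upstream
    ("198.51.100.7", "192.0.2.3", "eth1"),      # B's address arriving from A
]


def best_route(addr):
    """Longest-prefix match: the interface the router would forward to addr on."""
    addr = ipaddress.ip_address(addr)
    candidates = [(net.prefixlen, iface) for net, iface in ROUTES.items() if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


def strict_urpf_accepts(src, ingress_iface):
    """Accept only if the route back to src exits via the ingress interface.

    This derives a 'where packets may come from' rule from a table that only
    records 'where packets go to', which is exactly the asymmetry the thread
    discusses. Interfaces not in CUSTOMER_IFACES are left unchecked.
    """
    if ingress_iface not in CUSTOMER_IFACES:
        return True
    return best_route(src) == ingress_iface


def filter_packets(packets):
    """Split packets into (accepted, dropped); dropped entries carry a reason."""
    accepted, dropped = [], []
    for src, dst, iface in packets:
        if strict_urpf_accepts(src, iface):
            accepted.append((src, dst, iface))
        else:
            reason = f"source {src} routes via {best_route(src)}, arrived on {iface}"
            dropped.append((src, dst, iface, reason))
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for p in ok:
        print("ACCEPT", p)
    for p in bad:
        print("DROP  ", p)
```

The check catches a host on one customer link claiming an address that routes to another link, and also addresses that route back toward the upstream. It deliberately does nothing on the upstream interface: with a default route, every source would pass, which is why this form of filtering lives at the customer and AS edges rather than in the core.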