Re: [Fwd: [Saad] Some initiating thoughts...]

Erik Nordmark <Erik.Nordmark@sun.com> Thu, 23 October 2003 11:37 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA13829 for <saad-archive@odin.ietf.org>; Thu, 23 Oct 2003 07:37:31 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACdm9-0002QW-QT for saad-archive@odin.ietf.org; Thu, 23 Oct 2003 07:37:10 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9NBb9eZ009328 for saad-archive@odin.ietf.org; Thu, 23 Oct 2003 07:37:09 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACdm8-0002Ps-4U for saad-web-archive@optimus.ietf.org; Thu, 23 Oct 2003 07:37:08 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA13812 for <saad-web-archive@ietf.org>; Thu, 23 Oct 2003 07:36:59 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ACdm7-0005kw-00 for saad-web-archive@ietf.org; Thu, 23 Oct 2003 07:37:07 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1ACdm7-0005kt-00 for saad-web-archive@ietf.org; Thu, 23 Oct 2003 07:37:07 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACdm3-0002O2-H0; Thu, 23 Oct 2003 07:37:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ACdlx-0002MW-73 for saad@optimus.ietf.org; Thu, 23 Oct 2003 07:36:57 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA13803 for <saad@ietf.org>; Thu, 23 Oct 2003 07:36:47 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ACdlw-0005kc-00 for saad@ietf.org; Thu, 23 Oct 2003 07:36:56 -0400
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx with esmtp (Exim 4.12) id 1ACdlv-0005kZ-00 for saad@ietf.org; Thu, 23 Oct 2003 07:36:55 -0400
Received: from bebop.France.Sun.COM ([129.157.174.15]) by brmea-mail-3.sun.com (8.12.10/8.12.9) with ESMTP id h9NBan5u027009; Thu, 23 Oct 2003 05:36:50 -0600 (MDT)
Received: from lillen (lillen [129.157.212.23]) by bebop.France.Sun.COM (8.11.7+Sun/8.10.2/ENSMAIL,v2.2) with SMTP id h9NBamS27567; Thu, 23 Oct 2003 13:36:49 +0200 (MEST)
Date: Thu, 23 Oct 2003 13:36:46 +0200 (CEST)
From: Erik Nordmark <Erik.Nordmark@sun.com>
Reply-To: Erik Nordmark <Erik.Nordmark@sun.com>
Subject: Re: [Fwd: [Saad] Some initiating thoughts...]
To: James Kempf <kempf@docomolabs-usa.com>
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, Leslie Daigle <leslie@thinkingcat.com>, saad@ietf.org, M.Handley@cs.ucl.ac.uk
In-Reply-To: "Your message with ID" <017a01c398e7$ff74d520$2a6015ac@dclkempt40>
Message-ID: <Roam.SIMC.2.0.6.1066909006.21069.nordmark@bebop.france>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: saad-admin@ietf.org
Errors-To: saad-admin@ietf.org
X-BeenThere: saad@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=unsubscribe>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>
List-Post: <mailto:saad@ietf.org>
List-Help: <mailto:saad-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=subscribe>

> But much of the appeal for firewalls (and some people extend this to limited
> scope addressing, but I'm not sure if the extension is really necessary)
> lies in their ability to limit DoS attacks. DoS attacks are essentially
> attacks on a network and I have some trouble seeing how end to end security
> between two devices can limit a DoS attack. Maybe I am missing something,
> however.

Yep - end2end security isn't sufficient if you have a wide range of
network bandwidth (and too some extent also CPU capacity to deal
with network packets) across the network.

Some approaches to deal with DoS is thus needed.

I don't know if anybody is working on host-assisted approaches.
I can imagine interesting approaches like hosts on slow links sending 
"priority lists" upstream (to specify the relative priority of packets - 
based on a class description - that are destined towards the host) as one
way of being able to cope with DoS flooding attacks.

  Erik


_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad