[rrg] Fundamental objections to a host-based scalable routing solution
Darrel Lewis (darlewis)
darlewis at cisco.com
Thu Nov 27 10:57:35 PST 2008
> |But, the mapping system gives the ETR a means for determining the set
> |of RLOCs from which packets that use specific EIDs may originate.
>
> Do you seriously think that an ETR is going to verify the
> source EID against the source RLOC?
>
> Even after significant efforts today, we can't get source
> address anti-spoof filtering implemented to a significant extent.

Actually, as a point of fact, we have. We've got 75-80% coverage, based
on studies presented at the *NOG forums. That's significant. It has
dropped spoofed attacks from 50%+ of total attacks to less than 5% of
total attacks, IIRC. It's MUCH easier today to just own a few tens of
thousands of hosts and not to bother spoofing.

I don't see why we can't enforce anti-spoofing on encap, since it
requires a mapping to be in place. And we can on decap easily where the
traffic is symmetrical (that is, there is a mapping for the source
RLOC/EID pair).
-Darrel
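
The encap and decap checks discussed in the message above, sketched as an added example that is not part of the original post or of any LISP implementation. The map-cache layout, the local EID list, the function names and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
# ETR map-cache: EID prefix -> RLOCs allowed to originate packets for it.
MAP_CACHE = {
    "198.51.100.0/24": {"192.0.2.1", "192.0.2.2"},
    "198.51.100.128/25": {"192.0.2.9"},
}
# EID prefixes attached behind this ITR (assumed input for the encap check).
LOCAL_EIDS = ["203.0.113.0/24"]


def lookup(eid, cache):
    """Longest-prefix match of an EID in the map-cache; None if no mapping."""
    addr = ipaddress.ip_address(eid)
    best = None
    for prefix, rlocs in cache.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rlocs)
    return best


def check_decap(outer_src_rloc, inner_src_eid, cache=MAP_CACHE):
    """ETR side: verify the outer source RLOC against the inner source EID."""
    hit = lookup(inner_src_eid, cache)
    if hit is None:
        # No mapping for the source EID (asymmetric traffic): the pair
        # cannot be checked, so the caller's policy decides what to do.
        return "unverified"
    return "accept" if outer_src_rloc in hit[1] else "drop"


def check_encap(inner_src_eid, local_eids=LOCAL_EIDS):
    """ITR side: encapsulate only packets sourced from a local EID prefix."""
    addr = ipaddress.ip_address(inner_src_eid)
    ok = any(addr in ipaddress.ip_network(p) for p in local_eids)
    return "encap" if ok else "drop"


if __name__ == "__main__":
    print(check_decap("192.0.2.1", "198.51.100.10"))   # RLOC listed for the /24
    print(check_decap("192.0.2.1", "198.51.100.200"))  # /25 names another RLOC
    print(check_decap("192.0.2.1", "203.0.113.5"))     # no mapping in cache
    print(check_encap("198.51.100.10"))                # not a local EID
```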