nanog mailing list archives
Re: Lazy network operators
From: Pekka Savola <pekkas () netcore fi>
Date: Fri, 16 Apr 2004 10:42:18 +0300 (EEST)
On Fri, 16 Apr 2004, Paul Vixie wrote:
> > > preventing DDoS and IP source address forgery each also break what
> > > the IAB calls "the end-to-end model".
> >
> > How so?
>
> I was thinking of RFC 1958:
>
>    An end-to-end protocol design should not rely on the maintenance of
>    state (i.e. information about the state of the end-to-end
>    communication) inside the network.
>
> While this is given as an argument in favour of datagrams (vs. circuits)
> as the best transport model, any stateful NAT or firewall violates it,
> any router or loadbalancer flow-quota violates it, and pretty much
> anything that can be done to protect against DDoS violates it.
"Protect" is an absolute term. Do you mean "eliminate completely"? That is
obviously an impossibility with or without state-based mechanisms.

On the other hand, we've had DDoS prevention mechanisms (based on multiple
rate-limiters, for different kinds of packets) deployed for over 6 months
now. They seem to work just fine, are always active, and require no state
in the network.

The biggest problem is obviously ensuring that the rate-limiter does not
starve (too badly) the legitimate users of the same class. Having multiple
classes helps with that, but will likely be less effective when the
attackers get smarter and choose attacks which are indistinguishable from
mainstream applications.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings