Thread-topic: [Fwd: [Saad] Some initiating thoughts...]
Hi Erik,

Typically, a DoS attack will be sourced from a host. Having the host be
responsible for advising the network how to prioritize packets is akin
to locking the henhouse to prevent fox attacks and then giving the fox
the key.

I believe the right place to apply policy is in the access switch. The
operators should know what types of traffic are likely to be generated
by the host, based on the role of the host in the organization, and can
preset policies to prioritize the desirable traffic. To handle mobility,
and finer-grained role-based policies, the operator can base the
expected traffic and priorities on the user's identity, qualified by
location and other factors.

dbh

> -----Original Message-----
> From: Erik Nordmark [mailto:Erik.Nordmark@sun.com]
> Sent: Thursday, October 23, 2003 7:37 AM
> To: James Kempf
> Cc: Erik Nordmark; Leslie Daigle; saad@ietf.org;
> M.Handley@cs.ucl.ac.uk
> Subject: Re: [Fwd: [Saad] Some initiating thoughts...]
>
>
> > But much of the appeal for firewalls (and some people extend this to limited
> > scope addressing, but I'm not sure if the extension is really necessary)
> > lies in their ability to limit DoS attacks. DoS attacks are essentially
> > attacks on a network and I have some trouble seeing how end to end security
> > between two devices can limit a DoS attack. Maybe I am missing something,
> > however.
>
> Yep - end2end security isn't sufficient if you have a wide range of
> network bandwidth (and to some extent also CPU capacity to deal
> with network packets) across the network.
>
> Some approaches to deal with DoS are thus needed.
>
> I don't know if anybody is working on host-assisted approaches.
> I can imagine interesting approaches like hosts on slow links sending
> "priority lists" upstream (to specify the relative priority of packets -
> based on a class description - that are destined towards the host) as one
> way of being able to cope with DoS flooding attacks.
>
> Erik
>
>
> _______________________________________________
> Saad mailing list
> Saad@ietf.org
> https://www1.ietf.org/mailman/listinfo/saad
>