nanog mailing list archives

Re: IPv6, IPSEC and DoS


From: Todd Vierling <tv () duh org>
Date: Mon, 3 Jan 2005 16:59:10 -0500 (EST)


On Mon, 3 Jan 2005, Sean Donelan wrote:

> Not necessarily.  Some public networks are moving away from the ask
> everyone the question, anyone can answer model. It cuts down on the
> chatter, and the spoofing.  That doesn't mean you have to go to a static
> provisioning model, but it does mean you have to think harder about what
> you trust, what asks the questions and what answers the questions.

One example is the typical cable modem provider.  A DOCSIS modem is
provisioned with a MAC address known to the telco, and effectively creates a
virtual "port" on a huge switch^Whub with the modem's MAC as the port
identifier.

The MAC of the device behind the virtual port is then provisioned using some
sort of interface that detects and stores that MAC address as associated
with the modem.  At that point it's easy to automate the process and allow
packets from known MAC addresses through only their associated virtual
ports.

-- 
-- Todd Vierling <tv () duh org> <tv () pobox com>
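A toy model of the MAC-to-virtual-port binding Todd describes, added here as an example that is not part of the original post: the class and method names are assumptions, and the modem and CPE MAC addresses in demo() are constructed.

```python
class CmtsPortTable:
    """Each provisioned modem MAC is a virtual port. The first CPE MAC seen behind
    a port is learned and locked to it; any other source MAC is dropped and logged."""
    def __init__(self):
        self.modem_ports = {}   # modem MAC -> virtual port id (provisioned)
        self.cpe_binding = {}   # port id -> learned CPE MAC
        self.port_of_cpe = {}   # CPE MAC -> port id (reverse index)
        self.violations = []    # (port, offending source MAC, reason)

    def provision_modem(self, modem_mac, port):
        self.modem_ports[modem_mac.lower()] = port

    def admit(self, modem_mac, src_mac):
        """Return True if a frame with src_mac arriving via modem_mac is forwarded."""
        port = self.modem_ports.get(modem_mac.lower())
        src = src_mac.lower()
        if port is None:
            self.violations.append((None, src, "unprovisioned modem"))
            return False
        bound = self.cpe_binding.get(port)
        if bound is None:
            # A CPE MAC may live behind only one modem: refuse to learn a MAC
            # already locked to another port instead of silently rebinding it.
            other = self.port_of_cpe.get(src)
            if other is not None and other != port:
                self.violations.append((port, src, "already bound to %s" % other))
                return False
            self.cpe_binding[port] = src
            self.port_of_cpe[src] = port
            return True
        if bound == src:
            return True
        self.violations.append((port, src, "does not match learned %s" % bound))
        return False


def demo():
    t = CmtsPortTable()
    t.provision_modem("00:10:95:AA:BB:01", "vport-1")   # constructed modem MACs
    t.provision_modem("00:10:95:AA:BB:02", "vport-2")
    results = [
        t.admit("00:10:95:AA:BB:01", "00:0C:29:11:11:11"),  # first CPE on vport-1: learned
        t.admit("00:10:95:aa:bb:01", "00:0c:29:11:11:11"),  # same CPE, case-insensitive
        t.admit("00:10:95:AA:BB:01", "00:0C:29:22:22:22"),  # second MAC on vport-1: drop
        t.admit("00:10:95:AA:BB:02", "00:0C:29:11:11:11"),  # vport-1's MAC via modem 2: drop
        t.admit("00:10:95:AA:BB:02", "00:0C:29:33:33:33"),  # vport-2 learns its own CPE
        t.admit("DE:AD:BE:EF:00:00", "00:0C:29:33:33:33"),  # unprovisioned modem: drop
    ]
    return results, t.violations
```

The violations list is what an operator would feed to monitoring; in this model a rejected frame never rebinds a port, so a learned MAC stays locked until the provisioning system clears it.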

