[e2e] 100% NAT - a DoS proof internet

Jon Crowcroft Jon.Crowcroft at cl.cam.ac.uk
Tue Feb 14 04:13:31 PST 2006

 >>>  >>If you want to protect against address scans then move to IPv6 :)
 >>>  >>(though one infected box and they have the local subnet)

 >>> I use a Mac - it uses IPv6 by default if it's there -
 >>> problem is the ISPs don't :-(
 >>> your move.
 >>A very easy move: http://www.sixxs.net or google("10 steps ipv6")
 >>(Chess, mate ;)

I can use IPv6, yes, but it ain't end to end, is my point - until it is,
it doesn't provide as solid an approach as I'd like - but it is a
 >>Seeing that your mail address is based in the ac.uk part, you might want
 >>to check even things closer to you. There are 2 ac.uk based brokers at:
 >>http://www.sixxs.net/tools/aiccu/brokers/ which also lists a large
 >>number of other places to get connectivity from. In the ac.uk area most
 >>likely Tim Chown is able to tell you quite well where to get good
 >>quality connectivity from.

Gosh, I was involved in IPv6 design too - I am a fan...!!!
 >>If you need any help in getting IPv6 set up and running don't hesitate
 >>to ask. No firewall or other blocking mechanism has kept me from getting
 >>IPv6 connectivity ;)

But it ain't end2end 'cos no tier-1 runs it in the core....
 >>>  >>Also, the target of the DoS will just shift with your idea, from the
 >>>  >>end-host to the NAT box that is 'protecting' it. Which in turn make it
 >>>  >>actually harder to work against these attacks. Just read up on some of
 >>>  >>the timelines about attacks against IRC servers. First they targeted the
 >>>  >>IRC servers themselves, after that they started dos'sing the links,
 >>>  >>which simply means they will kill off the routers in between the user and
 >>>  >>the server..
 >>> saying don't defend against X because everyone will move to attacking Y
 >>> is bogus.
 >>It's 'bogus' because? I just noted that the attack will move to another
 >>place and in many cases it will be a place which is harder to defend.
 >>Keeping it simple is then better ;)
Not if the current DoS attacks are a problem - and they are!
Plus enforcement or other places may be easier to defend (e.g. no
legacy software there), for example, so you can't just say
"it moves elsewhere" - by your own argument, you have to show that "it
moves elsewhere to somewhere harder, not easier, to defend".

 >>>  >>There is no real magic bullet. Law and especially enforcement is one of
 >>>  >>the few things that might help a bit, but that is not something we might
 >>>  >>want to see from the e2e point of view.
 >>> Gosh, we have law already and it's working so well, isn't it :)
 >>Note the 'especially' in that sentence, the enforcement is not there and
 >>if it was it would be made corrupt next to limiting freedom which is
 >>not what is wanted either. But that is politics, not technicalities and
 >>I don't like the first ;)

Sure - see my _original_ message - it has links to a LOT of work we do
on this PLUS on politics and regulation.
 >>> I didn't say this was a magic bullet - I said it was an idea for
 >>> defending against a specific problem. Yes, there are many problems and
 >>> the design space for solutions is multi-faceted.
 >>> Security people love to attack things - I disdain that - I like to
 >>> defend things :)
 >>But having to build defense upon defense, which is what you want to do
 >>by shifting the problem, is certainly not going to help. It will end up
 >>in a walled garden with mostly walls and not garden. It will keep you
 >>defending but I am pretty sure you'd rather sit on a lazy couch or do
 >>something else than keeping an eye out all the time. Of course from a
 >>research/work perspective it is fun but is it worth the effort? Better
 >>have something really good which can't be broken/circumvented too
 >>easily. In this problem space though, having legit traffic already
 >>breaks most of the solutions. But keep ideas coming of course, it might
 >>be that something gives somebody a great idea which does solve a large
 >>part of the problem. I am unfortunately quite a bit on the pessimistic
 >>side when it comes to (d)dos solvers, could be because of the amounts of
 >>traffic I have seen coming in after some 14 year old didn't get what he
 >>wanted and forgot to stop that part of the botnet when his mom called
 >>for dinner...

Indeed - this is a VERY important point
with which I can agree.

My proposal isn't a solution - it's a thinking point, and I agree it
does potentially create walled gardens, which is (I think) your best
objection to it!


