[e2e] 100% NAT - a DoS proof internet

Jon Crowcroft Jon.Crowcroft at cl.cam.ac.uk
Tue Feb 14 04:13:31 PST 2006


In missive <1139916184.27853.32.camel at firenze.zurich.ibm.com>, Jeroen Massar ty
ped:

 >>>  >>If you want to protect against address scans then move to IPv6 :)
 >>>  >>(though one infected box and they have the local subnet)

 >>> I use a MAC _ it uses IPv6 by default if its there -=20
 >>> problem is the ISPs dont :-(
 >>> your move.
 
 >>A very easy move: http://www.sixxs.net or google("10 steps ipv6")
 >>(Chess, mate ;)

i can use ipv6 yes, but it aint end to end is my point - until it is,
it doesn't provide as solid an approach as I'd like - but it is a
start
 
 >>Seeing that your mail address is based in the ac.uk part, you might want
 >>to check even things closer to you. There are 2 ac.uk based brokers at:
 >>http://www.sixxs.net/tools/aiccu/brokers/ which also lists a large
 >>number of other places to get connectivity from. In the ac.uk area most
 >>likely Tim Chown is able to tell you quite well where to get good
 >>quality connectivity from.

gosh, i was involved in ipv6 design too - i am a fan...!!!
 
 >>If you need any help in getting IPv6 set up and running don't hesitate
 >>to ask. No firewall or other blocking mechanism has kept me from getting
 >>IPv6 connectivity ;)

but it aint end2end coz no tier1 runs it in th core....
 
 >>>  >>Also, the target of the DoS will just shift with your idea, from the
 >>>  >>end-host to the NAT box that is 'protecting' it. Which in turn make it
 >>>  >>actually harder to work against these attacks. Just read up on some of
 >>>  >>the timelines about attacks against IRC servers. First the targetted t=
 >>he
 >>>  >>irc servers themselves, after that they started dos'sing the links,
 >>>  >>which simply means they will kill of the routers in between the user a=
 >>nd
 >>>  >>the server..
 
 >>> saying dont defend against X because everyone will move to attacking Y
 >>> is bogus.
 >>
 >>It's 'bogus' because? I just noted that the attack will move to another
 >>place and in many cases it will be a place which is harder to defend.
 >>Keeping it simple is then better ;)
 
not if the current DOS attacks are a problem - and they are!
plus enforcement or other places may be easier to defend (e.g. no
legacy software there) for exampl,e so you can't just say 
"it moves elsewhere" - by your own argument, you have to show that "it
moves elswhere to somewhere harder, not easier, to defend".

 >>>  >>There is no real magic bullet. Law and especially enforcement is one o=
 >>f
 >>>  >>the few things that might help a bit, but that is not something we mig=
 >>ht
 >>>  >>want to see from the e2e point of view.
 >>>=20
 >>> gosh, we have law already and its working so well isnt it:)
 
 >>Note the 'especially' in that sentence, the enforcement is not there and
 >>if it was it would be made corrupt next to limitting freedom which is
 >>not what is wanted either. But that is politics, not technicallities and
 >>I don't like the first ;)

sure - see my _original_ mesage - it has links to a LOT of work we do
on this PLUS on politics and regulation.
 
 >>> i didnt say this was a magic bullet - i said it was an idea for
 >>> defending against a specific problem. yes there are many problems and
 >>> the design space for solutions is multi-faceted.
 
 >>> security people love to attack things - i disdain that- i like to
 >>> defend things:)
 >>
 >>But having to build defense upon defense, which is what you want to do
 >>by shifting the problem, is certainly not going to help. It will end up
 >>in a walled garden with mostly walls and not garden. It will keep you
 >>defending but I am pretty sure you'd rather sit on a lazy couch or do
 >>something else than keeping an eye out all the time. Of course from a
 >>research/work perspective it is fun but is it worth the effort? Better
 >>have something really good which can't be broken/circumvented too
 >>easily. In this problem space though, having legit traffic already
 >>breaks most of the solutions. But keep ideas coming of course, it might
 >>be that something gives somebody a great idea which does solve a large
 >>part of the problem. I am unfortunately quite a bit on the pessimistic
 >>side when it comes to (d)dos solvers, could be because of the amounts of
 >>traffic I have seen coming in after some 14 year old didn't get what he
 >>wanted and forgot to stop that part of the botnet when his mom called
 >>for dinner...

indeed - this is a VERY important point
with wich i can agree

my proposal isn't a solution - its a thinking point and I agree it
does potentially create walled gardens which is (i think) your best
objection to it!

cheers
j. 


More information about the end2end-interest mailing list