[openib-general] RE: [dat-discussions] round 2 - proposal for socket based connection model
Caitlin Bestler
caitlinb at broadcom.com
Tue Oct 25 11:23:34 PDT 2005
> -----Original Message-----
> From: Tom Tucker [mailto:tom at opengridcomputing.com]
> Sent: Tuesday, October 25, 2005 11:13 AM
> To: Caitlin Bestler
> Cc: Sean Hefty; Kanevsky, Arkady; swg at infinibandta.org; DAT
> Collaborative; openib-general at openib.org
> Subject: RE: [openib-general] RE: [dat-discussions] round 2 -
> proposal for socket based connection model
>
> On Tue, 2005-10-25 at 10:51 -0700, Caitlin Bestler wrote:
> >
> >
> > >
> > > I believe that the assurances you are talking about are
> peculiar to
> > > an implementation, not to the network.
> > >
> >
> > I disagree. Anytime you send an IP datagram on an IP
> network you are
> > expected to provide an authentic source address. Any intermediate
> > network device MAY enforce that rule and drop packets with invalid
> > source addresses.
> >
>
> I don't see anything in the protocol specs (RFC 791, RFC 793,
> ...) that talks about this, so we just have to agree to disagree. :-)
>
Joe Touch's current draft on spoofing prevention covers this well
in Section 3.2 (draft-ietf-tcpm-tcp-antispoof-02). IP networks can
prevent address spoofing at the network layer using IPSec or by
having border routers/filters validate the source address of incoming
packets against routing rules.
The latter is covered in RFC 2827 "Ingress Filtering for Multihomed
Networks" and RFC 2267 "Network Ingress Filtering: Defeating
Denial of Service Attacks which employ IP Address Spoofing".
And more generally, in a TCP network a non-privileged client is NOT
allowed to bind to any address and is NOT allowed to send raw Ethernet
to bypass the host stack.
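The border-router check described above (validating a packet's source address against the interface it arrived on, per RFC 2827, plus a reverse-path check against the routing table), as an added illustration that is not part of this thread. The routing table, per-interface prefix lists, bogon list and addresses are all constructed for the example.

```python
"""Ingress source-address validation, RFC 2827 style (added example)."""
import ipaddress

# Constructed routing table for a small border router: prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "uplink",
    "203.0.113.0/24": "cust_a",
    "198.51.100.0/25": "cust_b",
}

# Constructed per-interface source prefix lists (the static RFC 2827 ingress filter):
# a customer-facing port only admits sources inside that customer's allocation.
INGRESS_ACL = {
    "cust_a": ["203.0.113.0/24"],
    "cust_b": ["198.51.100.0/25"],
}

# Constructed bogon list: sources that must never be accepted from any external port.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16"]


def egress_interface(addr: str, routes=ROUTES):
    """Longest-prefix match: which interface would this router use to reach addr?"""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_verdict(src: str, in_iface: str, acl=INGRESS_ACL, routes=ROUTES) -> str:
    """Decide whether a packet with source src arriving on in_iface is forwarded."""
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(b) for b in BOGONS):
        return "drop:bogon"
    # Static ingress filter on customer ports.
    if in_iface in acl and not any(ip in ipaddress.ip_network(p) for p in acl[in_iface]):
        return "drop:acl"
    # Strict reverse-path check: the route back to src must point at the arrival port,
    # so an outside packet claiming a customer's address is rejected on the uplink.
    if egress_interface(src, routes) != in_iface:
        return "drop:urpf"
    return "forward"
```

Strict reverse-path checking on the uplink can drop legitimate traffic when routing is asymmetric, which is why operators normally rely on the static prefix lists at customer edges and use loose mode (source merely routable) toward peers.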