Re: IPv6, IPSEC and DoS

From: Todd Vierling (no email)
Date: Mon Jan 03 2005 - 16:59:10 EST

  • Next message: Susan Harris: "Sunday evening meeting"

    On Mon, 3 Jan 2005, Sean Donelan wrote:

    > Not necessarily. Some public networks are moving away from the ask
    > everyone the question, anyone can answer model. It cuts down on the
    > chatter, and the spoofing. That doesn't mean you have to go to a static
    > provisioning model, but it does mean you have to think harder about what
    > you trust, what asks the questions and what answers the questions.

    One example is the typical cable modem provider. A DOCSIS modem is
    provisioned with a MAC address known to the telco, and effectively creates a
    virtual "port" on a huge switch^Whub with the modem's MAC as the port
    identifier.

    The MAC of the device behind the virtual port is then provisioned using some
    sort of interface that detects and stores that MAC address as associated
    with the modem. At that point it's easy to automate the process and allow
    packets from known MAC addresses through only their associated virtual
    ports.

    -- 
    -- Todd Vierling
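
The learn-then-enforce binding described in the message above, sketched as an added example that is not part of the original post or any DOCSIS implementation. The class name, the decision strings, the sample MAC addresses (constructed, from the documentation range) and the choice to refuse a second binding of an already-bound MAC are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BindingTable:
    """Source-MAC binding with one virtual port per provisioned modem."""
    modems: set                                    # modem MACs known to the provider
    cpe_owner: dict = field(default_factory=dict)  # device MAC -> modem MAC (virtual port)

    def __post_init__(self):
        self.modems = {m.lower() for m in self.modems}

    def provision(self, modem_mac, cpe_mac):
        """Store the device MAC detected behind a modem (the provisioning step)."""
        modem_mac, cpe_mac = modem_mac.lower(), cpe_mac.lower()
        if modem_mac not in self.modems:
            return "reject: unknown modem"
        owner = self.cpe_owner.get(cpe_mac)
        if owner is not None and owner != modem_mac:
            # Assumption: a MAC may be associated with only one virtual port.
            return "reject: MAC already bound to another port"
        self.cpe_owner[cpe_mac] = modem_mac
        return "bound"

    def check(self, modem_mac, src_mac):
        """Decide whether a frame entering via a modem's virtual port may pass."""
        modem_mac, src_mac = modem_mac.lower(), src_mac.lower()
        if modem_mac not in self.modems:
            return "drop: unknown modem"
        owner = self.cpe_owner.get(src_mac)
        if owner is None:
            return "drop: unprovisioned MAC"
        if owner != modem_mac:
            return "drop: MAC bound to another port"
        return "forward"

# Constructed sample addresses (00:00:5e:00:53:xx is reserved for documentation).
MODEM_A, MODEM_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
PC_A, PC_B = "00:00:5e:00:53:a1", "00:00:5e:00:53:b1"

def demo():
    table = BindingTable({MODEM_A, MODEM_B})
    table.provision(MODEM_A, PC_A)
    frames = [(MODEM_A, PC_A),   # legitimate device on its own port
              (MODEM_B, PC_A),   # same source MAC claimed from another port
              (MODEM_A, PC_B)]   # device that was never provisioned
    return [table.check(modem, src) for modem, src in frames]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```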
    
