Paul,
I object to the characterization of my comments as "propagating FUD."
One might equally well suggest that 2267 constitutes a naive model of
how to prevent IP spoofing, but I was polite enough not to say that
:-).
From a security perspective, it is never desirable to rely on a
mechanism that assumes that everyone else does "the right thing."
When one suggests that a first tier ISP would not need to filter
traffic from downstream providers, because IF they do the filtering,
then the problem will not arise via those links, one is suggesting
precisely this sort of model.
Edge filtering would often be helpful, but it is not a panacea, as
pointed out by others in regard to the current set of attacks, nor is
the performance impact trivial with most current routers. Because
most routers are optimized for transit traffic forwarding, the
ability to filter on the interface cards is limited, as I'm sure you
know. Also, several of the distributed DoS attacks we are seeing do
not use fake source addresses from other sites, so simple filtering
of the sort proposed in 2267 would not be effective in these cases.
Finally, I am aware of new routers for which this sort of filtering
would be child's play, but they are not yet deployed. One ought not
suggest that edge filtering is not being applied simply because of
laziness on the part of ISPs.
Steve
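As an added illustration (not part of Steve's message), the following toy model of an RFC 2267-style source-address check makes his two points concrete: a filter at the customer edge stops forged sources, but it does nothing against a flood sent from genuine addresses, and a tier-1 that skips filtering because it trusts its downstream is only as good as the least diligent downstream. The prefixes, addresses and three-hop topology are constructed for the example.

```python
# Added example: toy model of RFC 2267 ingress filtering. Topology and
# addresses are constructed for illustration only.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class IngressFilter:
    """Permit a packet only if its source lies inside the prefixes that the
    customer-facing interface is expected to originate (the 2267 check)."""

    def __init__(self, allowed_prefixes):
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def permits(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.allowed)


def deliver(path, pkt: Packet) -> bool:
    """Walk the packet along a list of hops. Each hop is an IngressFilter or
    None (link with no filtering). True means the packet reaches the end."""
    return all(hop is None or hop.permits(pkt) for hop in path)


# Constructed topology: a stub customer on 192.0.2.0/24 behind ISP A, which
# filters; a tier-1 above it that relies on its downstreams and does not.
customer_edge = IngressFilter(["192.0.2.0/24"])
tier1_from_downstream = None   # tier-1 trusts the downstream to filter
unfiltered_isp_edge = None     # a downstream that never deployed 2267
VICTIM = "198.51.100.1"


def spoofed_via_filtering_isp() -> bool:
    # Forged source outside the customer prefix: the edge filter drops it.
    return deliver([customer_edge, tier1_from_downstream], Packet("203.0.113.7", VICTIM))


def flood_with_genuine_source() -> bool:
    # Distributed flood from real hosts: every source is legitimate, so the
    # 2267 check cannot tell it from normal traffic and forwards it.
    return deliver([customer_edge, tier1_from_downstream], Packet("192.0.2.10", VICTIM))


def spoofed_via_unfiltered_isp() -> bool:
    # The tier-1 assumed its downstream filters; this one does not.
    return deliver([unfiltered_isp_edge, tier1_from_downstream], Packet("203.0.113.7", VICTIM))
```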