> From: "Tony Hain" <alh-ietf@tndh.net>

> it may be more convenient to have the border deal with DOS, but is it
> *required* as Noel asserted?

First, there's "good idea", "required", and "*required*". It's *required* that your computer have a test-and-branch instruction to be a Turing machine. It's not *required* that it have a jump instruction, but all computers do - so it's pretty much required in a machine architecture. An example of "good idea" would be lots of registers - most machines have that, but not all. Etc, etc.

I never said it was *required* to have some security functions at the border - merely that it was likely to happen for a variety of reasons (e.g. policy enforcement in a large organization). I think my meaning was somewhere between "good idea" and "required" (as defined above) - I don't know exactly where.

Second, when I made my statement about "security alone demands that we be able to move some functionality to a 'site border router', or some such", I was speaking of security stuff in general, not DoS protection in particular.

I think there are different kinds of DoS attacks (I actually created a taxonomy of DoS attacks for a research effort I'm involved with), and I expect that different DoS attacks will need different mechanisms to handle them (i.e. in the most efficient and robust manner - bearing in mind the old adage that "an engineer is someone who can do for $1 what any fool can do for $5"). I suspect that some might be at the borders, some might be at the servers - but that's my intuition.

But DoS is still a very limited corner of "security".

Noel