To complement my other reply, the reason it is called source address
validation, as I understand it, is because the operation being performed
is that of validating that the source address of an incoming packet
falls within an appropriate prefix. That operation is what protects
from source address spoofing. For the primary work of this WG, what we
are concerned with is providing the prefix information to use in that
validation step. (There is an inter-domain idea involving marking
packets. That is very different, and will need its own problem /
requirements / security & privacy analysis.)

It does sound like the charter could be clearer about this. Suggestions
for wording would help.

Yours,
Joel

On 6/3/2022 4:47 PM, Stephen Farrell wrote:
> Hi Joel,
>
> On 03/06/2022 21:38, Joel Halpern wrote:
>> While working groups can do all sorts of things, the expected results
>> of this work would be new or extended mechanisms for routers to
>> tell other routers what address prefixes
>
> Clarifying question: if prefixes are what are being validated
> why does the name mention addresses and the text "current SAV
> mechanisms" (where A==address presumably)?
>
> Ta,
> S.
>
>> they will be using as source address for packets they will be
>> forwarding. These are not the individual addresses of users. And,
>> conversely, this is exactly the information one needs to perform
>> source address spoof prevention. (Whether the proposed / expected
>> mechanisms will actually provide improved information is part of what
>> has to be determined.)
>>
>> Further, we have specified that the problem and requirements will be
>> spelled out before any solutions are examined by the working group.
>> So we can confirm that there is indeed a problem to solve.
>>
>> This is not "extend SAVI individual host registrations into ISPs." I
>> have no problem including privacy in the analysis. But I am much less
>> concerned than I was (and yes Stephen, I did take your concerns
>> seriously) when we did the SAVI work.
>>
>> Yours,
>> Joel