Re: [Nea] Re: WG Review: Network Endpoint Assessment (nea)

Andy Bierman wrote:
> I don't agree that this is low-hanging fruit.
> The server component of this system seems like a wonderful
> new target for DDoS and masquerade attacks.
Well, first of all I don't see why this is any different than a RADIUS
server.  In fact it could be that the access box forwards information in
a very similar way.  But let's say that it doesn't work that way just
for yucks.  Another approach is that the clients themselves must have a
server on them and the queries go the other way.  In this case the
server need only check either a source address or a transaction ID. 
Furthermore, there is no reason for clients outside of that AS to have
access to that server, so it's a good candidate for an ACL.  Of course
this creates a risk of attack on the clients themselves, which brings me
to one of my greater concerns:

In many of the mechanisms that communicate between client and network we
are not finding good ways to prove the legitimacy of the service to the
client.  This is an area that perhaps it would be good to get the IRTF
to work on.

Eliot

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
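The "queries go the other way" design Eliot sketches above has two checks on the client-hosted server: a source-address ACL limited to the operator's own network, and a transaction ID so that an unsolicited or replayed query is not answered. The following is an added illustration of those two checks, not code from the message or from the NEA working group; the prefixes, the TTL and the `ClientResponder` name are constructed for the example.

```python
"""Added example (not part of the original message): a client-hosted
assessment responder that answers a query only if it arrives from an
address inside the operator's own prefixes (the ACL Eliot mentions) and
carries a transaction ID this client issued, has not already consumed,
and that has not expired. Prefixes, TTL and names are constructed."""
import ipaddress
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed ACL: the operator's own address space. In practice this
# would be the prefixes of the AS the client sits in, nothing else.
ALLOWED_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class ClientResponder:
    """Endpoint-side responder: mints transaction IDs, then gates queries."""
    ttl: float = 30.0                          # seconds a txid stays valid
    pending: Dict[str, float] = field(default_factory=dict)  # txid -> expiry
    clock: Callable[[], float] = time.monotonic  # injectable for testing

    def issue_txid(self) -> str:
        """Mint an unguessable one-shot transaction ID for one exchange."""
        txid = secrets.token_hex(16)
        self.pending[txid] = self.clock() + self.ttl
        return txid

    def accept(self, src_ip: str, txid: str) -> Tuple[bool, str]:
        """Return (accepted, reason) for a query from src_ip carrying txid.

        Order matters: the ACL is evaluated first so traffic from outside
        the operator's prefixes never touches the transaction table.
        """
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in ALLOWED_PREFIXES):
            return False, "acl: source outside operator prefixes"
        # pop() makes the ID single-use, so a replayed query is rejected
        # even if it arrives from an allowed address within the TTL.
        expiry = self.pending.pop(txid, None)
        if expiry is None:
            return False, "txid: unknown or already used"
        if self.clock() > expiry:
            return False, "txid: expired"
        return True, "ok"

    def expire_stale(self) -> int:
        """Drop expired IDs so an attacker cannot grow the table unbounded."""
        now = self.clock()
        stale = [t for t, exp in self.pending.items() if now > exp]
        for t in stale:
            del self.pending[t]
        return len(stale)


if __name__ == "__main__":
    r = ClientResponder()
    t = r.issue_txid()
    print(r.accept("10.1.2.3", t))          # legitimate query
    print(r.accept("10.1.2.3", t))          # replay of the same ID
    print(r.accept("203.0.113.9", r.issue_txid()))  # outside the ACL
```

The two checks are cheap, which is the point of Eliot's argument: the client does not need to authenticate the network here, only to refuse traffic it did not invite. It does nothing for his larger concern, proving the legitimacy of the service to the client, which this code leaves open just as the message does.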
