On Fri, 16 Apr 2004, Paul Vixie wrote:
> > > preventing DDoS and IP source address forgery each also break what
> > > the IAB calls "the end-to-end model".
> >
> > How so?
>
> I was thinking of RFC 1958:
>
>    An end-to-end protocol design should not rely on the maintenance of
>    state (i.e. information about the state of the end-to-end
>    communication) inside the network.
>
> While this is given as an argument in favour of datagrams (vs. circuits)
> as the best transport model, any stateful NAT or firewall violates it,
> any router or loadbalancer flow-quota violates it, and pretty much
> anything that can be done to protect against DDoS violates it.
"Protect" is an absolute term.  Do you mean, "eliminate completely"?  That
is obviously an impossibility with or without state-based mechanisms.

On the other hand, we've had DDoS prevention mechanisms (based on multiple
rate-limiters, for different kinds of packets) deployed for over 6 months
now.  They seem to work just fine, are always active, and require no state
in the network.

The biggest problem is obviously ensuring that the rate-limiter does not
starve (too badly) the legitimate users of the same class.  Having multiple
classes helps with that, but will likely be less effective when the
attackers get smarter and choose attacks which are indistinguishable from
mainstream applications.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
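The per-class rate limiting described in the posting, as an added worked example that is not code from the thread or from any router implementation. It models one token bucket per kind of packet (the only state is a token count and a timestamp per class, never per flow or per source, so forged source addresses change nothing) and runs a constructed one-second trace through it: a small amount of legitimate ICMP, TCP SYN and TCP data traffic plus a 1000 pps ICMP flood. The class names, limits, packet fields and sample timings are assumptions made for the illustration. The result shows both halves of the argument above: the flood cannot touch the SYN or data classes, but it does starve the legitimate ICMP users who share the attacked class.

```python
"""Toy model of per-class rate limiting with no per-flow state.
Added example, not code from the list posting or from any vendor.
Traffic classes, rates and the sample packets are constructed."""
from collections import defaultdict


class TokenBucket:
    """Token bucket in integer arithmetic: time in milliseconds, tokens
    kept as millitokens, `rate` in tokens per second.  The whole state
    for a class is (millitokens, last_ms), however many sources send."""

    def __init__(self, rate, burst):
        self.rate = rate                  # tokens/second == millitokens/ms
        self.burst_mt = burst * 1000
        self.millitokens = self.burst_mt  # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        self.millitokens = min(self.burst_mt,
                               self.millitokens + elapsed * self.rate)
        if self.millitokens >= 1000:
            self.millitokens -= 1000
            return True
        return False


def classify(pkt):
    """Coarse class from protocol and flags only; the source address is
    never consulted, so forged sources can neither evade nor exhaust it."""
    if pkt["proto"] == "icmp":
        return "icmp"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return "tcp-syn"
    return "other"


def run_limiters(packets, limits):
    """Feed packets in time order through per-class buckets and return
    {(class, label): {"passed": n, "dropped": n}}.  `label` is experiment
    bookkeeping (legit vs attack); the limiter never sees it."""
    buckets = {cls: TokenBucket(*rb) for cls, rb in limits.items()}
    stats = defaultdict(lambda: {"passed": 0, "dropped": 0})
    # sorted() is stable, so packets with equal timestamps keep list order
    for pkt in sorted(packets, key=lambda p: p["t_ms"]):
        cls = classify(pkt)
        verdict = "passed" if buckets[cls].allow(pkt["t_ms"]) else "dropped"
        stats[(cls, pkt["label"])][verdict] += 1
    return dict(stats)


def starved_classes(stats):
    """Classes in which legitimate packets were dropped: the starvation
    problem the posting describes."""
    return sorted(cls for (cls, label), s in stats.items()
                  if label == "legit" and s["dropped"] > 0)


# Assumed limits: (tokens per second, burst) per class.
LIMITS = {"icmp": (10, 10), "tcp-syn": (100, 50), "other": (1000, 100)}


def sample_trace():
    """Constructed one-second trace, times in milliseconds."""
    legit = (
        [{"t_ms": t, "proto": "icmp", "label": "legit"}
         for t in (150, 350, 550, 750, 950)]
        + [{"t_ms": t, "proto": "tcp", "flags": "S", "label": "legit"}
           for t in range(0, 1000, 50)]
        + [{"t_ms": t, "proto": "tcp", "flags": "A", "label": "legit"}
           for t in range(0, 1000, 100)]
    )
    # ICMP flood at 1000 pps (one packet per ms) from forged sources.
    flood = [{"t_ms": t, "proto": "icmp", "label": "attack"}
             for t in range(1000)]
    return legit + flood


def demo():
    stats = run_limiters(sample_trace(), LIMITS)
    for key in sorted(stats):
        print(key, stats[key])
    print("starved classes:", starved_classes(stats))
    return stats


if __name__ == "__main__":
    demo()
```

With these numbers the ICMP bucket lets the first ten flood packets through on its burst and then one packet every 100 ms, and because the flood is always there to take each new token, all five legitimate pings are dropped while every SYN and data packet passes. Splitting classes further (e.g. echo requests vs. other ICMP) narrows the blast radius, which is exactly the point about attackers choosing traffic that is indistinguishable from the mainstream class they want to starve.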