At 12:01 PM 10/13/04 +0200, Iljitsch van Beijnum wrote:
> Trusting the source when it says that its packets aren't evil might be sub-optimal. Evaluation of evilness is best left up to the receiver.
Likely true. Next question is whether the receiver can really determine that in real time. For some things, yes, but for many things it is not as obvious to me.
Correct me if I'm wrong here, but my interpretation of this suggestion was not that we should trust the source to mark packets but that we should trust our peers to mark packets. This seems to be something that is workable since most people have a manageable number of peers. Presumably each peer could mark the traffic based on what they know about their customer's network. If a customer follows all best practices, they mark it with the non-evil bit, otherwise not.

If truly evil traffic is coming in from a peer, then one could apply mitigating actions only to traffic that is not marked non-evil, either blackholing it all or diverting it to a router that will perform complex filtering or heavily rate limiting it.

It seems to me that really addressing DDoS, botnets, etc., requires network operators to agree on some sort of common coordinated action, and using a network protocol to communicate about this coordinated action would be very useful. This doesn't mean that the non-evil bit is the only way, but the idea of network operators marking traffic in some way to indicate their level of confidence in its normality seems to be worth pursuing. It seems to be the natural progression of projects like the selection found at cymru.com.

--Michael Dillon
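The peer-marking scheme Michael sketches, as an added example in Python (this is not code from the thread, and nothing in it reflects any operator's real deployment). It assumes, beyond what the posts say, that peers are identified by their ingress interface, that the non-evil mark is carried as a boolean on each packet (a real implementation would use a header codepoint), and that unmarked traffic for a destination under attack is diverted to a filtering router behind a token bucket rather than blackholed outright. The one check worth noticing is at the trust boundary: a mark arriving from a peer you have no marking agreement with is cleared, the same way a QoS codepoint is re-marked at an untrusted edge, otherwise an attacker's upstream simply sets the bit.

```python
"""Border-router handling of a peer-set "non-evil" mark (added example).

Assumptions not in the original posts: peers are named by ingress interface,
the mark is a boolean on the packet, and unmarked traffic for a destination
under mitigation is diverted to a scrubbing router behind a byte-rate limiter.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    FORWARD = "forward"  # normal forwarding path
    DIVERT = "divert"    # hand to a filtering router for deeper inspection
    DROP = "drop"        # divert budget exhausted; protect the scrubber


@dataclass
class Packet:
    peer: str        # ingress peer that handed us the packet (assumption)
    dst: str
    size: int        # bytes
    non_evil: bool   # mark exactly as received on the wire


class TokenBucket:
    """Byte-rate limiter: refills at rate_bps bytes/sec, capped at burst bytes.
    Packets must be offered in non-decreasing time order."""

    def __init__(self, rate_bps: float, burst: int) -> None:
        self.rate = rate_bps
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class BorderPolicy:
    def __init__(self, marking_peers, divert_rate_bps: float, divert_burst: int) -> None:
        # Only peers we have a marking agreement with are believed; any other
        # mark is cleared at the trust boundary so it cannot be spoofed past us.
        self.marking_peers = frozenset(marking_peers)
        self.under_attack: set[str] = set()
        self.bucket = TokenBucket(divert_rate_bps, divert_burst)

    def trusted_mark(self, pkt: Packet) -> bool:
        return pkt.non_evil and pkt.peer in self.marking_peers

    def mitigate(self, dst: str) -> None:
        self.under_attack.add(dst)

    def clear(self, dst: str) -> None:
        self.under_attack.discard(dst)

    def classify(self, pkt: Packet, now: float) -> Action:
        if pkt.dst not in self.under_attack:
            return Action.FORWARD            # no mitigation active for this target
        if self.trusted_mark(pkt):
            return Action.FORWARD            # peer vouched for it; leave it alone
        if self.bucket.allow(pkt.size, now):
            return Action.DIVERT             # unmarked: send to the scrubber
        return Action.DROP                   # scrubber budget used up


def run(policy: BorderPolicy, stream):
    """Apply the policy to (time, packet) pairs; return actions and per-action counts."""
    actions = [policy.classify(pkt, t) for t, pkt in stream]
    counts = {a.value: actions.count(a) for a in Action}
    return actions, counts


# Constructed sample traffic (not captured data): 10.0.0.1 is under attack,
# only peerA has agreed to mark, divert budget is 1000 B/s with a 1500 B burst.
SAMPLE_STREAM = [
    (0.0, Packet("peerA", "10.0.0.1", 500, True)),    # trusted mark: forward
    (0.0, Packet("peerB", "10.0.0.1", 500, True)),    # mark from non-marking peer: ignored, divert
    (0.0, Packet("peerA", "10.0.0.1", 1000, False)),  # unmarked: divert, bucket now empty
    (0.0, Packet("peerA", "10.0.0.1", 100, False)),   # unmarked, no budget: drop
    (0.5, Packet("peerB", "10.0.0.1", 400, False)),   # 500 B refilled: divert
    (0.5, Packet("peerB", "10.0.0.2", 9000, False)),  # other destination: forward
]


def demo():
    policy = BorderPolicy(marking_peers={"peerA"}, divert_rate_bps=1000, divert_burst=1500)
    policy.mitigate("10.0.0.1")
    return run(policy, SAMPLE_STREAM)


if __name__ == "__main__":
    actions, counts = demo()
    for (t, pkt), action in zip(SAMPLE_STREAM, actions):
        print(f"t={t:<4} {pkt.peer:>5} -> {pkt.dst:<9} {pkt.size:>5}B mark={pkt.non_evil!s:<5} {action.value}")
    print(counts)
```

Run it as-is to see the six decisions; swap `marking_peers` or the bucket parameters to see how much unmarked traffic reaches the scrubber before the policy falls back to dropping.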