Lin - I agree with you that DoS is an unsolved issue that we have yet to tackle. However, I don't think we can solve the issue, for all address configuration methods, simply by changing which packets we snoop. SLAAC in particular is an address configuration method where an attacker can overload a SAVI device just as easily with control packets (i.e., Neighbor Solicitation packets) as with datagram packets. The only scenario in which snooping control packets instead of datagram packets could mitigate the DoS issue is where addresses are exclusively assigned via DHCP. A SAVI device can then exclusively rely on messages being sent by a server (not directly by the attacker), such that a DoS attack against a SAVI device reduces to the existing threat of a DoS attack against a DHCP server.

FWIW: Some SAVI participants were considering a DHCP-only option for SAVI during IETF 73.

- Christian

On Dec 22, 2008, Lin Tao wrote:
Hello, Christian, Marcelo and Frank: I agree with Frank's view. Because forwarded packets are observed in the FCFS draft, the forwarding process is disrupted and the device is vulnerable, e.g. the SAVI cache table is exhausted, the CPU of the switch is busy, etc. In my opinion, observing the control protocol, e.g. DHCP or ND, is easy to implement in a switch, for these protocols have special characteristics that can be filtered at the switch port while forwarded packets are blocked.
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
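The argument above (an attacker fills a SAVI binding table with fresh source addresses whether the device snoops data packets or Neighbor Solicitations, and only server-originated DHCP messages take the attacker out of the loop) can be made concrete with a small model. This is an added example, not code from the thread or from any SAVI implementation; the table capacity, the per-port cap and the packet shapes are assumptions chosen for illustration.

```python
from collections import Counter

class SaviDevice:
    """Toy SAVI binding table. policy: 'fcfs-data', 'nd-snoop' or 'dhcp-only'.
    capacity and per_port_cap are assumed device limits, not values from the thread."""

    def __init__(self, policy, capacity, per_port_cap=None, server_port="uplink"):
        self.policy, self.capacity, self.per_port_cap = policy, capacity, per_port_cap
        self.server_port = server_port      # port on which the trusted DHCP server sits
        self.table = set()                  # bound (port, address) pairs
        self.per_port = Counter()           # bindings per anchor port
        self.stats = Counter()

    def _bind(self, port, addr):
        if (port, addr) in self.table:
            return True
        if len(self.table) >= self.capacity:
            self.stats["table_full"] += 1
            return False
        if self.per_port_cap is not None and self.per_port[port] >= self.per_port_cap:
            self.stats["port_cap"] += 1   # mitigation: one port cannot own the whole table
            return False
        self.table.add((port, addr)); self.per_port[port] += 1
        return True

    def observe(self, pkt):
        """Return True if the packet yields/has a binding. pkt: port, kind, src[, client_port]."""
        port, kind, addr = pkt["port"], pkt["kind"], pkt["src"]
        if self.policy == "fcfs-data" and kind == "data":   # first-come first-served on data
            return self._bind(port, addr)
        if self.policy == "nd-snoop" and kind == "ns":      # bind on DAD Neighbor Solicitation
            return self._bind(port, addr)
        if kind == "dhcp_ack" and port == self.server_port:  # server-sourced: trusted under any policy
            return self._bind(pkt["client_port"], addr)
        if kind == "data":                                   # otherwise data needs an existing binding
            return (port, addr) in self.table
        return False

def simulate(policy, per_port_cap=None, capacity=64, flood=200):
    """Attacker on port 'att' floods fresh addresses; then a legitimate host on 'h1' joins.
    Returns (legit_data_forwarded, attacker_bindings). All traffic is constructed."""
    dev = SaviDevice(policy, capacity, per_port_cap)
    kind = "data" if policy == "fcfs-data" else "ns"
    for i in range(flood):
        dev.observe({"port": "att", "kind": kind, "src": f"2001:db8::bad:{i:x}"})
    dev.observe({"port": "h1", "kind": "ns", "src": "2001:db8::1"})
    dev.observe({"port": "uplink", "kind": "dhcp_ack", "src": "2001:db8::1", "client_port": "h1"})
    forwarded = dev.observe({"port": "h1", "kind": "data", "src": "2001:db8::1"})
    return forwarded, dev.per_port["att"]
```

Data snooping and ND snooping both end with the table full and the legitimate host's traffic dropped; a per-port cap bounds the damage, and the DHCP-only policy leaves the attacker no way to create bindings at all, so the remaining exposure is the DHCP server itself.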