"Jonathan M. Bresler" <jmb@kryten.Atinc.COM> writes: >On Tue, 24 Jan 1995, Jim Duncan wrote: > >> > As has been pointed out, only network or >> > transport-level encryption will entirely block these attacks. >> >> That's correct. That and teach people the difference between identification >> and authentication. > > a filtering router is enough to prevent this attack from being >used from "the outside". This is all well and good as long as there is a simple "inside"/"outside" distinction. I am in this happy situation at the moment, and I have a filter between my dept and the main campus which rejects external packets claiming an internal src IP address. HOWEVER, I am likely to come under political pressure soon to allow R-protocol, NFS, etc to a machine on the other side of this filter. At which point my filter is virtually useless. So I think its true to say that as a generalisation, encryption *is* the only way to block attacks. Dave. * David Mitchell, Systems Administrator, email: D.Mitchell@dcs.shef.ac.uk * Dept. Computer Science, Sheffield Uni. phone: +44 114-282-5573 * 211 Portobello St, Sheffield S1 4DP, UK. fax: +44 114-278-0972 * * Standards (n). Battle insignia or tribal totems