[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 RH (was Re: SPD issues)

 In your previous mail you wrote:

   >Perhaps, the decision should be made if either the destination IP or 
   >any RH next-hop IP are matching the selector?
=> it should be the IP address in the destination field of the IP header
when the policy is evaluated.
   We did overlook this in 2401, and we ought to be more precise in 2401bis.
   The IPv6 destination is what I expect folks would use for selector 
   checking, for both outbound and inbound traffic.
=> I agree. In fact, this is part of the multi-protocol selector issue
(which we decided against) as RHs are extension headers.

   We might add a flag that explicitly disallows traffic with routing 
   headers, as a local admin control for SPD entries.  In the IPv4 case, 
   we could to do the same  re the source route option.
   What do folks think?
=> I don't believe this is a good idea because it is the first step towards
the transformation of SPD entries into firewall rules, i.e., someone can
propose this in his implementation but this should not be in the standard.