
Re: IPv6 RH (was Re: SPD issues)

 In your previous mail you wrote:

   On Mon, 27 Oct 2003, Bill Sommerfeld wrote:
   > > I think this is a bad idea. the local admin should use a firewall
   > > to restrict traffic with routing headers if needed. he shouldn't
   > > use the SPD to do this...
   > Any code which consults the SPD to do policy enforcement can be
   > thought of as a "firewall".
   The SPD *is* a firewall.  One serious flaw of RFC 2401 was that it did not
   make this clear.  The 2401bis draft does (section 2.1, second paragraph). 
=> we should make a distinction between a filtering mechanism and what is
sold as a firewall: Vijay and I share the opinion that the SPD belongs to
the first category and the RH stuff should be done by a device from
the second one. Of course, on a SG which is also a firewall, the SPD can
be extended in order to include plain firewall capabilities (this is better
than fighting against the firewall part :-).