Re: IPv6 RH (was Re: SPD issues)
In your previous mail you wrote:
On Mon, 27 Oct 2003, Bill Sommerfeld wrote:
> > I think this is a bad idea. The local admin should use a firewall
> > to restrict traffic with routing headers if needed. He shouldn't
> > use the SPD to do this...
> Any code which consults the SPD to do policy enforcement can be
> thought of as a "firewall".
The SPD *is* a firewall. One serious flaw of RFC 2401 was that it did not
make this clear. The 2401bis draft does (section 2.1, second paragraph).
=> We should make a distinction between a filtering mechanism and what is
sold as a firewall: Vijay and I share the opinion that the SPD belongs to
the first category and the RH stuff should be done by a device from
the second one. Of course, on an SG which is also a firewall, the SPD can
be extended in order to include plain firewall capabilities (this is better
than fighting against the firewall part :-).