[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ingress filteing problem

To: <multi6@ops.ietf.org>
Subject: Re: ingress filteing problem
From: "Spencer Dawkins" <spencer@mcsr-labs.org>
Date: Fri, 12 Mar 2004 20:15:44 -0600
References: <KFEGIHADOMJLBDFFDMNEAEECCIAA.loa@ieee.org>
Reply-to: "Spencer Dawkins" <spencer@mcsr-labs.org>

I'm probably late to the party, but don't (1) and (2) break
transport-mode IPsec?

So IPsec transport mode would be a non-goal?

Just curious,

Spencer

From: "Kanchei Loa" <loa@ieee.org>
> The following are solutions that won't break non-multi6 TCP and UDP
(only
> one end of the communication  implements multi6):
>
> (1) Match the source address to ISP.
>

> (2) Fake the source address to ISP.
>

>
> Before we talk about pros, cons and other issues, It is beneficial
that we
> have a complete list of possible solutions for ISP ingress filtering
that
> won't break non-multi6 TCP and UDP (only one end of the
communication
> implements multi6). My opinion is that any multi6 solution that
breaks
> existing non-multi6 TCP and UDP at another end of the connection
will face
> deployment difficulty.
>
> Am I missing something?

Follow-Ups:
- RE: ingress filteing problem
  - From: "Kanchei Loa" <loa@ieee.org>

References:
- ingress filteing problem
  - From: "Kanchei Loa" <loa@ieee.org>

Prev by Date: RE: Source address selection insufficient?
Next by Date: Weekly posting summary for multi6@ops.ietf.org
Previous by thread: ingress filteing problem
Next by thread: RE: ingress filteing problem
Index(es):
- Date
- Thread