[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ACLs

To: Emir Arslanagic <emir@cw.net>
Subject: Re: ACLs
From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 22 Jul 2003 23:07:38 +0200
Cc: opsec@ops.ietf.org
In-reply-to: <NABBIILLLMCFCBEGLNHEAEPNCLAB.emir@cw.net> (Emir Arslanagic'smessage of "Tue, 22 Jul 2003 16:30:22 -0400")
Mail-followup-to: Emir Arslanagic <emir@cw.net>, opsec@ops.ietf.org
References: <NABBIILLLMCFCBEGLNHEAEPNCLAB.emir@cw.net>
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (gnu/linux)

Emir Arslanagic <emir@cw.net> writes:

> Regarding ACLs, it is absolutely must for the backbone equipment to be able
> to filter passing through traffic in line speed, traffic to the box it-self
> is little bit less strict but that is why we have rate limiting and QoS.
>
> BTW many vendors do that this days in ASICS any way, it is not that
> difficult.

As far as I know, it *is* difficult for a certain vendor.  This vendor
sells most of its routing blades for a certain architecture with
hardly any filtering capability (maximum ACL length around 128
entries, if ACLs are supported at all).

> This could be described with two stamens:
> - Network equipment must provide a means of allowing and denying data flow
> based on a
> security policy.
>
> - Network equipment must provide a means of segregating data flow between
> networks, which
> does not share same security paradigm.

Without restriction on the kind of security policy that must be
implementable by the device, such requirements are untestable and
therefore less interesting (IMHO).

Follow-Ups:
- Re: ACLs
  - From: Randy Bush <randy@psg.com>

References:
- ACLs
  - From: Emir Arslanagic <emir@cw.net>

Prev by Date: Re: Ability to withstand well known attacks
Next by Date: Re: Ability to withstand well known attacks
Previous by thread: ACLs
Next by thread: Re: ACLs
Index(es):
- Date
- Thread