
Re: [RRG] Renumbering... ACLs etc.



Hi Tony,

You wrote:

> I think you're missing the point: having a firewall filter on ANY field set
> by a correspondent that cannot be strongly authenticated is simply asking
> for trouble.  
> 
> To date, folks have claimed that the return routability of the address was
> 'enough' security.  However, that depends on routing being secure.  I hope
> the folks in this group are aware of the reality in that regard.

OK - I understand that you are suggesting that the routers not
filter by IP address at all, but by "something else".

If that "Something else" is changeable from time-to-time due to
mobility, multihoming service restoration etc. for any one remote
host (or whatever entity it is you are selecting with the filter,
including perhaps an actual person using any host whatsoever) for
which you want to specify the filtering, then I still think the
router needs to periodically look up the text you specified in some
global mapping system to see what this means "now".  In that case,
the text or whatever you use to tell the router how to filter needs
to be accompanied by some information on how often to look up the
mapping system to convert your specification into whatever it needs
to mean to the filtering system right now.

  - Robin


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg