
RE: [RRG] Renumbering... ACLs etc.



 

Hi Robin,


|OK - I understand that you are suggesting that the routers not
|filter by IP address at all, but by "something else".


Not exactly.  What I'm suggesting is that firewalls cannot reliably filter
on any remote information.  It will be spoofed unless it's strongly
authenticated, such as an IPsec tunnel.

They *can* reasonably filter on local information (e.g., destination IP
address, destination port, protocol, destination identifier, destination
locator).  These are under the control of the local administration and can
conceivably be well coordinated.

Tony


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
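
An added example, not part of Tony's message or the thread: a small Python audit that applies the local-versus-remote distinction above to an ACL and flags rules that depend on remote fields without an authenticated tunnel. The field names, the `via_ipsec` flag and the sample rules are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Local information, as listed in the message above.
LOCAL_FIELDS = {"dst_ip", "dst_port", "protocol", "dst_identifier", "dst_locator"}
# Remote information: chosen by the sender (field names are this example's assumption).
REMOTE_FIELDS = {"src_ip", "src_port", "src_identifier", "src_locator"}


@dataclass
class Rule:
    name: str
    action: str              # "permit" or "deny"
    match: dict              # field name -> required value
    via_ipsec: bool = False  # hypothetical flag: rule only sees traffic from an IPsec tunnel


def effective_match(rule):
    """Return the part of the match the firewall can actually rely on."""
    if rule.via_ipsec:
        return dict(rule.match)
    return {k: v for k, v in rule.match.items() if k in LOCAL_FIELDS}


def audit(rules):
    """List (rule name, finding, unauthenticated remote fields) for weak rules."""
    findings = []
    for rule in rules:
        unknown = set(rule.match) - LOCAL_FIELDS - REMOTE_FIELDS
        if unknown:
            raise ValueError(f"{rule.name}: unknown fields {sorted(unknown)}")
        remote = sorted(set(rule.match) & REMOTE_FIELDS)
        if not remote or rule.via_ipsec:
            continue
        # A permit can be satisfied, and a deny avoided, by choosing the remote fields.
        finding = "permit-wider-than-written" if rule.action == "permit" else "deny-avoidable"
        findings.append((rule.name, finding, remote))
    return findings


# Constructed sample ACL (documentation address ranges, not taken from the thread).
SSH = {"dst_ip": "198.51.100.10", "dst_port": 22, "protocol": "tcp"}
SAMPLE_ACL = [
    Rule("ssh-from-partner", "permit", {"src_ip": "192.0.2.0/24", **SSH}),
    Rule("block-bad-net", "deny", {"src_ip": "203.0.113.0/24"}),
    Rule("web-in", "permit", {"dst_ip": "198.51.100.20", "dst_port": 443, "protocol": "tcp"}),
    Rule("ssh-via-tunnel", "permit", {"src_ip": "192.0.2.0/24", **SSH}, via_ipsec=True),
]

if __name__ == "__main__":
    for name, finding, fields in audit(SAMPLE_ACL):
        print(f"{name}: {finding} (relies on {', '.join(fields)})")
```

`effective_match` shows what each rule still guarantees once unauthenticated remote fields are discounted: the first sample rule reduces to its destination address, port and protocol, and the source-only deny reduces to nothing.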