Re: [RRG] Renumbering... ACLs etc.

[Eliot Lear <lear@cisco.com>]

Joel,
> I wish I could agree not just with the "should" but with "we can 
> persuade them to."  I worked behind an actively managed and supervised 
> firewall for a while.  They had a quite strict security policy in place.
> Their policy was to block all inbound connections to their VPN device 
> unless those connections, and the IP addresses for them, had been 
> explicitly authorized.
> Yes, they know that IP addresses can be spoofed.  But this sort of 
> filtering made the barrier to penetrating the firewall significantly 
> higher.  (It meant I could not use the VPN, as they would not 
> authorize any dynamic IP addresses.)
> Trying to tell them that their policy is wrong, and that they can not 
> do that, is not going to work.  We have to provide them something else 
> to get the same capability if we do not want them using locators for 
> this.

What you point out is that it is necessary but not sufficient to secure 
the so-called "identifier" space.  We are not excused from securing the 
locator space.

Eliot

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg