Re: [RRG] Renumbering... ACLs etc.
Joel,
I wish I could agree not just with the "should" but with "we can
persuade them to." I worked behind an actively managed and supervised
firewall for a while. They had a quite strict security policy in place.
Their policy was to block all inbound connections to their VPN device
unless those connections, and the IP addresses for them, had been
explicitly authorized.
Yes, they know that IP addresses can be spoofed. But this sort of
filtering made the barrier to penetrating the firewall significantly
higher. (It meant I could not use the VPN, as they would not
authorize any dynamic IP addresses.)
Trying to tell them that their policy is wrong, and that they cannot
do that, is not going to work. We have to provide them something else
to get the same capability if we do not want them using locators for
this.
What you point out is that it is necessary but not sufficient to secure
the so-called "identifier" space. We are not excused from securing the
locator space.
Eliot
--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
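The allowlist described in the message above, as an added example that is not code from the RRG list or from Eliot: a default-deny ACL on a VPN device keyed on the source address (a locator), evaluated over constructed connection attempts, plus a helper that rewrites the ACL when the authorized site is renumbered. The prefixes, ports and attempts are made up for illustration; the spoofing caveat from the message applies unchanged, since nothing here can tell a spoofed source address from a genuine one.

```python
"""
Added example, not from the RRG thread. Models a source-address allowlist
on a VPN device (default deny) and shows why such an ACL has to be touched
whenever the authorized site is renumbered. All prefixes, ports and
connection attempts below are constructed for illustration.
"""
import ipaddress

# Constructed allowlist: (authorized source prefix, destination port on the
# VPN device). The source prefixes are locators, which is why renumbering
# the authorized site invalidates them. A dynamic address assigned outside
# these prefixes will never match, as in the message above.
VPN_ACL = [
    (ipaddress.ip_network("198.51.100.0/24"), 500),   # partner site, IKE
    (ipaddress.ip_network("198.51.100.0/24"), 4500),  # partner site, IKE NAT-T
    (ipaddress.ip_network("203.0.113.7/32"), 500),    # one static admin host
]


def allowed(acl, src, dst_port):
    """Return True if (src, dst_port) matches an explicit ACL entry.

    Anything not explicitly listed is dropped (default deny). Note that this
    check only sees the source address as carried in the packet; a spoofed
    address inside an authorized prefix passes this filter and must be
    caught by authentication further up the stack.
    """
    src_addr = ipaddress.ip_address(src)
    return any(src_addr in net and dst_port == port for net, port in acl)


def filter_attempts(acl, attempts):
    """Evaluate a batch of (src, dst_port) attempts.

    Returns a list of (src, dst_port, verdict) with verdict ACCEPT or DROP.
    """
    return [(src, port, "ACCEPT" if allowed(acl, src, port) else "DROP")
            for src, port in attempts]


def renumber_acl(acl, old_prefix, new_prefix):
    """Rewrite ACL entries that fall inside old_prefix into new_prefix.

    Host bits relative to the old prefix are preserved, so a /32 or a more
    specific subnet of the old block lands at the same offset in the new
    block. Entries outside old_prefix are returned unchanged. Both prefixes
    must have the same length; a renumbering that changes the block size
    needs a human to decide how the entries map.
    """
    old = ipaddress.ip_network(old_prefix)
    new = ipaddress.ip_network(new_prefix)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefixes must have the same length")
    rewritten = []
    for net, port in acl:
        if net.version == old.version and net.subnet_of(old):
            offset = int(net.network_address) - int(old.network_address)
            new_net = ipaddress.ip_network(
                (int(new.network_address) + offset, net.prefixlen))
            rewritten.append((new_net, port))
        else:
            rewritten.append((net, port))
    return rewritten


if __name__ == "__main__":
    # Constructed attempts: one from the authorized partner block, one from a
    # dynamic address the firewall operator has never authorized.
    attempts = [("198.51.100.25", 500), ("203.0.113.8", 500),
                ("198.51.100.25", 22)]
    for src, port, verdict in filter_attempts(VPN_ACL, attempts):
        print(f"{src:>15} -> {port:<5} {verdict}")

    # The partner site renumbers; the old entries are now stale until the ACL
    # is rewritten. That maintenance burden is the cost of keying on locators.
    new_acl = renumber_acl(VPN_ACL, "198.51.100.0/24", "192.0.2.0/24")
    for net, port in new_acl:
        print(f"after renumber: {net} -> {port}")
```

Run it directly to see the verdicts before and after the renumbering step; the point of the helper is not that the rewrite is hard, but that it has to happen at every site that embedded the partner's locators in a filter.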