
Re: [RRG] Renumbering... ACLs etc.

Joel,
I wish I could agree not just with the "should" but with "we can persuade them to." I worked behind an actively managed and supervised firewall for a while. They had a quite strict security policy in place. Their policy was to block all inbound connections to their VPN device unless those connections, and the IP addresses for them, had been explicitly authorized. Yes, they know that IP addresses can be spoofed. But this sort of filtering made the barrier to penetrating the firewall significantly higher. (It meant I could not use the VPN, as they would not authorize any dynamic IP addresses.) Trying to tell them that their policy is wrong, and that they cannot do that, is not going to work. We have to provide them something else to get the same capability if we do not want them using locators for this.

What you point out is that it is necessary but not sufficient to secure the so-called "identifier" space. We are not excused from securing the locator space.

Eliot
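
As an added illustration, not part of Eliot's message or any RRG code, here is a default-deny source-address allowlist of the kind the policy above describes, evaluated over a few constructed inbound connection attempts. The prefixes, the VPN_DEVICE locator and the port set are assumptions drawn from documentation address ranges; the authorized-source list is the administrator's explicit authorization from the message.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed allowlist: source prefixes an administrator has explicitly
# authorized to reach the VPN device (hypothetical documentation-range
# addresses, not values from the message).
AUTHORIZED_PREFIXES = [
    "198.51.100.0/24",   # a partner site with a fixed address block
    "203.0.113.7/32",    # a single fixed-address remote host
]

VPN_DEVICE = "192.0.2.10"   # constructed locator of the VPN device
VPN_PORTS = {500, 4500}     # IKE and IPsec NAT-T, the usual VPN ports


def build_acl(prefixes: Iterable[str]):
    """Parse the prefix strings once; a malformed entry raises ValueError."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def evaluate(acl, src: str, dst: str, dport: int) -> str:
    """Default-deny inbound filter for the VPN device.

    Traffic not aimed at the VPN device is outside this rule's scope and is
    left to other rules, so it is reported as 'n/a'. Anything aimed at the
    device is permitted only when its source address falls inside an
    authorized prefix. The rule keys purely on the locator as presented;
    it cannot tell an authentic source address from a forged one, which is
    why the locator space itself still needs securing.
    """
    if dst != VPN_DEVICE or dport not in VPN_PORTS:
        return "n/a"
    source = ipaddress.ip_address(src)
    if any(source in net for net in acl):
        return "permit"
    return "deny"


# Constructed connection attempts (src, dst, dport); not real firewall logs.
SAMPLE_ATTEMPTS: List[Tuple[str, str, int]] = [
    ("198.51.100.23", VPN_DEVICE, 500),    # authorized partner site
    ("203.0.113.7",   VPN_DEVICE, 4500),   # authorized fixed host
    ("100.64.12.9",   VPN_DEVICE, 500),    # dynamically assigned address: denied
    ("198.51.100.23", "192.0.2.20", 443),  # not the VPN device: other rules decide
]


def filter_attempts(acl, attempts):
    """Return (source, verdict) for each attempt, in input order."""
    return [(src, evaluate(acl, src, dst, dport)) for src, dst, dport in attempts]


if __name__ == "__main__":
    for src, verdict in filter_attempts(build_acl(AUTHORIZED_PREFIXES), SAMPLE_ATTEMPTS):
        print(f"{src:>15}  {verdict}")
```

The third attempt is the situation Eliot describes from the user side: a dynamically assigned address is never in the allowlist, so the connection is refused regardless of whether the VPN credentials behind it are valid. The docstring on evaluate records the limit he also notes: the barrier is raised only to the extent that the source address can be trusted, so the filter is a reason to secure locators, not a substitute for it.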

archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg