Re: comment on unmanaged analysis presentation/doc
I'm fairly convinced that ingress filtering needs to apply the same
criteria to tunneled packets as are applied to non-tunneled packets.
So if (e.g.) NFS is blocked at the router/firewall for v4, it needs
to be blocked for 6to4 and native v6 also, unless the policy is
to treat NFS traffic differently depending on v4 vs. v6.
This implies that filters need to look inside type 41 IP packets.
Of course, it's dangerous to suggest this, because there will be
a strong temptation to just block all type 41 packets - since
presumably it's much easier to do that.
Keith
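
An added example, not part of the original message: a sketch of a filter that applies one port policy to native IPv4, native IPv6, and IPv6 carried in type 41 IPv4 packets, instead of blocking type 41 outright. The function names, the blocked-port set (NFS on 2049) and the sample packets are assumptions made for illustration; it assumes unfragmented packets and does not handle the IPv6 fragment header.

```python
import struct

BLOCKED_PORTS = {2049}            # assumed policy: NFS blocked at the border
PROTO_TCP, PROTO_UDP, PROTO_IPV6 = 6, 17, 41
EXT_HEADERS = {0, 43, 60}         # hop-by-hop, routing, destination options

def l4_verdict(proto, payload):
    """Apply the single port policy to a TCP/UDP payload, whatever carried it."""
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(payload) < 4:
            return "drop"         # truncated transport header: fail closed
        dport = struct.unpack("!H", payload[2:4])[0]
        return "drop" if dport in BLOCKED_PORTS else "pass"
    return "pass"

def verdict_ipv6(pkt):
    """Native v6, or the inner packet of a 6to4/type 41 tunnel."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop"
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS:     # skip extension headers to reach TCP/UDP
        if len(pkt) < off + 2:
            return "drop"
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return l4_verdict(nxt, pkt[off:])

def verdict_ipv4(pkt):
    """Outer v4 packet: same policy, and look inside type 41."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "drop"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6:       # type 41: inspect the inner packet
        return verdict_ipv6(payload)
    return l4_verdict(proto, payload)

# Constructed sample packet builders (documentation addresses, zero checksums)
def sample_ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def sample_ipv6(nxt, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + bytes(32) + payload

def sample_tcp(dport):
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
```
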