Re: comment on unmanaged analysis presentation/doc
> I'm fairly convinced that ingress filtering needs to apply the same
> criteria to tunneled packets as are applied to non-tunneled packets.
>
> So if (e.g.) NFS is blocked at the router/firewall for v4, it needs
> to be blocked for 6to4 and native v6 also, unless the policy is
> to treat NFS traffic differently depending on v4 vs. v6.
>
> This implies that filters need to look inside type 41 IP packets.
>
> Of course, it's dangerous to suggest this, because there will be
> a strong temptation to just block all type 41 packets - since
> presumably it's much easier to do that.
While such a scheme might work for protocol 41 packets, I don't
see how it can be made to work for other tunnels, especially encrypted
tunnels.
Thus I think a simpler and more general approach is to require that nodes
only decapsulate packets when they trust the sender.
Erik
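The look-inside-type-41 filter the quoted message describes, as an added example that is not code from this thread or from any router or firewall product: one rule (block NFS on TCP/UDP port 2049, an assumed site policy) is applied the same way to native IPv4, native IPv6 and IPv6 encapsulated in IP protocol 41, and it also shows Erik's point that an encrypted tunnel (ESP, protocol 50) gives the filter nothing to inspect. Addresses are constructed placeholders and IPv6 extension headers are not handled.

```python
# Added example (not from the thread): the same ingress rule applied to
# native v4, native v6 and IPv6-in-IPv4 (protocol 41, e.g. 6to4).
# Policy port and addresses are assumptions; extension headers are skipped.
import struct

BLOCKED_PORTS = {2049}                       # assumed site policy: NFS
PROTO_TCP, PROTO_UDP, PROTO_IPV6, PROTO_ESP = 6, 17, 41, 50

def parse_ipv4(pkt):
    """Return (protocol, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4                # header length incl. options
    return pkt[9], pkt[ihl:]

def parse_ipv6(pkt):
    """Return (next header, payload) for an IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    return pkt[6], pkt[40:]

def ingress_verdict(pkt):
    """'drop', 'pass', or 'opaque' when the inner traffic cannot be seen."""
    version = pkt[0] >> 4
    if version == 4:
        proto, payload = parse_ipv4(pkt)
        if proto == PROTO_IPV6:              # look inside the type 41 packet
            proto, payload = parse_ipv6(payload)
    elif version == 6:
        proto, payload = parse_ipv6(pkt)
    else:
        return "drop"
    if proto == PROTO_ESP:                   # encrypted tunnel: no ports to check
        return "opaque"
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        if BLOCKED_PORTS & set(struct.unpack("!HH", payload[:4])):
            return "drop"
    return "pass"

# Constructed packet builders (minimal headers, zero checksums) for testing.
def ipv4_hdr(proto):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")

def ipv6_hdr(next_hdr):
    addr = b"\x20\x02" + b"\x00" * 14         # 2002::/16, the 6to4 prefix
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_hdr, 64, addr, addr)

def tcp_hdr(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
```

Blocking all protocol 41 traffic, the shortcut the quoted message warns about, would make every 6to4 packet "drop" here regardless of what it carries; the inspection above keeps the verdict tied to the inner traffic instead.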