
Re: comment on unmanaged analysis presentation/doc



> I'm fairly convinced that ingress filtering needs to apply the same
> criteria to tunneled packets as are applied to non-tunneled packets.
> 
> So if (e.g.) NFS is blocked at the router/firewall for v4, it needs 
> to be blocked for 6to4 and native v6 also, unless the policy is
> to treat NFS traffic differently depending on v4 vs. v6. 
> 
> This implies that filters need to look inside type 41 IP packets.
> 
> of course, it's dangerous to suggest this, because there will be
> a strong temptation to just block all type 41 packets - since 
> presumably it's much easier to do that.

While such a scheme might work for protocol 41 packets, I don't
see how it can be made to work for other tunnels, especially encrypted
tunnels.

Thus I think a simpler and more general approach is to require that nodes
only decapsulate packets when they trust the sender.

   Erik
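Below is an added illustration of the two rules discussed in this message; it is example code written for this archive page, not code from the thread, from any RFC, or from any tunnel implementation. It assumes a filter that blocks NFS (TCP/UDP port 2049, the service named in the quoted text), packets hand-built from documentation addresses as sample input (not captured traffic), and a hypothetical "trusted senders" list standing in for a node's configured tunnel peers. The filter side applies the same port policy to a native IPv4 packet and to the IPv6 packet carried inside protocol 41; the node side refuses to decapsulate unless the outer source is trusted.

```python
import struct
import ipaddress

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # IPv6 encapsulated in IPv4 (6to4, configured 6in4)

# --- constructed sample packets (example input, not captured traffic) ---

def build_ipv4(src, dst, proto, payload, frag_offset=0):
    """Minimal IPv4 header, no options, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, frag_offset & 0x1FFF,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src, dst, next_hdr, payload):
    """Minimal IPv6 header, no extension headers."""
    hdr = struct.pack("!IHBB16s16s",
                      0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def build_tcp(sport, dport):
    """20-byte TCP SYN with zero seq/ack/checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

# --- filter side: same criteria for native and tunneled packets ---

def _dst_port(proto, l4):
    """Destination port for TCP/UDP, None for any other protocol."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        return struct.unpack("!HH", l4[:4])[1]
    return None

def filter_ipv6(pkt, blocked_ports):
    """Verdict for an IPv6 packet. Extension headers are not walked here;
    a real filter must follow the next-header chain before reading ports."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop:malformed"
    if _dst_port(pkt[6], pkt[40:]) in blocked_ports:
        return "drop:blocked-port"
    return "accept"

def filter_ipv4(pkt, blocked_ports):
    """Verdict for an IPv4 packet. Protocol 41 is opened and the inner
    IPv6 packet is judged by the same port policy as native traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop:malformed"
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_IPV6:
        if frag_offset != 0:
            # Non-initial fragment: the inner IPv6 header is not in this
            # packet, so the policy cannot be checked without reassembly.
            return "drop:needs-reassembly"
        verdict = filter_ipv6(payload, blocked_ports)
        return verdict if verdict == "accept" else verdict + ":tunneled"
    if _dst_port(proto, payload) in blocked_ports:
        return "drop:blocked-port"
    return "accept"

# --- node side: decapsulate only from trusted senders ---

def decapsulate(pkt, trusted_senders):
    """Strip the IPv4 wrapper only when the outer source falls inside one of
    the configured peer prefixes (hypothetical policy input, given as strings).
    Returns the inner IPv6 packet, or None when the packet is not protocol 41
    or the sender is not trusted."""
    if len(pkt) < 20 or pkt[9] != IPPROTO_IPV6:
        return None
    src = ipaddress.IPv4Address(pkt[12:16])
    nets = [ipaddress.ip_network(n) for n in trusted_senders]
    if not any(src in net for net in nets):
        return None
    return pkt[(pkt[0] & 0x0F) * 4:]

if __name__ == "__main__":
    nfs = {2049}
    inner = build_ipv6("2001:db8::1", "2001:db8::2", IPPROTO_TCP, build_tcp(40000, 2049))
    native = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_TCP, build_tcp(40000, 2049))
    tunneled = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_IPV6, inner)
    print("native NFS  :", filter_ipv4(native, nfs))
    print("6in4 NFS    :", filter_ipv4(tunneled, nfs))
    print("trusted peer:", decapsulate(tunneled, ["192.0.2.0/24"]) is not None)
    print("unknown peer:", decapsulate(tunneled, ["203.0.113.0/24"]) is not None)
```

The fragment branch is the practical catch in the quoted proposal: once a filter depends on seeing the inner header, an attacker can split the protocol-41 packet so the header is only in the first fragment, and the filter either reassembles or drops non-initial fragments. The decapsulation rule avoids that question entirely, which is why it also covers tunnels whose payload the filter cannot read.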