
Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03



Gert Doering   (m/d/y) 8/26/08 1:49 PM:
On Mon, Aug 25, 2008 at 05:29:47PM -0700, Dan Wing wrote:
Internal to external is permitted, by default, in the current document.

We are discussing external to internal.

What is "internal to external" is inevitably "external to internal" to
someone else.

How do you solve "tunneling is permitted if solicited from the inside" for the

  Host A --- CPE A ----[Internet]---- CPE B --- Host B

case?

In my understanding, there is no ambiguity.

Internal or External is defined only for a two-sided device the place of which is specified in the global Internet:
- External is toward the core (or the root) of the routing hierarchy, i.e. the side of the device where the 0/0 route goes (the "rest of the world").
- Internal is the opposite. It is toward the periphery (or the leaves) of the routing hierarchy, where the 0/0 route doesn't go.

Thus:
- A is internal to CPE A.
- CPE B and B are external to CPE A.
- A and CPE A are external to CPE B.
- B is internal to CPE B

Filtering control, if not administrative, should always come from the internal side (from A to CPE A, from B to CPE B).

RD
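
The per-device definition in the message above, as an added example that is not part of the original thread: each CPE labels a side by where its 0/0 route points, so the same Host A to Host B flow gets a different direction at each hop. The `Cpe` class, the interface names `lan`/`wan` and the pinhole model are hypothetical, and the sketch assumes the default-permit for internal-to-external that the quoted text mentions.

```python
from dataclasses import dataclass, field

@dataclass
class Cpe:
    """Two-sided device; class, interface names and pinhole model are hypothetical."""
    name: str
    default_route_if: str                  # interface where the 0/0 route goes
    interfaces: tuple = ("lan", "wan")
    pinholes: set = field(default_factory=set)

    def side(self, ifname):
        # External is the side carrying the default route; internal is the other.
        if ifname not in self.interfaces:
            raise ValueError(f"{ifname} is not an interface of {self.name}")
        return "external" if ifname == self.default_route_if else "internal"

    def direction(self, in_if, out_if):
        return f"{self.side(in_if)}-to-{self.side(out_if)}"

    def request_pinhole(self, in_if, flow):
        # Non-administrative filtering control is honoured only from the internal side.
        if self.side(in_if) != "internal":
            return False
        self.pinholes.add(flow)
        return True

    def permits(self, in_if, out_if, flow):
        # Internal to external is permitted by default; inbound needs a pinhole.
        if self.direction(in_if, out_if) == "internal-to-external":
            return True
        return flow in self.pinholes

def trace(flow, hops):
    """hops is a list of (cpe, in_if, out_if); returns (name, direction, permitted)."""
    return [(c.name, c.direction(i, o), c.permits(i, o, flow)) for c, i, o in hops]

def demo():
    # Constructed topology: Host A --- CPE A ---[Internet]--- CPE B --- Host B
    cpe_a = Cpe("CPE A", default_route_if="wan")
    cpe_b = Cpe("CPE B", default_route_if="wan")
    flow = ("Host A", "Host B")
    hops = [(cpe_a, "lan", "wan"), (cpe_b, "wan", "lan")]
    before = trace(flow, hops)
    from_outside = cpe_b.request_pinhole("wan", flow)   # asked from Host A's side
    from_inside = cpe_b.request_pinhole("lan", flow)    # asked by Host B
    return before, from_outside, from_inside, trace(flow, hops)

if __name__ == "__main__":
    for item in demo():
        print(item)
```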