In your previous mail you wrote:

> => the state can be kept by the network access control system (which
> cannot be stateless). And stateful firewalls are strictly more powerful
> than stateless firewalls (this is not free of course).

If the state is outsourced but changes rapidly, this is IMO still a stateful firewall..

=> but state loss has less impact...

and we cannot rely on the existence of AAA, I think.

=> if you have to take the responsibility of what nodes inside your domain are doing, AAA existence is a reasonable assumption.

> => I dislike all firewalls, but this problem is a threat against
> ingress filtering so an ingress filtering solution is better.

This is a problem that affects all filtering, not just ingress (for source address).

=> we speak about the source address hiding by reflection in DDoS using HAO, i.e. how to use HAO to foul the ingress filtering used as a protection against DDoS, don't we?

> PS: ingress filtering is not required, this is only a BCP.
> There is no reason to be stricter.

Filtering is a reality that is here to stay. In the hostile world, we cannot deny or ignore that.

=> my argument was about the word mandatory in your original message.

Regards

[EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------