In your previous mail you wrote:
> => the state can be kept by the network access control system (which
> cannot be stateless). And stateful firewalls are strictly more powerful
> than stateless firewalls (this is not free of course).
If the state is outsourced but changes rapidly, this is IMO still a
stateful firewall.
=> but state loss has less impact...
and we cannot rely on the existence of AAA, I think.
=> if you have to take the responsibility for what nodes inside your domain
are doing, AAA existence is a reasonable assumption.
> => I dislike all firewalls, but this problem is a threat against
> ingress filtering so an ingress filtering solution is better.
This is a problem that affects all filtering, not just ingress (for source
address).
=> we speak about the source address hiding by reflection in DDoS using HAO,
i.e. how to use HAO to foul the ingress filtering used as a protection
against DDoS, don't we?
> PS: ingress filtering is not required, this is only a BCP.
> There is no reason to be stricter.
Filtering is a reality that is here to stay. In the hostile world, we
cannot deny or ignore that.
=> my argument was about the word mandatory in your original message.
Regards
[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------