Eliot Lear wrote:
> > Like it or not, it is accepted security practice to limit access by
> > filtering on bits in the IP header, and restricting what prefixes are
> > announced in routing protocols.
>
> But that filtering is done EXPLICITLY based on a PARTICULAR device in a
> PARTICULAR environment. Neither the device nor the firewall can make
> that decision, and that is what you are claiming. You are OVERLOADING
> security operations on the IP address, a construct that is poorly suited
> for the task.

No, I am using a well established construct of limiting access by
restricting where prefixes get routed, and limiting access by filtering
on header bit patterns. That is not overloading on the IP address any
more than current practice does.

> > In any case, I was not even claiming that any packet filtering was
> > happening in that scenario. The presumption was that the prefix for
> > local use was not being routed outside the home, while the global one
> > was. In that case, packet filtering is not required as the origin
> > can't get packets to the destination.
>
> And that is where you are relying on the routing protocol for security,
> and that too is a bad architectural assumption. It's bad for all the
> reasons I wrote in the message you claim had "no content".

Then why do network managers ever have limitations on routing
announcements, both sent and heard? It is because they want to limit
access.

> > Restricted routing is just one component in a comprehensive security
> > plan.
>
> Since it doesn't really do the job,

What job? Provide perfect security? If that is the case, what does the
job today? If such a product exists, why is route filtering so
prevalent?

> and since we are talking about a home system as a use scenario, less is
> more. Provide a single mechanism that works correctly such that the
> individual can manipulate it in one place if he/she has to.

There is nothing about providing a local use space that precludes a
single point of control. Architecturally requiring a single point of
control however precludes distribution and increasing scale. The network
is not the simple Internet of 1990, and extrapolating that growth
forward says we must not be architecting in bottlenecks. Particularly
when they are simply based on favored operational practice of a few
large entities. The consumer doesn't want to know about the technology
that makes the Wal-mart appliance work, they just want to bring it home
and turn it on.

Tony

> I don't claim that filtering shouldn't happen in many or most cases, and
> it might even happen in THIS case. But let's not architect for such a
> case.
>
> Eliot
>

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
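The scenario argued over in this thread, as an added example that is not part of the original messages: a toy Python model of a home border router that announces only its global prefix upstream, with a prefix-list leak standing in for the misconfiguration Eliot warns about and an inbound border ACL as the second control in the "comprehensive plan" Tony refers to. All prefixes and host addresses are constructed values from the 2001:db8::/32 documentation range.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed values from the documentation range 2001:db8::/32.
HOME_GLOBAL = IPv6Network("2001:db8:1::/48")     # announced to the provider
HOME_LOCAL = IPv6Network("2001:db8:ffff::/48")   # meant to stay inside the home
GLOBAL_HOST = IPv6Address("2001:db8:1::10")
LOCAL_HOST = IPv6Address("2001:db8:ffff::10")


def export_filter(prefixes, permit_list):
    """Prefix-list on the home border: announce only prefixes covered by a
    permit entry; everything else is implicitly denied."""
    return [p for p in prefixes if any(p.subnet_of(ok) for ok in permit_list)]


def lookup(rib, dst):
    """Longest-prefix match over a RIB of (prefix, next_hop) pairs."""
    matches = [(p, nh) for p, nh in rib if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def border_acl_permits(dst):
    """Second, independent control: drop inbound packets addressed to the
    local-use prefix regardless of what the routing table says."""
    return dst not in HOME_LOCAL


def delivered(dst, permit_list, acl_enabled):
    """Can an outside origin get a packet to dst? The provider has a route
    only if the home announced a covering prefix; the border ACL is a
    second gate when enabled."""
    announced = export_filter([HOME_GLOBAL, HOME_LOCAL], permit_list)
    provider_rib = [(p, "home-border") for p in announced]
    if lookup(provider_rib, dst) is None:
        return False  # no route at the provider: the packet never arrives
    return border_acl_permits(dst) if acl_enabled else True


def scenarios():
    """Reachability of (global host, local host) under three configurations."""
    tight = [HOME_GLOBAL]                # intended export filter
    leaky = [HOME_GLOBAL, HOME_LOCAL]    # misconfigured: local prefix leaks
    return {
        "filter_ok": (delivered(GLOBAL_HOST, tight, False), delivered(LOCAL_HOST, tight, False)),
        "leak_no_acl": (delivered(GLOBAL_HOST, leaky, False), delivered(LOCAL_HOST, leaky, False)),
        "leak_with_acl": (delivered(GLOBAL_HOST, leaky, True), delivered(LOCAL_HOST, leaky, True)),
    }
```

With the intended filter the local host is unreachable with no packet filtering at all, which is the point Tony makes; once the prefix leaks, only the independent ACL keeps it unreachable, which is the failure mode Eliot is pointing at.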