Hi,

On 2011/11/18, at 14:27, Dmitry Anipko wrote:

> Hello,
>  
> >> In any case, the policy delivered on the secured channel should be used.
> >>That is what the draft suggests.
> >>Make sense ?
>  
> If the different policy tables were received from different administrative 
> domains, I don’t see yet why it would make sense to prefer one of them to 
> another based on whether one of the channels was secured. In case an interface 
> which delivered a secured policy table is not preferred by routing metric, the 
> copy of the table received over such an interface may be irrelevant or harmful.

The policy table is a host-wide policy, and not interface specific.
It can have effects even on the routing policy of the host in that it has
effects on destination address selection.

The existence of a secure, trusted channel means that the host
belongs to the administrative domain. In that case, the policy of 
the untrusted channel should not override the host-wide policy,
even if the default route is directed to the untrusted interface.

If the admin of the administrative domain allows the simultaneous
use of the untrusted domain and directs the default route to that
untrusted interface, the admin has to design his distribution policy
so that the policy will not bring bad effects from that. If the admin
does not allow the simultaneous connection, the bad effects need
not be taken care of.

Of course, this draft does not preclude a configuration option to use
the received policy on the untrusted interface, though.

Best regards,

>  
> Thanks,
> Dmitry
>  
> From: Arifumi Matsumoto [mailto:arif...@nttv6.net] 
> Sent: Thursday, November 17, 2011 9:14 PM
> To: Dmitry Anipko
> Cc: ipv6@ietf.org
> Subject: Re: multiple policy tables handling in 
> draft-ietf-6man-addr-select-opt-01
>  
> Hi,
>  
> thank you for your comment.
>  
> On 2011/11/14, at 14:21, Dmitry Anipko wrote:
> 
> Hello,
>  
> I have a question about this text the -01 revision:
>  
> >> A node MAY use OPTION_DASP in any of the following two cases:
> >>   1: The address selection option is delivered across a secure, trusted
> >>      channel.
>  
> The OPTION_DASP is configured by a network administrator, presumably based on 
> some knowledge they have about what makes more or less sense in the 
> particular network. How whether or not a secure channel has been used on one 
> of the networks relates to whether or not the admin of that network has 
> knowledge of a completely different network the host may simultaneously be 
> connected to?
>  
> In any case, the policy delivered on the secured channel should be used.
>  
> That is what the draft suggests.
>  
> Make sense ?

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
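The policy-selection rule argued in this thread (a table delivered over a secure, trusted channel becomes the host-wide table; tables from untrusted channels are ignored unless an operator opts in; otherwise the default table stays in force) can be illustrated with a short model. The following is an added example written for this page, not code from the draft, from either correspondent or from any implementation. It assumes a constructed `trusted` flag per received table, two constructed interface names (`eth0`, `wlan0`), documentation-prefix addresses, and reduces destination ordering to the precedence comparison of RFC 3484 rule 6 alone, using that RFC's default policy table.

```python
"""Added example: choosing the host-wide address-selection policy table when
several OPTION_DASP tables arrive over different interfaces, and showing how
that choice changes destination address ordering.

Constructed for illustration; not from the draft or any implementation.
Only RFC 3484 rule 6 (precedence) is modelled; the other rules are omitted.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class PolicyEntry:
    prefix: ipaddress.IPv6Network
    precedence: int
    label: int


def entry(prefix: str, precedence: int, label: int) -> PolicyEntry:
    return PolicyEntry(ipaddress.IPv6Network(prefix), precedence, label)


# RFC 3484 default policy table: the host-wide table when nothing trusted arrives.
DEFAULT_POLICY = [
    entry("::1/128", 50, 0),
    entry("::/0", 40, 1),
    entry("2002::/16", 30, 2),
    entry("::/96", 20, 3),
    entry("::ffff:0:0/96", 10, 4),
]


@dataclass
class ReceivedPolicy:
    interface: str   # interface the option arrived on (constructed names)
    trusted: bool    # True if delivered across a secure, trusted channel (assumed flag)
    entries: list


def select_host_policy(received, allow_untrusted=False, default=DEFAULT_POLICY):
    """Pick the single host-wide policy table.

    A table from a trusted channel wins regardless of which interface holds
    the default route. Untrusted tables are ignored unless the operator opted
    in (the configuration option the thread mentions); otherwise the default
    table stays in force.
    """
    for r in received:
        if r.trusted:
            return r.entries
    if allow_untrusted and received:
        return received[0].entries
    return default


def lookup(policy, addr):
    """Longest-prefix match of addr against the policy table (None if no match)."""
    best = None
    for e in policy:
        if addr in e.prefix and (best is None or e.prefix.prefixlen > best.prefix.prefixlen):
            best = e
    return best


def order_destinations(policy, candidates):
    """Order candidate destinations by precedence, highest first (RFC 3484 rule 6 only)."""
    addrs = [ipaddress.IPv6Address(c) for c in candidates]

    def precedence(a):
        e = lookup(policy, a)
        return e.precedence if e is not None else 0

    # sorted() is stable, so equal-precedence destinations keep their input order
    return [str(a) for a in sorted(addrs, key=precedence, reverse=True)]


# Constructed scenario: eth0 is the administrative domain's own network and
# delivers its table over a trusted channel; wlan0 is a second network the host
# is simultaneously attached to, delivers over an untrusted channel, and also
# happens to hold the default route.
TRUSTED_POLICY = DEFAULT_POLICY + [entry("2001:db8:1::/48", 45, 1)]  # prefer own prefix
UNTRUSTED_POLICY = DEFAULT_POLICY + [entry("fc00::/7", 60, 1)]       # prefer ULA destinations

RECEIVED = [
    ReceivedPolicy("wlan0", trusted=False, entries=UNTRUSTED_POLICY),
    ReceivedPolicy("eth0", trusted=True, entries=TRUSTED_POLICY),
]

CANDIDATES = ["fd00::10", "2001:db8:1::10"]  # two addresses of one destination host


def demo():
    host_policy = select_host_policy(RECEIVED)
    return {
        "host_policy_is_trusted": host_policy is TRUSTED_POLICY,
        "with_trusted": order_destinations(host_policy, CANDIDATES),
        "if_untrusted_won": order_destinations(UNTRUSTED_POLICY, CANDIDATES),
        "default_only": order_destinations(DEFAULT_POLICY, CANDIDATES),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the trusted table in force the host reaches the destination through the domain's own 2001:db8:1::/48 prefix; had the untrusted table been accepted simply because wlan0 holds the default route, the ULA address would have been preferred instead, which is the "irrelevant or harmful" outcome the thread is discussing.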
