Semantic addresses go beyond access control. For example, you can
compare the security semantic bits of the source and destination addresses. If
they belong to different security domains, and you have a policy that they should
not communicate with each other, you could drop the packet.

Sheng


On 4 June 2013 09:44, Lorenzo Colitti <lore...@google.com> wrote:

> On Mon, Jun 3, 2013 at 11:59 PM, Vízdal Aleš <ales.viz...@t-mobile.cz> wrote:
>
>> > If I am reading this correctly, in the end this is driven by the fact
>> that existing boxes
>> > can easily filter on addresses (although it will take a lot of
>> filters), but can not apply
>> > ACLs to DSCPs or extension headers?
>>
>> The current boxes can do both ACL filtering as well as DSCP mangling, but
>> as mentioned
>> earlier the DSCP bits cannot be trusted, so a markdown/re-marking is
>> required potentially
>> involving DPI. Maintaining ACLs is also time consuming.
>>
>
> I don't understand what the difference is. Why can the addresses be
> trusted? Answer - because you drop packets if the host uses the wrong
> address. But all the space is routed to the user anyway, and the semantic
> bits only express semantics, right? Therefore you can't use routing or RPF
> to implement the drops, and you have to use an ACL.
>
> So if you have to use an ACL to do this anyway, then why can't you make
> the ACL drop packets if the host uses the wrong DSCP codepoint? That way
> you don't need to use extra address space.
>



-- 
Sheng Jiang 蒋胜
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
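As an added illustration of the two checks discussed in this exchange (the source/destination domain comparison Sheng describes, and the ingress drop of packets whose source address carries the "wrong" semantic bits, which Lorenzo notes is what makes the addresses trustworthy in the first place), here is a small filter model. This is example code added for the thread, not code from either poster or from any router vendor; the aggregate prefix, the bit position and width of the semantic field, the domain table and the policy are all assumptions chosen for illustration.

```python
"""Toy ACL enforcing inter-domain policy from security-semantic bits in IPv6
addresses. Added example; the addressing plan below is an assumption."""
import ipaddress
from dataclasses import dataclass

# Assumed plan: the operator's aggregate is 2001:db8::/32 and the 4 bits at
# positions 48..51 (top nibble of the subnet ID) encode a security domain.
AGGREGATE = ipaddress.IPv6Network("2001:db8::/32")
SEM_OFFSET = 48        # first bit of the semantic field, counted from the MSB
SEM_WIDTH = 4

DOMAIN_NAMES = {0x0: "guest", 0x1: "staff", 0x2: "iot", 0xF: "mgmt"}


@dataclass(frozen=True)
class Policy:
    """Ordered (src_domain, dst_domain) pairs that may talk; same-domain
    traffic is always allowed, anything else falls to `default`."""
    allowed: frozenset
    default: str = "drop"


# Assumed policy: staff may reach mgmt and iot, mgmt may reach staff;
# guest and iot may not initiate towards any other domain.
POLICY = Policy(allowed=frozenset({(0x1, 0xF), (0xF, 0x1), (0x1, 0x2)}))


def semantic_domain(addr):
    """Domain id carried in addr, or None if addr lies outside the aggregate
    (its bits then have no defined semantics and must not be interpreted)."""
    a = ipaddress.IPv6Address(addr)
    if a not in AGGREGATE:
        return None
    shift = 128 - SEM_OFFSET - SEM_WIDTH
    return (int(a) >> shift) & ((1 << SEM_WIDTH) - 1)


def ingress_check(src, port_domain):
    """Lorenzo's point: semantic bits are only trustworthy if the edge drops
    packets whose source address does not match the domain assigned to the
    port the packet arrived on. True means the packet may continue."""
    return semantic_domain(src) == port_domain


def decide(src, dst, policy=POLICY):
    """Sheng's check: compare the semantic bits of src and dst and apply the
    inter-domain policy. Returns 'forward', 'drop' or 'unclassified' (one
    side carries no semantics, so ordinary ACLs must decide)."""
    s, d = semantic_domain(src), semantic_domain(dst)
    if s is None or d is None:
        return "unclassified"
    if s == d or (s, d) in policy.allowed:
        return "forward"
    return policy.default


# Constructed sample packets (src, dst); not captured traffic.
SAMPLES = [
    ("2001:db8:0:1000::1", "2001:db8:0:f001::1"),   # staff -> mgmt
    ("2001:db8:0:2abc::5", "2001:db8:0:1000::1"),   # iot   -> staff
    ("2001:db8:0:abc::1",  "2001:db8:0:1000::1"),   # guest -> staff
    ("2001:db8:0:1000::1", "2001:db8:0:1fff::9"),   # staff -> staff
    ("2001:db8:0:1000::1", "2001:4860::8888"),      # staff -> off-net
]


def run_samples():
    """Verdict per sample packet, in SAMPLES order."""
    return [decide(s, d) for s, d in SAMPLES]


if __name__ == "__main__":
    for (s, d), verdict in zip(SAMPLES, run_samples()):
        print(f"{s} -> {d}: {verdict}")
```

The `unclassified` verdict is deliberate: an address outside the aggregate has no semantic field, and silently treating its bits as a domain id is exactly the kind of misinterpretation that would let off-net traffic bypass the policy. Note also that `decide` alone does nothing to stop a host from choosing an address in a more privileged domain; without `ingress_check` at the first hop the comparison is only as trustworthy as DSCP would be.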