On Wed, 11 Jul 2018 at 22:26, Chris Morrow <morr...@ops-netman.net> wrote:

> > You might want "payload-protocol" for IPv6, except where you really
> > want "next-header".  This is a case where there's not a definite
> > single functional mapping from IPv4 to IPv6.
>
> unclear why that's important here though? you MAY (and probably do)
> have different security requirements between the 2 families, right? so
> you're making a policy in ipv4 and you're making one in ipv6.

The point probably is that if the filter is as such

a) allow smtp to permitted mx
b) drop all smtp
c) permit rest

Then with 'payload-protocol' it works fine. With 'next-header' this
filter is trivial to bypass, allowing the sender to send email to any MX.

However for the lo0 filter it indeed does not matter, as your format should be

a) permit specific thing1
b) permit specific thingN
c) drop rest

No way to bypass c), so it is immaterial whether next-header (cheap) or
payload-protocol (expensive) is used.
-- 
  ++ytti
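As an added illustration (not code from the thread or from Junos), the snippet below shows what the two match types see when the TCP segment of an IPv6 packet sits behind a Hop-by-Hop header: 'next-header' reads one byte of the fixed header, whereas 'payload-protocol' has to walk the extension-header chain before terms a) and b) can match the SMTP port. The packets, the 2001:db8:: addresses and the PERMITTED_MX set are constructed assumptions for the example.

```python
import ipaddress
import struct

IPV6_HDR_LEN, TCP, SMTP_PORT = 40, 6, 25
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
PERMITTED_MX = {"2001:db8::25"}  # constructed address standing in for term a)

def next_header_match(pkt):
    """A 'next-header' match only looks at byte 6 of the fixed IPv6 header."""
    return pkt[6], IPV6_HDR_LEN

def payload_protocol_match(pkt):
    """A 'payload-protocol' match walks the extension-header chain to the
    upper-layer protocol. Returns (protocol, offset of that header); the offset
    is None for a non-initial fragment, whose transport header is absent."""
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return None, None  # truncated chain: nothing to match on
        if nh == FRAGMENT:  # fixed 8 bytes; fragment offset is the high 13 bits of bytes 2-3
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            nh, off = pkt[off], off + 8
            if frag_off:
                return nh, None
        elif nh == AH:  # AH length field counts 32-bit words minus 2
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:  # HOPOPT/Routing/DstOpts: length in 8-octet units, not counting the first
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nh, off

def smtp_filter(pkt, match):
    """Terms a/b/c from the mail, evaluated with the given match function."""
    proto, off = match(pkt)
    if proto == TCP and off is not None and off + 4 <= len(pkt):
        dport = struct.unpack("!H", pkt[off + 2:off + 4])[0]
        if dport == SMTP_PORT:
            dst = str(ipaddress.IPv6Address(pkt[24:40]))
            return "permit" if dst in PERMITTED_MX else "drop"  # a) / b)
    return "permit"  # c)

def ipv6_packet(dst, next_header, payload):
    """Constructed sample packet (not a capture): minimal IPv6 header, src 2001:db8::1."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address(dst).packed + payload

TCP_SYN_TO_25 = struct.pack("!HHIIBBHHH", 40000, SMTP_PORT, 1, 0, 5 << 4, 2, 65535, 0, 0)
HOPOPT_PADN = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])  # next=TCP, ext len 0 (8 bytes), PadN(4)
```

With a Hop-by-Hop header in front of the segment, next_header_match reports protocol 0 and term c) permits the packet, while payload_protocol_match still reaches TCP port 25 and term b) drops it.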
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp