[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 RH (was Re: SPD issues)

To: Vijay Devarapalli <vijayd@iprg.nokia.com>
Subject: Re: IPv6 RH (was Re: SPD issues)
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Mon, 27 Oct 2003 11:35:36 -0500
cc: Stephen Kent <kent@bbn.com>, Eric Vyncke <evyncke@cisco.com>, ipsec@lists.tislabs.com
In-Reply-To: Your message of "Mon, 27 Oct 2003 08:20:15 PST." <3F9D45BF.8060701@iprg.nokia.com>
Reply-to: sommerfeld@east.sun.com
Sender: owner-ipsec@lists.tislabs.com

> > We might add a flag that explicitly disallows traffic with routing 
> > headers, as a local admin control for SPD entries.  
> 
> I think this is a bad idea. the local admin should use a firewall
> to restrict traffic with routing headers if needed. he shouldnt
> use the SPD to do this. we might accidentaly turn off protocols
> which make use of routing headers.

Huh?  You might accidentally disable stuff you need at an SPD-based
policy enforcment point, or accidentally disable stuff you need with a
"firewall".  What's the difference?

Any code which consults the SPD to do policy enforcement can be
thought of as a "firewall".

						- Bill

Follow-Ups:
- Re: IPv6 RH (was Re: SPD issues)
  - From: Henry Spencer <henry@spsystems.net>

References:
- Re: IPv6 RH (was Re: SPD issues)
  - From: Vijay Devarapalli <vijayd@iprg.nokia.com>

Prev by Date: Re: 2401bis issue 91 -- Handling ICMP error messages
Next by Date: Re: IPv6 RH (was Re: SPD issues)
Prev by thread: Re: IPv6 RH (was Re: SPD issues)
Next by thread: Re: IPv6 RH (was Re: SPD issues)
Index(es):
- Date
- Thread