
Re: IPv6 RH (was Re: SPD issues)



At 12:38 +0100 10/27/03, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    >Perhaps, the decision should be made if either the destination IP or
>    >any RH next-hop IP are matching the selector?
>   
>=> it should be the IP address in the destination field of the IP header
>when the policy is evaluated.
>   
>    We did overlook this in 2401, and we ought to be more precise in 2401bis.
>   
>    The IPv6 destination is what I expect folks would use for selector
>    checking, for both outbound and inbound traffic.
>   
>=> I agree. In fact, this is part of the multi-protocol selector issue
>(which we decided against) as RHs are extension headers.
>
>    We might add a flag that explicitly disallows traffic with routing
>    headers, as a local admin control for SPD entries.  In the IPv4 case,
>    we could do the same re the source route option.
>   
>    What do folks think?
>   
>=> I don't believe this is a good idea because it is the first step towards
>the transformation of SPD entries into firewall rules, i.e., someone can
>propose this in his implementation but this should not be in the standard.

Francis,

SPD entries ARE firewall rules.  We are only debating how fancy they 
need to be.

Steve