Re: IPv6 RH (was Re: SPD issues)
At 12:38 +0100 10/27/03, Francis Dupont wrote:
> In your previous mail you wrote:
>
> >Perhaps, the decision should be made if either the destination IP or
> >any RH next-hop IP are matching the selector?
>
>=> it should be the IP address in the destination field of the IP header
>when the policy is evaluated.
>
> We did overlook this in 2401, and we ought to be more precise in 2401bis.
>
> The IPv6 destination is what I expect folks would use for selector
> checking, for both outbound and inbound traffic.
>
>=> I agree. In fact, this is part of the multi-protocol selector issue
>(which we decided against) as RHs are extension headers.
>
> We might add a flag that explicitly disallows traffic with routing
> headers, as a local admin control for SPD entries. In the IPv4 case,
> we could do the same re the source route option.
>
> What do folks think?
>
>=> I don't believe this is a good idea because it is the first step towards
>the transformation of SPD entries into firewall rules, i.e., someone can
>propose this in his implementation but this should not be in the standard.
Francis,
SPD entries ARE firewall rules. We are only debating how fancy they
need to be.
Steve
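
The selector behaviour discussed in this thread, as an added example that is not part of the original messages: the SPD lookup is made against the destination field of the IPv6 header as it stands when policy is evaluated, and a per-entry flag can refuse traffic that carries a routing header. The SPD layout, the `deny_routing_header` flag name, the action names and the 2001:db8::/32 documentation addresses are assumptions made for illustration.

```python
import ipaddress
import struct

ROUTING = 43  # IPv6 Next Header value for the Routing extension header

def build_packet(src, dst, rh_addrs=()):
    """Constructed sample: IPv6 header, optionally followed by a type-0 routing header."""
    ext, nxt = b"", 59  # 59 = No Next Header
    if rh_addrs:
        body = b"".join(ipaddress.IPv6Address(a).packed for a in rh_addrs)
        # next header, hdr ext len (8-octet units past the first 8), type, segments left, reserved
        ext = struct.pack("!BBBBI", 59, 2 * len(rh_addrs), 0, len(rh_addrs), 0) + body
        nxt = ROUTING
    fixed = struct.pack("!IHBB", 6 << 28, len(ext), nxt, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext

def parse(pkt):
    """Return (destination field of the IPv6 header, routing-header addresses or None)."""
    dst = ipaddress.IPv6Address(pkt[24:40])
    nxt, off, rh = pkt[6], 40, None
    # Walk only hop-by-hop (0), destination options (60) and routing (43) headers,
    # which share the same (next header, length) layout.
    while nxt in (0, 60, ROUTING):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        size = (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            rh = [ipaddress.IPv6Address(pkt[i:i + 16]) for i in range(off + 8, off + size, 16)]
        nxt, off = pkt[off], off + size
    return dst, rh

def spd_lookup(spd, pkt):
    """First matching entry wins; the selector sees the header destination only."""
    dst, rh = parse(pkt)
    for entry in spd:
        if dst in ipaddress.ip_network(entry["dst"]):
            if rh is not None and entry.get("deny_routing_header"):  # hypothetical flag
                return "DISCARD"
            return entry["action"]
    return "DISCARD"  # no entry matched

if __name__ == "__main__":
    spd = [{"dst": "2001:db8:2::/48", "action": "BYPASS", "deny_routing_header": True}]
    pkt = build_packet("2001:db8:9::1", "2001:db8:2::1", ["2001:db8:1::5"])
    print(parse(pkt), spd_lookup(spd, pkt))
```

The address listed inside the routing header never reaches the selector check; only the flag makes the entry take the header's presence into account.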