At 12:46 30/10/00 +1030, Ben Nagy wrote:
>[snip]
>
>That's the bit I thought was impossible (silly me) - IMO it should not send
>packets out of an interface that has a different L3 address unless
>configured to be a router. Kind of like local spoof protection...
The fact is that NICs and IP addresses are different things. The latter belong to IP when the former belong to the link layer. Modularity says that these should stay sufficiently far from each other. Note that systems like Solaris and Linux (among others) that require defining an interface associated with an IP address just encourage the misconception (remember those stupid eth0:14?). The "good" approach is the BSD one: each interface has a list of IP addresses. That's why I like the BSD/OS keyword "add" instead of "alias" in ifconfig. Nothing has ever said that an interface should have _one_ IP address.

These matters are justified by the fact that routing is done on a per-destination basis. Asking for routing to be done on a per-source basis is like asking your mailman to deliver letters sent to a single person using different means depending on whether the letter was sent by you or by your wife: that's possible, but it's complicated and the mailman won't do it for free!

Yes, there are policy-based routing implementations, but they are used in special situations and can't go into standard stacks for performance reasons. The "one parameter" search (only IP destination) allows the use of the simple tree algorithm (PATRICIA is worthy of love), and if you add other search parameters, you're forced to get back to the stupid linear table search (even hash tables are difficult in the presence of multiple wildcard fields).
cheers,
mouss
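The per-destination lookup mouss describes, as an added example that is not part of the original thread: a plain binary trie (not a path-compressed PATRICIA) keyed only on the destination address does longest-prefix match in one tree walk, while a policy table that also matches on a wildcardable source field falls back to a linear, first-match scan. Prefixes, next-hop labels and addresses are constructed for the example.

```python
# Added example, not code from the thread: destination-only trie lookup vs. linear policy scan.
import ipaddress

class PrefixTrie:
    """Destination-keyed routing table: one lookup key, one tree walk."""
    def __init__(self):
        self.root = {}  # node = {'0': child, '1': child, 'nh': next_hop}

    def add(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        bits = format(int(net.network_address), '032b')[:net.prefixlen]
        node = self.root
        for b in bits:
            node = node.setdefault(b, {})
        node['nh'] = next_hop

    def lookup(self, dst):
        """Walk along the destination bits; the deepest node carrying a next hop wins."""
        node, best = self.root, self.root.get('nh')
        for b in format(int(ipaddress.ip_address(dst)), '032b'):
            node = node.get(b)
            if node is None:
                break
            best = node.get('nh', best)
        return best

# Policy rules: (source prefix or None for wildcard, destination prefix, next hop).
# A second key field with wildcards defeats the single tree walk: scan linearly, first match wins.
def policy_lookup(rules, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_pfx, dst_pfx, nh in rules:
        if src_pfx is not None and s not in ipaddress.ip_network(src_pfx):
            continue
        if d in ipaddress.ip_network(dst_pfx):
            return nh
    return None

# Constructed sample tables using documentation (RFC 5737) and private (RFC 1918) ranges.
FIB = PrefixTrie()
FIB.add('0.0.0.0/0', 'via eth0')
FIB.add('10.0.0.0/8', 'via eth1')
FIB.add('10.1.2.0/24', 'via eth2')
POLICY = [('192.0.2.0/24', '0.0.0.0/0', 'via eth3'), (None, '0.0.0.0/0', 'via eth0')]

if __name__ == '__main__':
    print(FIB.lookup('10.1.2.9'), FIB.lookup('10.9.9.9'), FIB.lookup('198.51.100.5'))
    print(policy_lookup(POLICY, '192.0.2.7', '198.51.100.5'), policy_lookup(POLICY, '10.0.0.1', '198.51.100.5'))
```

The trie answers every destination in at most 32 steps regardless of table size, whereas the policy scan grows with the number of rules, which is the performance argument against putting source-based matching in a standard stack.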