On Wed, Aug 08, 2001 at 04:32:18PM +0700, Robert Elz wrote:
> | but also changing over 100,000 lines of distributed policies.
>
> But this one is truly a pain to manage currently. But there's no real
> reason why you should have a single IP address (v4 or v6) in such a database.
> (That is, perhaps excepting a few well known addresses like 127.0.0.1).
>
> That is, I've never yet heard of a policy which says "addresses that start
> with a 10 are allowed in, because I like 10". Rather, the policy is
> "addresses from company X are allowed in" - and then when one looks, one
> sees that addresses from company X start with 10, and no-one else's do,
> so what goes in the policy is "addresses that start with 10" - then the
> router/firewall/whatever has to do less work, its vendor has to do less
> work, and you have to do lots more work. And you're asking for that state
> of affairs to continue?
>
> The policies should be expressed in a form that actually expresses what
> you want to say, and then should be being converted into something that the
> packet forwarding engines can handle (which means, bit values of addresses).
> As soon as that conversion gets to be automated, rather than done manually,
> it becomes trivial to repeat it as frequently as is necessary to keep up
> with any address changes - and what's more to automate that, so that it
> all happens automatically, whenever addresses alter.
Interestingly enough, (and I'm not particularly pro A6), A6 chains
make this easier.
"Allow in all nets referenced by prefix.customer.example.net".
--
David Terrell | "War is peace,
Prime Minister, Nebcorp | freedom is slavery,
[EMAIL PROTECTED] | ignorance is strength
http://wwn.nebcorp.com/ | Dishes are clean." - Chris Fester
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
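The quoted paragraph argues that policy should be written in terms of what it means ("addresses from company X") and compiled automatically into the prefix values a forwarding engine can match, so that a renumbering only requires re-running the compiler. The reply's A6 example is the same idea with DNS as the directory. The script below is an added illustration, not code from the thread or from any IETF work: the entity-to-prefix directory is a constructed in-memory dictionary standing in for whatever lookup (DNS, A6 chain, IPAM) an operator would actually use, the `Rule` class and `compile_policy`/`diff_rules` functions are my own names, and all prefixes are documentation ranges chosen for the example.

```python
"""Compile an entity-level filter policy into prefix rules, then regenerate
after a renumbering and report exactly which prefix rules changed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    entity: str   # what the policy actually means, e.g. a customer name


# Constructed stand-in for the directory that says which prefixes an entity
# holds right now (in the thread this would be DNS / an A6 chain). Addresses
# are RFC 5737 / RFC 3849 documentation ranges, chosen only for illustration.
DIRECTORY_V1 = {
    "customer-x": ["10.0.0.0/8", "2001:db8:1::/48"],
    # two halves of one /24, to show that the compiler aggregates them
    "customer-y": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:2::/48"],
}

# The same directory after customer-x has been renumbered and grown a block.
DIRECTORY_V2 = {
    "customer-x": ["198.51.100.0/24", "2001:db8:1::/48", "2001:db8:10::/48"],
    "customer-y": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:2::/48"],
}

# The policy never mentions an address: it is stable across renumberings.
POLICY = [Rule("allow", "customer-x"), Rule("deny", "customer-y")]


def compile_policy(policy, directory):
    """Expand each entity rule into (action, prefix) pairs.

    Rule order is preserved because filter semantics are first-match.
    Adjacent prefixes are collapsed per address family (collapse_addresses
    refuses mixed v4/v6 input). An entity missing from the directory raises
    instead of silently producing an empty match, which would otherwise turn
    an "allow" into a no-op or a "deny" into an open door.
    """
    compiled = []
    for rule in policy:
        if rule.entity not in directory:
            raise KeyError(f"no prefixes known for entity {rule.entity!r}")
        nets = [ipaddress.ip_network(p) for p in directory[rule.entity]]
        v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
        v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
        for net in list(v4) + list(v6):
            compiled.append((rule.action, str(net)))
    return compiled


def render(compiled):
    """Render the compiled rules as a generic, vendor-neutral ACL listing."""
    return "\n".join(f"{action} from {prefix}" for action, prefix in compiled)


def diff_rules(old, new):
    """Return (added, removed) prefix rules between two compiler runs, which
    is the change set an operator would push after a renumbering."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


if __name__ == "__main__":
    before = compile_policy(POLICY, DIRECTORY_V1)
    after = compile_policy(POLICY, DIRECTORY_V2)
    print("--- generated from directory v1 ---")
    print(render(before))
    print("--- generated from directory v2 ---")
    print(render(after))
    added, removed = diff_rules(before, after)
    print("added:  ", added)
    print("removed:", removed)
```

Because the policy file contains only entity names, the renumbering in `DIRECTORY_V2` changes nothing in `POLICY`; re-running `compile_policy` is the whole of the maintenance work, and `diff_rules` shows the operator (or an automated push) exactly which prefix lines to add and remove on the forwarding devices.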