> > 1. When processing a Routing Header, hosts should only forward the
> > packet to another node via the same interface by which it arrived.
>
> Is this to prevent bypass of firewall access control?
> If so, why couldn't you just reclassify the packet
> after you pop the routing header against the firewall
> rules again? I'd be a little worried about the implications
> routing loops if you don't follow least cost routing.

The idea is to prevent a multi-homed host from becoming an unintended
conduit for packets between two networks.

I'm not sure I understand your comment about least-cost routing, but
there are already situations where some implementations restrict an
outgoing packet to the same interface as the incoming packet, for example
when sending ICMP errors.

> > 2. When processing a Routing Header, nodes should compare the scope
> > of the current and new destination addresses and only forward the
> > packet if the new destination address has scope equal or greater
> > than the old destination scope.
>
> Again, this seems to be trying to enforce something
> from within the routing system which is usually
> enforced by access control lists at border gateways.
> IP-IP encapsulation would yield the same result, and
> it seems to me that you just want to set up a rule
> at your site border router that just precludes site
> local addresses from entering the site *regardless*
> of how they get there. I'm a little worried that to
> put in half-measures in ipv6's treatment of site/link
> locals might lull people into a potentially false sense
> of security if there are other cases which are missed.

It's true there are many pieces that have to be covered to enforce
containment of scope addresses. For example, having routers check the
scope of source addresses. I do not view scoped address containment as
something which is usually enforced by access control lists.

Rich
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
--------------------------------------------------------------------
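
The two proposed Routing Header checks discussed in this thread, as an added sketch that is not part of the original message or of any IPv6 stack's code. The function names, interface names and sample addresses are assumptions made for illustration, and only unicast link-local (fe80::/10), site-local (fec0::/10) and global scopes are modelled.

```python
import ipaddress
from enum import IntEnum

class Scope(IntEnum):
    """Unicast scopes, ordered so that a larger value means a wider scope."""
    LINK_LOCAL = 1
    SITE_LOCAL = 2
    GLOBAL = 3

LINK_LOCAL_NET = ipaddress.ip_network("fe80::/10")
SITE_LOCAL_NET = ipaddress.ip_network("fec0::/10")

def scope_of(addr):
    """Classify a unicast IPv6 address by its prefix."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        raise ValueError(f"{addr}: multicast is not handled in this sketch")
    if a in LINK_LOCAL_NET:
        return Scope.LINK_LOCAL
    if a in SITE_LOCAL_NET:
        return Scope.SITE_LOCAL
    return Scope.GLOBAL

def may_forward(old_dst, new_dst, in_if, out_if, is_host):
    """Decide whether to forward once the Routing Header has swapped the destination."""
    # Check 1 (hosts only): never relay between interfaces, so a multi-homed
    # host cannot become a conduit between its two networks.
    if is_host and in_if != out_if:
        return False, "rule 1: host would forward out a different interface"
    # Check 2 (all nodes): the new destination's scope must not be narrower.
    old_scope, new_scope = scope_of(old_dst), scope_of(new_dst)
    if new_scope < old_scope:
        return False, f"rule 2: scope narrows {old_scope.name} -> {new_scope.name}"
    return True, "ok"

# Constructed sample packets: (old_dst, new_dst, in_if, out_if, is_host)
SAMPLES = [
    ("2001:db8:1::10", "2001:db8:2::20", "eth0", "eth1", True),   # host, other interface
    ("2001:db8:1::10", "2001:db8:1::20", "eth0", "eth0", True),   # host, same interface
    ("2001:db8:1::10", "fec0::20", "eth0", "eth1", False),        # router, global -> site-local
    ("fe80::1", "2001:db8:2::20", "eth0", "eth0", False),         # router, link-local -> global
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", may_forward(*sample))
```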