On Mon, 10 Dec 2001, Francis Dupont wrote:
> In your previous mail you wrote:
>
> > While such a check is reasonable for a host, a firewall can't actually
> > check this since it doesn't know the relationship between Care of Addresses
> > and Home Addresses.
>
> => I disagree: the firewall doesn't know only if nobody sends the
> information to it. If mobile nodes inside the domain the firewall
> manages send (using the network access control for instance) this
> kind of information to the firewall it should be able to do
> smart ingress filtering for packets with home address option
> (i.e. solve the ingress filtering fouled by home address options
> by a better ingress filtering) and (symmetrically) be able to
> filter out rogue source routing.
Firewall cannot know this without keeping state, as discussed in my draft
(and with you :-).

IMO, I greatly dislike stateful firewalls. They're one of the breakers of
e2e. I don't think we should require stateful firewalls for this.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
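As an added illustration (not from the thread or from either author), the following stand-alone Python model contrasts the two positions: a stateless ingress filter that checks only the outer source address and is therefore blind to the Home Address option, and the stateful variant Francis describes, which also checks the option against care-of/home bindings that mobile nodes are assumed to have registered with the firewall. The packet builder, the /48 prefix and all addresses are constructed sample values; only a leading Destination Options header is parsed.

```python
import ipaddress
import struct

IPPROTO_DSTOPTS = 60     # Destination Options extension header
OPT_HOME_ADDRESS = 201   # Home Address option type (RFC 6275)
NO_NEXT_HEADER = 59

def parse(pkt):
    """Return (source address, home address or None); walks a leading Dest Opts header only."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src, home = ipaddress.IPv6Address(pkt[8:24]), None
    if pkt[6] == IPPROTO_DSTOPTS and len(pkt) >= 42:
        opts = pkt[42:40 + (pkt[41] + 1) * 8]   # options follow the 2-byte ext header
        i = 0
        while i < len(opts):
            if opts[i] == 0:                     # Pad1 is a single byte
                i += 1
                continue
            if i + 1 >= len(opts):
                break                            # truncated option: stop parsing
            typ, length = opts[i], opts[i + 1]
            if typ == OPT_HOME_ADDRESS and length == 16 and i + 18 <= len(opts):
                home = ipaddress.IPv6Address(opts[i + 2:i + 18])
            i += 2 + length
    return src, home

def stateless_allows(pkt, prefix):
    """Classic ingress filtering on the outer source only; the Home Address option is never seen."""
    src, _ = parse(pkt)
    return src in ipaddress.ip_network(prefix)

def stateful_allows(pkt, prefix, bindings):
    """bindings: care-of address -> home address as registered with the firewall (assumed).
    A packet carrying a Home Address option passes only if that exact pair is registered."""
    src, home = parse(pkt)
    known = {ipaddress.IPv6Address(k): ipaddress.IPv6Address(v) for k, v in bindings.items()}
    return src in ipaddress.ip_network(prefix) and (home is None or known.get(src) == home)

def build_packet(src, dst, home=None):
    """Constructed sample packet; PadN puts the option data on the 8n+6
    boundary RFC 6275 requires (ext header = 24 bytes, length field 2)."""
    body, nxt = b"", NO_NEXT_HEADER
    if home is not None:
        body = bytes([NO_NEXT_HEADER, 2, 1, 2, 0, 0, OPT_HOME_ADDRESS, 16])
        body += ipaddress.IPv6Address(home).packed
        nxt = IPPROTO_DSTOPTS
    hdr = struct.pack("!IHBB", 6 << 28, len(body), nxt, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body
```

The stateless check passes any home address as long as the care-of source is topologically inside the prefix; the stateful check needs exactly the per-node state the reply above objects to.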
