In your previous mail you wrote:

   Firewall cannot know this without keeping state, as discussed in my draft (and with you :-).

=> the state can be kept by the network access control system (which cannot be stateless). And stateful firewalls are strictly more powerful than stateless firewalls (this is not free of course).

   IMO, I greatly dislike stateful firewalls. They're one of the breakers of e2e.

=> I dislike all firewalls, but this problem is a threat against ingress filtering so an ingress filtering solution is better.

   I don't think we should require stateful firewalls for this.

=> I am afraid that if we ignore the problem the result will be the filtering of all packets with more than two addresses as it is the case for IPv4: we have to make a compromise...

Regards

[EMAIL PROTECTED]

PS: ingress filtering is not required, this is only a BCP. There is no reason to be stricter.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
