On Tue, 11 Dec 2001, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    Firewall cannot know this without keeping state, as discussed in my draft
>    (and with you :-).
>
> => the state can be kept by the network access control system (which
> cannot be stateless). And stateful firewalls are strictly more powerful
> than stateless firewalls (this is not free of course).

If the state is outsourced but changes rapidly, this is IMO still a
stateful firewall.. and we cannot rely on the existence of AAA, I think.

>    IMO, I greatly dislike stateful firewalls. They're one of the breakers of
>    e2e.
>
> => I dislike all firewalls, but this problem is a threat against
> ingress filtering so an ingress filtering solution is better.

This is a problem that affects all filtering, not just ingress (for source
address).

> PS: ingress filtering is not required, this is only a BCP.
> There is no reason to be stricter.

Filtering is a reality that is here to stay. In the hostile world, we
cannot deny or ignore that.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
