Francis Dupont writes:
> In your previous mail you wrote:
> => the state can be kept by the network access control system (which
> cannot be stateless). And stateful firewalls are strictly more powerful
> than stateless firewalls (this is not free of course).
>
> IMO, I greatly dislike stateful firewalls. They're one of the breakers of
> e2e.
>
> => I dislike all firewalls, but this problem is a threat against
> ingress filtering so an ingress filtering solution is better.

I don't think I agree. Ingress filtering was adopted
primarily because it could be done relatively easily
through RPF checks. It's still pretty much an architectural
hack though, and what we are seeing here is another
manifestation of RPF-break-with-asymmetric-routes, IMO.
I think it's far more productive to go back to first
principles here in light of the new requirements. At
the very least, we should consider whether edge policing
is possible or desirable given the necessity of introducing
new state and signaling. Maybe we ought to consider the
end to end principle again.

Mike
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------