> I did read draft-dupont-ipv6-ingress-filtering-00.txt and it seems to > assume > that the architecture only needs to support ingress at one place. > > => this is a constraint: active network access control is usually done > at one place.
I wasn't talking about network access control - I was talking about ingress filtering. While e.g. an ISP/subscriber relationship might have some network access control that isn't the only place ingress filtering might need to be done. > I don't see any difference between saying > - we can trust the access network to do ingress filtering > - we can trust the host to not use bogus source addresses > > => it seems you have a very bad feeling of your ISP (:-) Yes I do, but I don't trust the whole edge around the whole Internet. There probably exists at least one ISP on the planet that will allow any source address in the packets sent by their subscribers. Thus it needs to be possible to ingress filtering at other places than just the ISP/subscriber boundary. > => what does prevent flexibility is the only current technical > concrete form of trust/responsability is network access control systems. Sorry, wrog subject. We were talking about ingress filtering and not network access control I think :-) Erik -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
