maqiufang (A) <[email protected]> wrote:
> Instead of simply stating that the controller will translate group
> information into required IP/MAC address and deliver address-based
> ACEs to the PEP devices, the draft also allows the device to perform
> UCL-based policy if it can understand the group information, e.g., if a
> group identity could be carried in the packet header [1].
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-nvo3-encap/ see sec. 6.2.3
As I understand NVO3 (and GENEVE), it is an encapsulation layer that runs on
top of UDP and can carry Ethernet packets. (I've deployed a few of
these things.)
But, in this context, I'm unclear if the UCL-ACL would apply to the outer
IP/UDP header or to the inner one.
If there were reasons to apply rules to the inner one, wouldn't it make more
sense to have a PEP at the NVO3 encapsulation point?
If it would make sense to apply rules to the outer one, would it be easier to
just have more than one tunnel?
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
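To make the inner-versus-outer question above concrete, here is an added example (editor's code, not from this thread, the UCL draft or the NVO3 draft). It builds a constructed GENEVE-over-UDP frame whose outer IPv4 header names the two tunnel endpoints and whose inner Ethernet/IPv4 frame names two tenant hosts, then evaluates a plain address-based ACE against each header. The GENEVE base header and option TLV layout follow RFC 8926; the option class/type used to carry a "group identifier" is a hypothetical placeholder and is not the encoding of any draft. The addresses, VNI and group value are constructed sample data.

```python
"""Decapsulate GENEVE-over-UDP and evaluate an address ACE on the outer vs. inner header.

Added example; not code from the OPSAWG thread or the NVO3/UCL drafts.
"""
import ipaddress
import struct

GENEVE_UDP_PORT = 6081          # IANA-assigned GENEVE UDP destination port
PROTO_TRANSPARENT_ETH = 0x6558  # GENEVE Protocol Type: payload is an Ethernet frame
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# HYPOTHETICAL option class/type used only to show where a group identifier
# could ride in the GENEVE option TLVs. Not the encoding of any published draft.
HYPO_GROUP_OPT_CLASS = 0xFFFE
HYPO_GROUP_OPT_TYPE = 0x01


def _ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left zero; we only parse it here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _geneve_option(opt_class, opt_type, data):
    """Option TLV: Class(16) Type(8) Rsvd(3)+Len(5); Len counts 4-byte words of data."""
    assert len(data) % 4 == 0
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def _geneve(vni, options, payload):
    """RFC 8926 base header: Ver(2) OptLen(6) | O C Rsvd(6) | Protocol Type | VNI(24) Rsvd(8)."""
    assert len(options) % 4 == 0
    return struct.pack("!BBHI", len(options) // 4, 0, PROTO_TRANSPARENT_ETH, vni << 8) + options + payload


def build_sample_frame():
    """Constructed sample: VTEPs 192.0.2.1 -> 192.0.2.2 carrying tenant 10.1.1.5 -> 10.2.2.7."""
    inner_ip = _ipv4("10.1.1.5", "10.2.2.7", IPPROTO_UDP, _udp(40000, 53, b"tenant-payload!!"))
    inner_eth = bytes([0x02, 0, 0, 0, 0, 2]) + bytes([0x02, 0, 0, 0, 0, 1]) + struct.pack("!H", ETHERTYPE_IPV4)
    group_opt = _geneve_option(HYPO_GROUP_OPT_CLASS, HYPO_GROUP_OPT_TYPE, struct.pack("!I", 42))
    geneve = _geneve(0xABCDE, group_opt, inner_eth + inner_ip)
    return _ipv4("192.0.2.1", "192.0.2.2", IPPROTO_UDP, _udp(49152, GENEVE_UDP_PORT, geneve))


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    hdr = {"src": str(ipaddress.IPv4Address(buf[12:16])),
           "dst": str(ipaddress.IPv4Address(buf[16:20])), "proto": buf[9]}
    return hdr, buf[ihl:total_len]


def parse_udp(buf):
    sport, dport, length, _ = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport}, buf[8:length]


def parse_geneve(buf):
    b0, _, proto_type, vni_field = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (b0 & 0x3F) * 4
    options, off = {}, 8
    while off < opt_end:
        cls, typ, len_byte = struct.unpack("!HBB", buf[off:off + 4])
        dlen = (len_byte & 0x1F) * 4
        options[(cls, typ & 0x7F)] = buf[off + 4:off + 4 + dlen]  # top bit of Type is the critical flag
        off += 4 + dlen
    return {"vni": vni_field >> 8, "proto_type": proto_type, "options": options}, buf[opt_end:]


def decapsulate(frame):
    """Return the outer (tunnel) IPv4 header, the GENEVE header and the inner (tenant) IPv4 header."""
    outer_ip, rest = parse_ipv4(frame)
    outer_udp, rest = parse_udp(rest)
    if outer_udp["dport"] != GENEVE_UDP_PORT:
        raise ValueError("not GENEVE")
    gnv, rest = parse_geneve(rest)
    if gnv["proto_type"] != PROTO_TRANSPARENT_ETH or struct.unpack("!H", rest[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not Ethernet/IPv4")
    inner_ip, _ = parse_ipv4(rest[14:])
    return {"outer": outer_ip, "geneve": gnv, "inner": inner_ip}


def ace_matches(ace, ip_hdr):
    """Address-based ACE: source and destination must both fall in the ACE's prefixes."""
    return (ipaddress.ip_address(ip_hdr["src"]) in ipaddress.ip_network(ace["src"])
            and ipaddress.ip_address(ip_hdr["dst"]) in ipaddress.ip_network(ace["dst"]))


def group_id(decap):
    """Hypothetical group identifier carried as a GENEVE option, or None if absent."""
    data = decap["geneve"]["options"].get((HYPO_GROUP_OPT_CLASS, HYPO_GROUP_OPT_TYPE))
    return struct.unpack("!I", data)[0] if data else None


if __name__ == "__main__":
    d = decapsulate(build_sample_frame())
    ace = {"src": "10.1.0.0/16", "dst": "10.2.0.0/16", "action": "deny"}
    print("outer header matches tenant ACE:", ace_matches(ace, d["outer"]))  # False: only VTEPs visible
    print("inner header matches tenant ACE:", ace_matches(ace, d["inner"]))  # True
    print("group id from option:", group_id(d))
```

The point the example makes is the one raised in the message: a PEP that only sees the outer header can match tunnel endpoints, not tenant hosts, so a tenant-address ACE installed there never fires, while a PEP at the encapsulation point (or one that decapsulates, as `decapsulate` does) sees the inner addresses and any group identifier carried in the options.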
