I guess that one of the problems with using identifiers is how can you trust the identifiers in the packet? I mean, if you include both the ID and the locator in the packet, e.g. a tunnel, the source locator has some inherent security features, since it is the token that will be used by the routing system to send packets back,

Don't assume this.

so spoofing it will result in return packets going somewhere else.
The identifier does not have such property and spoofing it is trivial.

You could do an EID-to-RLOC map check at access points (i.e. PE routers). That is just a different form of URPF.

I guess that if we want to use identifiers in the ACL and make them minimally useful, the device holding the ACL needs to verify the ID-loc mapping, which seems somehow more complex than current practice.

On the PE box, you may know what customer link has EID-prefixes and do the ACL there.

Dino
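The two checks discussed above (an EID-to-RLOC map check on a decapsulating router, and a uRPF-style check on the PE that knows which customer link carries which EID-prefixes), as an added example that is not part of the thread. The mapping database, link names, prefixes and addresses are constructed placeholders.

```python
import ipaddress

# Constructed mapping database: EID-prefix -> set of RLOCs allowed to
# originate encapsulated packets for it (what a map check would consult).
MAP_DB = {
    ipaddress.ip_network("10.1.0.0/16"): {"192.0.2.1", "192.0.2.2"},
    ipaddress.ip_network("10.2.0.0/16"): {"198.51.100.7"},
}

# Constructed PE view: customer link -> EID-prefixes assigned to that link.
CUSTOMER_LINKS = {
    "ge-0/0/1": [ipaddress.ip_network("10.1.0.0/16")],
    "ge-0/0/2": [ipaddress.ip_network("10.2.0.0/16")],
}


def longest_match(eid, prefixes):
    """Return the most specific prefix covering eid, or None."""
    addr = ipaddress.ip_address(eid)
    hits = [p for p in prefixes if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


def check_encapsulated(inner_src_eid, outer_src_rloc):
    """Decapsulating router: is the outer source RLOC one of the locators
    registered for the inner source EID? The locator is what return traffic
    follows, so a spoofed EID paired with an unregistered RLOC is dropped."""
    prefix = longest_match(inner_src_eid, MAP_DB)
    if prefix is None:
        return "drop: no mapping for EID"
    if outer_src_rloc not in MAP_DB[prefix]:
        return "drop: RLOC not registered for EID-prefix"
    return "accept"


def check_customer_ingress(ingress_link, src_eid):
    """PE facing the customer: the source EID must fall inside a prefix
    assigned to the link it arrived on (uRPF applied to identifiers)."""
    prefixes = CUSTOMER_LINKS.get(ingress_link, [])
    if longest_match(src_eid, prefixes) is None:
        return "drop: EID not assigned to ingress link"
    return "accept"
```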

_______________________________________________
rrg mailing list
https://www.irtf.org/mailman/listinfo/rrg