Noel Chiappa <[email protected]> wrote:
> From: Brian E Carpenter <[email protected]>
> Isn't this in fact a (perceived) problem with the multi-prefix model?
> If an endpoint has multiple locators, then any site that puts one of
> those locators in an ACL needs to put all of them in the ACL.
Why are people putting locators in ACLs anyway?
I guess that one of the problems with using identifiers is how can you
trust the identifiers in the packet?
I mean, if you include both the ID and the locator in the packet e.g. a
tunnel, the source locator has some inherent security features, since
it is the token that will be used by the routing system to send packets
back, so spoofing it will result in return packets going somewhere else.
The identifier does not have such a property and spoofing it is trivial.
I guess that if we want to use identifiers in the ACL and make them
minimally useful, the device holding the ACL needs to verify the ID loc
mapping, which seems somehow more complex than current practice.
Regards, marcelo
(Note: This is not the same thing as the question 'why is the hardware
looking at locators to implement ACLs?'. Looking at locators might be a fine
engineering choice for the _implementation_ of ACLs.)
Noel
_______________________________________________
rrg mailing list
[email protected]
https://www.irtf.org/mailman/listinfo/rrg
--
----
MARCELO BAGNULO BRAUN
WebCartero
Universidad Carlos III de Madrid