Hi Tony,

You wrote:

> Unfortunately, the practice of putting remote addresses into firewall ACLs
> is all too common. Of course, there's a name we have for sites that do
> this: pwned.
>
> That said, this is such a colossally bad practice, that I would have no
> trouble supporting architectures that forced people to rethink this.

The hardware has to filter packets based on the IP addresses in the header. It can't very well do some conversion from the IP address to some FQDN-like string of text and do a comparison on that, every time a packet arrives. So the router's filter needs an IP address, and perhaps a prefix length as well.

If you want to be able to instruct the router in some other way than an IP address, then I guess you would have to use a FQDN or something else which can be resolved to an IP address by DNS or some other system outside the router. That involves several things:

Firstly, the resolution needs to be done by some robust, secure, global mapping system: DNS or something else.

Secondly, the entity you want to refer to must have an entry in that system.

Thirdly, that system must be updated when the entity to be filtered changes its IP address.

Fourthly, the router needs to find this out ASAP, so it can update its IP address.

So I think that in addition to specifying a FQDN or similar, you would also need to specify a frequency of update, to tell the router how often it should check with the DNS or whatever to convert the FQDN or whatever into an IP address.

One problem is that the router could spend a lot of time doing these DNS lookups, including for things it never in fact sees packets for. How many routers are there in a network which need this IP address? That could be a lot of DNS activity.

Another problem is that the filtering might not be just on an IP address, but on the base address of a prefix, and a prefix length. If that changes, then the global query server system can't just return an IP address; it needs to return a prefix length too.
Maybe DNS could be updated to do this, or another mapping system could do the job.

- Robin

--
to unsubscribe send a message to [EMAIL PROTECTED] with the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
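The refresh loop Robin sketches (an ACL entry names a host by FQDN, the router re-resolves it on a configured interval, and the data plane only ever compares addresses) can be modelled in a few dozen lines. The script below is an added example, not code from the post or from any router vendor: the `FAKE_DNS` table, `resolve`, `FqdnRule` and `FqdnAcl` are all constructed here so it runs offline. It makes the two caveats from the message concrete: between refreshes the filter keeps matching the old address (and rejects the new one), and a DNS A record carries no prefix length, so a rule meant to cover a whole prefix has to state that length separately.

```python
"""Model of a firewall ACL whose entries name hosts by FQDN rather than by IP.

Added example, not from the mailing-list post.  Control plane: a timer
re-resolves each FQDN every `refresh_interval` seconds.  Data plane:
`permits()` is a plain address/prefix comparison with no DNS involved.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for DNS: fqdn -> list of A records.  A real router
# would query a resolver; the table is mutated in demo() to simulate a move.
FAKE_DNS = {
    "vpn-peer.example.com": ["203.0.113.10"],
    "partner-net.example.com": ["198.51.100.0"],
}


def resolve(fqdn):
    """Hypothetical lookup: returns the A records currently published."""
    return list(FAKE_DNS.get(fqdn, []))


@dataclass
class FqdnRule:
    fqdn: str
    refresh_interval: int          # seconds between re-resolutions
    prefix_len: int = 32           # DNS returns hosts; a prefix length must be configured
    last_refresh: float = -1.0
    networks: list = field(default_factory=list)

    def due(self, now):
        return self.last_refresh < 0 or now - self.last_refresh >= self.refresh_interval

    def refresh(self, now):
        """Re-resolve and rebuild the address set the data plane filters on."""
        self.networks = [
            ipaddress.ip_network(f"{addr}/{self.prefix_len}", strict=False)
            for addr in resolve(self.fqdn)
        ]
        self.last_refresh = now
        return self.networks


class FqdnAcl:
    def __init__(self, rules):
        self.rules = list(rules)
        self.lookups = 0  # resolutions performed: the DNS load the post worries about

    def tick(self, now):
        """Control-plane timer: refresh every rule whose interval has elapsed."""
        for r in self.rules:
            if r.due(now):
                r.refresh(now)
                self.lookups += 1

    def permits(self, src_ip):
        """Data-plane check: pure address/prefix comparison."""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for r in self.rules for net in r.networks)


def demo():
    """Walk through a peer changing address; returns the observations as a dict."""
    acl = FqdnAcl([
        FqdnRule("vpn-peer.example.com", refresh_interval=300),
        FqdnRule("partner-net.example.com", refresh_interval=300, prefix_len=24),
    ])
    acl.tick(now=0)
    results = {
        "initial_peer": acl.permits("203.0.113.10"),
        "partner_host": acl.permits("198.51.100.77"),   # covered only because /24 was configured
    }
    # The peer moves and DNS is updated at once, but the router's interval has not elapsed.
    FAKE_DNS["vpn-peer.example.com"] = ["203.0.113.99"]
    acl.tick(now=60)
    results["stale_old_still_permitted"] = acl.permits("203.0.113.10")
    results["new_addr_blocked_until_refresh"] = not acl.permits("203.0.113.99")
    acl.tick(now=300)  # interval elapsed: both rules re-resolved
    results["new_addr_after_refresh"] = acl.permits("203.0.113.99")
    results["old_addr_after_refresh"] = acl.permits("203.0.113.10")
    results["lookups"] = acl.lookups
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interval is the knob Robin asks for: a short one narrows the staleness window at the cost of more lookups per router, and the `lookups` counter shows that cost growing with rule count and refresh rate even when no packet ever arrives for the rule.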
