Today, if a user generates a packet using an illegal IPv4 source address, what would we do? We could drop the packet silently by doing source-verify. So, tomorrow if a user uses an illegal port, IMHO AFTR should drop the packet silently.

On 3/20/12 9:06 AM, "Alain Durand" <[email protected]> wrote:

>It is necessary because the AFTR is the only place where we can enforce
>IPv4 ingress filtering, i.e. put ACLs to check
>that the incoming tunneled traffic from any given customer is using a
>legitimate IPv4 address and source port.
>When the incoming traffic does not match those ingress filtering rules,
>an ICMP error message must be returned.
>The idea in SD-NAT is to use this ICMP message to carry the information
>about the correct port range to use.

_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
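
The ingress check discussed in this thread, as an added example that is not part of the original messages or of any AFTR implementation: it parses a tunneled IPv4-in-IPv6 packet, compares the inner source address and source port with the customer's binding, and returns either verdict proposed above (`drop` for the silent drop, `icmp` for the ICMP error). The binding table, function names, verdict strings and the choice to always drop malformed or unknown-tunnel packets are assumptions; the SD-NAT ICMP message itself is not modeled.

```python
import ipaddress
import struct

# Constructed binding table (assumption): softwire IPv6 source -> assigned
# IPv4 address and inclusive source-port range for that customer.
BINDINGS = {
    ipaddress.ip_address("2001:db8::1"): (ipaddress.ip_address("192.0.2.1"), 1024, 2047),
}

def check_ingress(pkt: bytes, on_violation: str = "drop") -> str:
    """Return 'forward', or on_violation ('drop' or 'icmp') for a filter miss."""
    # Outer IPv6 header is 40 bytes; next header 4 means IPv4-in-IPv6.
    if len(pkt) < 40 + 20 or pkt[0] >> 4 != 6 or pkt[6] != 4:
        return "drop"  # not a well-formed softwire packet
    binding = BINDINGS.get(ipaddress.ip_address(pkt[8:24]))
    if binding is None:
        return "drop"  # unknown tunnel endpoint, nobody to signal
    inner = pkt[40:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return "drop"
    addr, lo, hi = binding
    if ipaddress.ip_address(inner[12:16]) != addr:
        return on_violation  # illegal IPv4 source address
    frag_offset = struct.unpack("!H", inner[6:8])[0] & 0x1FFF
    # Simplification: only first fragments of TCP (6) / UDP (17) carry a port.
    if inner[9] in (6, 17) and frag_offset == 0:
        (sport,) = struct.unpack("!H", inner[ihl:ihl + 2])
        if not lo <= sport <= hi:
            return on_violation  # illegal source port
    return "forward"

def build_packet(tunnel_src: str, ipv4_src: str, sport: int) -> bytes:
    """Constructed sample: IPv6 header + IPv4 header + 8-byte UDP header."""
    udp = struct.pack("!HHHH", sport, 53, 8, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ipaddress.ip_address(ipv4_src).packed,
                       ipaddress.ip_address("198.51.100.7").packed)
    payload = ipv4 + udp
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), 4, 64,
                       ipaddress.ip_address(tunnel_src).packed,
                       ipaddress.ip_address("2001:db8::ffff").packed)
    return ipv6 + payload
```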
