On 2013-04-26 16:50, Rajiv Asati (rajiva) wrote:
> Thankfully, in MAP, both CE and BR employ the so-called port-range aware
> uRPF, as Ole well clarified. So, the possibility of any device causing any
> grief to any other device (in the network - CE or outside the network -
> via BR) just does NOT exist.

Right.

In this security model, spoofed packets are allowed to be injected in
the MAP domain. They will travel all the way to their destination. When
they reach it, the spoof check is performed, and at this point they are
dropped.

In other words, in the MAP model the check is at the egress point,
whereas in the BCP38 model the check is at the ingress point.

Egress checking could be well justified, but it needs to at least be
specifically highlighted in the security considerations section.

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
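
The port-range aware source check discussed in this message, as an added example that is not part of the original thread or of any MAP implementation. It assumes the RFC 7597 port layout (A | PSID | M) and that the sender's IPv4 address and PSID have already been derived from its IPv6 source address; `Binding`, the function names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Binding:
    """Shared IPv4 address and port set (PSID) assigned to one CE (constructed model)."""
    ipv4: str
    psid: int

def psid_of_port(port: int, a: int, k: int) -> Optional[int]:
    """PSID that a 16-bit port belongs to, for PSID offset a and PSID length k.
    Returns None for the excluded low ports, where the a-bit A field is zero."""
    if not 0 <= port <= 0xFFFF or a < 0 or k < 0 or a + k > 16:
        raise ValueError("port or rule parameters out of range")
    m = 16 - a - k                      # low bits: ports per contiguous block
    if a > 0 and (port >> (16 - a)) == 0:
        return None
    return (port >> m) & ((1 << k) - 1)

def source_ok(sender: Binding, src_ip: str, src_port: int, a: int, k: int) -> bool:
    """Port-range aware check: the inner IPv4 source must be the sender's
    address AND the source port must lie inside the sender's port set."""
    return src_ip == sender.ipv4 and psid_of_port(src_port, a, k) == sender.psid

def traverse(links: int, check_at: str, valid: bool) -> Tuple[int, bool]:
    """(links crossed inside the domain, delivered?) for one packet.
    check_at='ingress' models BCP38; 'egress' models the check at the destination."""
    if check_at not in ("ingress", "egress"):
        raise ValueError("check_at must be 'ingress' or 'egress'")
    if valid:
        return links, True
    return (0, False) if check_at == "ingress" else (links, False)

if __name__ == "__main__":
    A_BITS, K_BITS = 6, 8               # constructed rule: 256 CEs share one address
    ce = Binding("192.0.2.1", 0x34)     # constructed CE binding
    for ip, port in [("192.0.2.1", 1232), ("192.0.2.1", 1236), ("192.0.2.99", 1232)]:
        ok = source_ok(ce, ip, port, A_BITS, K_BITS)
        print(ip, port, "valid" if ok else "spoofed",
              "ingress:", traverse(5, "ingress", ok),
              "egress:", traverse(5, "egress", ok))
```

Under either placement the spoofed packet is never delivered; with the egress placement it still crosses every link on the path before it is dropped.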