I agree, Simon.

Cheers,
Rajiv

-----Original Message-----
From: Simon Perreault <[email protected]>
Date: Friday, April 26, 2013 11:22 AM
To: Rajiv Asati <[email protected]>
Cc: Ole Troan <[email protected]>, Softwires-wg list <[email protected]>
Subject: Re: [Softwires] MAP based attribution and spoofing

>On 2013-04-26 16:50, Rajiv Asati (rajiva) wrote:
>> Thankfully, in MAP, both CE and BR employ the so-called port-range aware
>> uRPF, as Ole well clarified. So, the possibility of any device causing
>> any grief to any other device (in the network - CE or outside the network -
>> via BR) just does NOT exist.
>
>Right.
>
>In this security model, spoofed packets are allowed to be injected in
>the MAP domain. They will travel all the way to their destination. When
>they reach it, the spoof check is performed, and at this point they are
>dropped.
>
>In other words, in the MAP model the check is at the egress point,
>whereas in the BCP38 model the check is at the ingress point.
>
>Egress checking could be well justified, but it needs to at least be
>specifically highlighted in the security considerations section.
>
>Simon
>--
>DTN made easy, lean, and smart --> http://postellation.viagenie.ca
>NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
>STUN/TURN server --> http://numb.viagenie.ca
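The two check placements contrasted in this thread, as an added example that is not part of either message: a simplified port-range aware source check, run once with the check only at the BR (egress) and once with an additional first-hop check (ingress, BCP38 style). The rule parameters, addresses and hop names are constructed assumptions; the port and interface-identifier layouts follow the MAP encoding as later published in RFC 7597, and the check compares only the interface-identifier fields rather than the full mapped address.

```python
import ipaddress

# Assumed MAP rule parameters (constructed for illustration, not from the thread)
OFFSET_BITS = 6   # "a": leading port bits, must be non-zero for a usable port
PSID_LEN = 8      # "k": port bits that identify which CE owns the port

def psid_of(port):
    """Return the PSID a port falls in, or None if it is outside every port set."""
    m = 16 - OFFSET_BITS - PSID_LEN
    if port >> (16 - OFFSET_BITS) == 0:   # A == 0: excluded ports (0-1023 here)
        return None
    return (port >> m) & ((1 << PSID_LEN) - 1)

def iid_binding(ipv6_src):
    """Read (IPv4 address, PSID) from the interface identifier: 16 zero bits | IPv4 | PSID."""
    iid = int(ipaddress.IPv6Address(ipv6_src)) & ((1 << 64) - 1)
    return ipaddress.IPv4Address((iid >> 16) & 0xFFFFFFFF), iid & 0xFFFF

def consistent(pkt):
    """Port-range aware check: inner IPv4 source and port must match the outer IPv6 source."""
    v4, psid = iid_binding(pkt["outer_src"])
    return (ipaddress.IPv4Address(pkt["inner_src"]) == v4
            and psid_of(pkt["inner_sport"]) == psid)

def forward(pkt, path):
    """Walk pkt along path of (hop name, checks_source); return (fate, hops traversed)."""
    for hops, (name, checks) in enumerate(path, start=1):
        if checks and not consistent(pkt):
            return f"dropped at {name}", hops
    return "delivered", len(path)

# Constructed sample: this CE owns 192.0.2.18 with PSID 0x34 (hypothetical hop names).
CE_V6 = "2001:db8:12:3400:0:c000:212:34"
EGRESS_MODEL = [("access router", False), ("core", False), ("BR", True)]
INGRESS_MODEL = [("access router", True), ("core", False), ("BR", True)]
legit = {"outer_src": CE_V6, "inner_src": "192.0.2.18",
         "inner_sport": 0x0400 | (0x34 << 2)}
# Same outer source, but the inner port belongs to a neighbouring PSID (0x35).
spoof = dict(legit, inner_sport=0x0400 | (0x35 << 2))

if __name__ == "__main__":
    for label, path in (("egress", EGRESS_MODEL), ("ingress", INGRESS_MODEL)):
        print(label, forward(legit, path), forward(spoof, path))
```

In the egress-only run the inconsistent packet crosses every hop before the BR drops it, which is the behaviour the quoted message asks to have highlighted in the security considerations.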
