[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: (v6ops) WG Last Call: draft-ietf-v6ops-renumbering-procedure-00.txt (fwd)
On Mon, Jun 21, 2004 at 09:49:13AM +0200, Eliot Lear wrote:
> One of us has missed the point. Firewalls today filter packets based on
> destination address. While I would agree that filtering on a source
> FROM the Internet would be foolish, different hosts on the perimeter may
> require different levels of protection. Regardless, those rules exist
> today inside firewalls and would need to be changed, and that's what
> we're saying.
It's probablymuch more common than you'd fear that sites use source address
based filtering in firewalls. And of course that's the snag that the
firewall rules need updating (or at least reloading/resolving) on remote
site firewalls not just on the renumbering site. There's also plenty of
examples of source IP based access controls in other places, e.g. in the
transport layer in TCP wrapper configuration files, or in the application
layer with, e.g., IP-based access control to web resources (publisher
material being a common one in academic circles - a big university is granted
access by it's whole Class B site block).
> Want to make it easier? Great. I'm all ears. Perhaps that will be the
> killer app for IPv6, but I doubt it. My motivation was really to make
> incremental progress on eliminating the need for site-local and natting.
I think the scope and motivation is very good :)