Re: Simple Security - Layered Filtering should be in the document
At 08:38 AM 7/30/2009, Iljitsch van Beijnum wrote:
On 30 jul 2009, at 16:53, Yaron Sheffer wrote:
For the sake of argument, if *all* the current <something>-in-IPv6
are standardized, then presumably they *will* go into mainstream OSes.
So whenever there's a new protocol there must be a new filter?
Maybe not for home gateways, but for true policy enforcement points
in the network, yes, that is the case.
Isn't it simpler for the hosts that don't want to receive certain
packets to not run the protocol?
Sure. If all the valuable possessions in my home were unremovably
bolted to the floor, and it was impossible for anyone without the
retinal patterns and fingerprints of my direct family and invited
friends to touch any of those things, then yes, I would have no need
for the locks on my home's doors. Likewise, if hosts were perfect at
protecting themselves and the network infrastructure between them
across all subnets, then there would be no need for network perimeter filters.