[rrg] Remote ACLs [Proposals which match rrg architectures.htmlpls check the page]

MARCELO BAGNULO BRAUN marcelo at it.uc3m.es
Mon Jan 5 03:05:24 PST 2009


Noel Chiappa <jnc at mercury.lcs.mit.edu> said:

>    > From: Brian E Carpenter <brian.e.carpenter at gmail.com>
>
>    > Isn't this in fact a (perceived) problem with the multi-prefix model?
>    > If an endpoint has multiple locators, then any site that puts one of
>    > those locators in an ACL needs to put all of them in the ACL.
>
> Why are people putting locators in ACLs anyway?

I guess that one of the problems with using identifiers is how can you 
trust the identifiers in the packet?
I mean, if you include both the ID and the locator in the packet, e.g. a 
tunnel, the source locator has some inherent security features, since 
it is the token that will be used by the routing system to send packets 
back, so spoofing it will result in the return packet going somewhere else.
The identifier does not have such a property and spoofing it is trivial.
I guess that if we want to use identifiers in the ACL and make them 
minimally useful, the device holding the ACL needs to verify the ID-loc 
mapping, which seems somehow more complex than current practice.

Regards, marcelo

>
> (Note: This is not the same thing as the question 'why is the hardware
> looking at locators to implement ACLs?'. Looking at locators might be a fine
> engineering choice for the _implementation_ of ACLs.)
>
> 	Noel
> _______________________________________________
> rrg mailing list
> rrg at irtf.org
> https://www.irtf.org/mailman/listinfo/rrg
>



-- 
----
MARCELO BAGNULO BRAUN
WebCartero
Universidad Carlos III de Madrid
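As an added illustration of the trade-off discussed in this message (example code, not from the thread or any rrg proposal), the following Python simulation compares three ACL evaluation rules: identifier-only, locator-only with an incomplete locator list, and identifier with ID/locator mapping verification. All identifiers, locators and the mapping table are constructed for the example.

```python
from dataclasses import dataclass

# Constructed ID -> locator mapping (not from the thread): the table the
# ACL-holding device would consult to verify the ID/loc binding of a packet.
MAPPING = {
    "id:alice": {"loc:10.0.1.1", "loc:10.0.2.1"},  # multi-homed: two locators
    "id:bob": {"loc:10.0.3.1"},
}

@dataclass(frozen=True)
class Packet:
    src_id: str   # identifier written by the sender; trivially forgeable
    src_loc: str  # locator the routing system uses to send replies back

def acl_by_id(pkt: Packet, allowed_ids: set) -> bool:
    """ID-only ACL: trusts whatever identifier the sender put in the packet."""
    return pkt.src_id in allowed_ids

def acl_by_loc(pkt: Packet, allowed_locs: set) -> bool:
    """Locator-only ACL: correct only if every locator of the host is listed."""
    return pkt.src_loc in allowed_locs

def acl_by_id_verified(pkt: Packet, allowed_ids: set, mapping: dict) -> bool:
    """ID ACL that also checks the source locator is registered for that ID."""
    if pkt.src_id not in allowed_ids:
        return False
    return pkt.src_loc in mapping.get(pkt.src_id, set())

def evaluate(pkt: Packet) -> dict:
    """Apply all three rules for a policy meant to admit only 'alice'."""
    allowed_ids = {"id:alice"}
    allowed_locs = {"loc:10.0.1.1"}  # only one of alice's locators was listed
    return {
        "id_only": acl_by_id(pkt, allowed_ids),
        "loc_only": acl_by_loc(pkt, allowed_locs),
        "id_verified": acl_by_id_verified(pkt, allowed_ids, MAPPING),
    }

# Constructed packets: alice from each of her locators, and alice's ID forged
# by a sender that keeps its own (unregistered) locator so replies still reach it.
ALICE_LOC1 = Packet("id:alice", "loc:10.0.1.1")
ALICE_LOC2 = Packet("id:alice", "loc:10.0.2.1")
FORGED_ID = Packet("id:alice", "loc:203.0.113.9")

if __name__ == "__main__":
    for name, pkt in (("alice/loc1", ALICE_LOC1), ("alice/loc2", ALICE_LOC2), ("forged", FORGED_ID)):
        print(name, evaluate(pkt))
```

The ID-only rule admits the forged packet, the locator-only rule rejects alice's second locator because it was never listed, and only the mapping-verified rule gets all three cases right, at the cost of the extra lookup the message mentions.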
