HIT and ACLs (was Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt)

marcelo bagnulo braun <marcelo@it.uc3m.es> Mon, 05 June 2006 16:20 UTC

In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D01A2F2DA@XCH-NW-5V1.nw.nos.boeing.com>
References: <77F357662F8BFA4CA7074B0410171B6D01A2F2DA@XCH-NW-5V1.nw.nos.boeing.com>
Message-Id: <e797b443cd9e619a78ac360e503e95b9@it.uc3m.es>
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: HIT and ACLs (was Re: [Int-area] Progress on draft-laganier-ipv6-khi-01.txt)
Date: Mon, 05 Jun 2006 19:20:38 +0300
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
Cc: Internet Area <int-area@ietf.org>

Hi Tom,

A question about this point...

On 05/06/2006, at 7:35, Henderson, Thomas R wrote:
>
> It is not only local handles where this matters; in fact, as you point
> out, it may not matter much there at all.  However, think about using
> HITs instead of IPv6 addresses in ACLs;

I am not sure I understand in which situations this can be practical...

There are at least two things that I am not sure how to deal with in this case:
- First, HITs are not carried in every packet (as opposed to IP addresses), so you could only have ACLs based on HITs on the end system (meaning that you cannot have e.g. an ACL on a firewall that is inspecting traffic to verify what is filtered, right?), or are you considering the case where the firewall keeps track of the HIP exchange?
- Second, I guess that in order to be useful it should be possible to aggregate the HITs so that you could define blocks in the ACL. I mean a plain namespace like HITs seems kind of impractical, since you would need to detail each and every host in the ACL. I guess that for this, the type 2 HITs would be really needed...


Regards, marcelo
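
The two concerns in the message above (a firewall only sees HITs during the HIP exchange, and a flat HIT namespace does not aggregate), modelled as an added example. This is not code from the thread, from the KHI draft or from any HIP implementation; the firewall model, the binding of a data flow to HITs via addresses plus ESP SPI, and all addresses, HITs and SPIs are constructed for illustration.

```python
"""Added illustration of two ACL concerns with HITs; constructed model, not
code from the thread or from any HIP implementation.

Point 1: an IPv6 address is in every packet, so a firewall can filter on it
per packet.  A HIT is only visible in the HIP control exchange; a firewall can
filter data traffic on HITs only if it recorded that exchange and bound the
data flow to the HITs it saw (modelled here as addresses plus ESP SPI).

Point 2: IPv6 entries aggregate into prefixes; flat HITs need one entry each.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str                                # IPv6 source address (on every packet)
    dst: str                                # IPv6 destination address
    hits: Optional[Tuple[str, str]] = None  # (src HIT, dst HIT): HIP control packets only
    spi: Optional[int] = None               # ESP SPI of the data flow set up / carried


class HipAwareFirewall:
    """Constructed firewall that tries to apply both address and HIT rules."""

    def __init__(self, deny_prefixes, deny_hits):
        self.deny_prefixes = [ipaddress.ip_network(p) for p in deny_prefixes]
        self.deny_hits = set(deny_hits)
        # Association state learned by watching the HIP exchange:
        # (src addr, dst addr, SPI) -> (src HIT, dst HIT)
        self.assoc: Dict[Tuple[str, str, int], Tuple[str, str]] = {}

    def decide_by_address(self, pkt: Packet) -> str:
        """Classic ACL: usable on any packet, aggregates by prefix."""
        src = ipaddress.ip_address(pkt.src)
        return "deny" if any(src in net for net in self.deny_prefixes) else "permit"

    def decide_by_hit(self, pkt: Packet) -> str:
        """HIT ACL: needs a HIT, which data packets do not carry."""
        if pkt.hits is not None:
            # Control packet: HITs are visible.  Remember which data flow
            # (addresses + SPI) they belong to, then filter on the source HIT.
            if pkt.spi is not None:
                self.assoc[(pkt.src, pkt.dst, pkt.spi)] = pkt.hits
            src_hit = pkt.hits[0]
        else:
            bound = self.assoc.get((pkt.src, pkt.dst, pkt.spi))
            if bound is None:
                # No exchange seen for this flow: the HIT rule cannot be applied.
                return "no-hit-visible"
            src_hit = bound[0]
        return "deny" if src_hit in self.deny_hits else "permit"


def acl_entries_needed(host_addrs, host_hits) -> Tuple[int, int]:
    """Entries needed to list the same hosts by address and by HIT.
    Adjacent IPv6 hosts collapse into a prefix; flat HITs do not collapse."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in host_addrs))
    return len(nets), len(set(host_hits))


def demo() -> dict:
    # Constructed sample data: documentation-prefix addresses, made-up HITs and SPI.
    bad_hit = "2001:10::c0ff:ee00:0000:0001"
    fw = HipAwareFirewall(deny_prefixes=["2001:db8:bad::/48"], deny_hits={bad_hit})

    # Data packet arriving before any HIP exchange was observed for this flow.
    data = Packet("2001:db8:bad::5", "2001:db8::1", spi=0x1234)
    before = (fw.decide_by_address(data), fw.decide_by_hit(data))

    # The exchange is seen: HITs become visible and the flow gets bound.
    ctrl = Packet("2001:db8:bad::5", "2001:db8::1",
                  hits=(bad_hit, "2001:10::0000:0000:0000:0002"), spi=0x1234)
    ctrl_verdict = fw.decide_by_hit(ctrl)
    after = fw.decide_by_hit(data)

    # Four hosts: one /126 by address, four separate entries by HIT.
    hosts = [f"2001:db8:bad::{i}" for i in range(4, 8)]
    hits = [f"2001:10::{i:04x}" for i in range(4, 8)]
    return {"before": before, "ctrl": ctrl_verdict, "after": after,
            "entries": acl_entries_needed(hosts, hits)}


if __name__ == "__main__":
    print(demo())
```

The address rule fires on the very first data packet, while the HIT rule returns "no-hit-visible" until the firewall has seen the control exchange for that flow; afterwards both agree. The entry count (1 versus 4) is the aggregation problem from the second point: the address list collapses to a single prefix, the HIT list does not.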

