Re: Comments on draft-lindem-ospfv3-dest-filter-01.txt
Hi Acee,
> It's true the same could be accomplished with one or more
> ACL(s). However, if the same approach is taken for every
> protocol/service one could end up having to configure and maintain
> quite an extensive administrative ACL (i.e., an ACL applied to packets
> to be delivered locally as opposed to all packets received on
> an interface).
> One thing that started us thinking about the problem and the elegance of
> simply rejecting all packets without a link-local destination was the OSPF
> vulnerabilities work going on in the RPSEC group. With that work in mind, it
> seemed natural to have a single mechanism built into OSPFv3. One could use
> a knob (so you'd know whether or not virtual link could be configured) or
> simply always have the check in force when no virtual links are configured
> at the level of application. Finally, dependent on the implementation and
> where/how the ACL(s) is/are applied this solution could be cheaper and
> simpler (I know I've opened myself up to all of those who are going to tell
> me how well they've implemented their ACLs ;^).
Sounds reasonable to me. I don't see any harm in publishing
this document. What is the status that this document is
seeking? Informational or BCP?
Regards
Mukesh
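
The destination check discussed in the quoted text, sketched as an added example that is not part of the original thread or of the draft. The struct, field and function names are hypothetical, and letting every destination through when virtual links are configured is an assumption drawn from the "knob" remark above.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-scope state; the thread only says the check applies
 * "when no virtual links are configured". */
struct ospf6_scope {
    bool virtual_links_configured;
};

/* Link-local unicast (fe80::/10) or link-local-scope multicast (ffx2::/16).
 * The latter covers AllSPFRouters (ff02::5) and AllDRouters (ff02::6). */
static bool dst_is_link_local(const struct in6_addr *dst)
{
    const unsigned char *b = dst->s6_addr;
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80)
        return true;
    return b[0] == 0xff && (b[1] & 0x0f) == 0x02;
}

/* Returns true to accept, false to drop. Unparseable input is dropped. */
bool ospf6_dest_filter(const struct ospf6_scope *scope, const char *dst_text)
{
    struct in6_addr dst;
    if (inet_pton(AF_INET6, dst_text, &dst) != 1)
        return false;
    /* Assumption: with virtual links configured, non-link-local
     * destinations are legitimate, so the filter stands aside. */
    if (scope->virtual_links_configured)
        return true;
    return dst_is_link_local(&dst);
}

int main(void)
{
    /* Constructed sample destinations, not taken from the thread. */
    const char *samples[] = { "fe80::1", "ff02::5", "2001:db8::1", "ff05::5" };
    struct ospf6_scope no_vlink = { .virtual_links_configured = false };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i],
               ospf6_dest_filter(&no_vlink, samples[i]) ? "accept" : "drop");
    return 0;
}
```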