
Re: Comments on draft-lindem-ospfv3-dest-filter-01.txt



Hi Mukesh,
I guess I'd put the question of status to the WG and it
depends on how useful everyone thinks it is. I'm also
going to post it to the RPSEC WG since I believe they've
accepted the OSPF Vulnerabilities draft.

Thanks,
Acee

----- Original Message -----
From: <Mukesh.Gupta at NOKIA.COM>
To: <OSPF at PEACH.EASE.LSOFT.COM>
Sent: Wednesday, May 12, 2004 1:09 PM
Subject: Re: Comments on draft-lindem-ospfv3-dest-filter-01.txt


Hi Acee,

> It's true the same could be accomplished with one or more
> ACL(s). However, if the same approach is taken for every
> protocol/service one could end up having to configure and maintain
> quite an extensive administrative ACL (i.e., an ACL applied to packets
> to be delivered locally as opposed to all packets received on
> an interface).
> One thing that started us thinking about the problem and the
> elegance of simply rejecting all packets without a link-local
> destination was the OSPF vulnerabilities work going on in the
> RPSEC group. With that work in mind, it seemed natural to have a
> single mechanism built into OSPFv3. One could use a knob (so you'd
> know whether or not virtual link could be configured) or simply
> always have the check in force when no virtual links are configured
> at the level of application. Finally, dependent on the implementation
> and where/how the ACL(s) is/are applied this solution could be cheaper
> and simpler (I know I've opened myself up to all of those who are
> going to tell me how well they've implemented their ACLs ;^).

Sounds reasonable to me.  I don't see any harm in publishing
this document.  What is the status that this document is
seeking?  Informational or BCP?

Regards
Mukesh
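
The destination check described in the quoted text above, sketched in C as an added example (not code from the draft or from either poster). The struct, the function names, and the treatment of link-local-scope multicast such as ff02::5 as a link-local destination are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-instance state; the struct and field names are assumptions. */
struct ospf6_instance {
    unsigned int virtual_link_count;   /* number of configured virtual links */
};

/* fe80::/10, link-local unicast */
static bool is_link_local_unicast(const uint8_t a[16])
{
    return a[0] == 0xfe && (a[1] & 0xc0) == 0x80;
}
/* ffX2::/16, multicast with link-local scope (e.g. ff02::5, AllSPFRouters) */
static bool is_link_local_multicast(const uint8_t a[16])
{
    return a[0] == 0xff && (a[1] & 0x0f) == 0x02;
}

/* Decide whether a locally delivered OSPFv3 packet passes the destination check. */
bool ospf6_dest_accept(const struct ospf6_instance *inst, const uint8_t dst[16])
{
    /* The check is only in force when no virtual links are configured. */
    if (inst->virtual_link_count > 0)
        return true;
    return is_link_local_unicast(dst) || is_link_local_multicast(dst);
}

/* Text-address wrapper: 1 = accept, 0 = drop, -1 = unparsable address. */
int ospf6_dest_accept_str(unsigned int vlinks, const char *dst)
{
    struct in6_addr a;
    struct ospf6_instance inst = { .virtual_link_count = vlinks };
    if (inet_pton(AF_INET6, dst, &a) != 1)
        return -1;
    return ospf6_dest_accept(&inst, a.s6_addr) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample destinations (2001:db8::/32 is documentation space). */
    const char *dsts[] = { "fe80::1", "ff02::5", "2001:db8::1", "ff05::5" };
    for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++)
        printf("%-12s no-vlinks=%d one-vlink=%d\n", dsts[i],
               ospf6_dest_accept_str(0, dsts[i]), ospf6_dest_accept_str(1, dsts[i]));
    return 0;
}
```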