
About dest MAC@



Still some thoughts about filtering and the need of MAC@:

- If the IRD is a Host, indeed MAC filtering is not needed (it may of
course improve the receiver capacities), but IP level filtering is
enough.
- If the IRD is itself a router, there is still the case (that may be
of (most?) common usage ??) that the network behind it is a
leaf-network, and by no means a transit network. In this case, the router
acts as a CPE, and usually "knows" what is behind it, let's say
my_site_prefix::/48. The firewall rule with something like
  100 deny ipv6 from any to !my_site_prefix::/48 via dvb0 in
will give the needed filtering, without any MAC address needed.

or even a mechanism based on the redirect-conditions, I mean if this is
a CPE, it will have a typical ::/0 route through the logical dvb
interface (that can use SPCP, RCS, whatever means for the return link),
and a packet not addressed to a host present in the site will be
naturally forwarded through the dvb interface, which is a potential case
for a redirect (i.e. same ingoing/outgoing interface).
If the interface is configured with a feature such as:
  - if the redirect conditions match, then DROP packet silently
It will perform the same filtering as above but without the /48
delegation stored into a firewall rule (sort of RPF check), which is even
more cool.

Your thoughts?
Regards.
Alain.
--
Alain RITOUX
Tel +33-1-39-30-92-32
Fax +33-1-39-30-92-11
visit our web http://www.6wind.com
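
The two filters described in the message, modelled side by side as an added example (not part of the original post and not 6WIND code). The site prefix 2001:db8:1::/48, the routing table and all function names are constructed assumptions; only unicast destinations are modelled.

```python
import ipaddress

# Constructed stand-in for my_site_prefix::/48 (documentation prefix).
SITE_PREFIX = ipaddress.ip_network("2001:db8:1::/48")

# Hypothetical CPE routing table: two site LANs plus ::/0 via the dvb interface.
ROUTES = [
    (ipaddress.ip_network("2001:db8:1:10::/64"), "eth0"),
    (ipaddress.ip_network("2001:db8:1:20::/64"), "eth1"),
    (ipaddress.ip_network("::/0"), "dvb0"),
]


def egress_interface(dst):
    """Longest-prefix match over ROUTES, returning the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifname) for net, ifname in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def prefix_rule(dst, in_if):
    """Model of: deny ipv6 from any to !my_site_prefix::/48 via dvb0 in."""
    if in_if == "dvb0" and ipaddress.ip_address(dst) not in SITE_PREFIX:
        return "DROP"
    return "ACCEPT"


def redirect_rule(dst, in_if):
    """Silent drop when the redirect condition holds (egress == ingress)."""
    if in_if == "dvb0" and egress_interface(dst) == in_if:
        return "DROP"
    return "ACCEPT"


def compare(destinations, in_if="dvb0"):
    """Return (dst, prefix verdict, redirect verdict) for each destination."""
    return [(d, prefix_rule(d, in_if), redirect_rule(d, in_if))
            for d in destinations]


if __name__ == "__main__":
    # Constructed sample destinations seen on the DVB downlink.
    samples = ["2001:db8:1:10::5",   # host on a routed site LAN
               "2001:db8:2::1",      # another site's traffic
               "2001:db8:1:99::1"]   # inside the /48, but no specific route
    for row in compare(samples):
        print(*row)
```

The third sample shows where the two approaches differ: an address inside the delegated /48 with no more-specific route passes the prefix rule but is dropped by the redirect-condition check, because it falls through to the ::/0 route on dvb0.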