"Craig A. Huegen" wrote:
>
> On Wed, 21 May 2003, Michel Py wrote:
>
> > Yep. In the end, a specific announcement being filtered and sending the
> > traffic to a different entry point than it should have results in paying
> > three times transit for the traffic:
>
> ...keep in mind that this breaks stateful firewalling too, unless state is
> shared across the entire network (which is pretty significant when
> you're talking about passing and replicating messages for every single
> connection out of the network).

And people wonder why we say that state is evil, and distributed state is more evil. I don't think we should design policy for stateful firewalls.

I think we're drifting away from the question of what the policy should say. The point, I think, was to ease the wording to allow for giving /32s in any case where common sense would allow it.

Brian