[rbridge] TTL only - was RE: New fields in shim header?
Eric.Gray at marconi.com
Fri Oct 13 09:01:38 PDT 2006
I agree with Joe, and - to add to what he says - the entire RBridge
domain must fall within a single administrative domain. Consequently,
any such filtering can (and most reasonably would) be done at ingress.
However, as Joe's comment indicates, it is always possible to do this
filtering based on the "inner" header. Therefore, it is easy to see
that we can treat this concern as "out of scope."
Joe Touch wrote:
> Silvano Gai wrote:
> > In today's Ethernet I can write an ACL on the pair Source, Dest MAC
> > address, and many network managers find this extremely useful, but I
> > will not be able to do that on the RBridge addresses, if I have only
> > one.
> > When an RBridge receives a unicast frame, with the current proposal it
> > cannot screen it according to the ingress RBridge and this is a big
> > security hole.
> That's trivial to spoof, so it's not a security issue per se. If there
> is any filtering based on an address, it ought to be at the inner
> address (which is already paired) anyway. If this is just for ACLs, it
> seems like a thin reason.
... [SNIP] ...