Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!snorkelwacker!bu.edu!bu-it!kwe
From: kwe@bu-it.bu.edu (Kent England)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Security services in border GWs
Message-ID: <58225@bu.edu.bu.edu>
Date: 4 Jun 90 16:04:18 GMT
References: <25040@usc.edu>
Sender: news@bu.edu.bu.edu
Reply-To: kwe@bu-it.bu.edu (Kent England)
Organization: Boston University
Lines: 40

In article <25040@usc.edu>, tsudik@pollux.usc.edu (Gene Tsudik) writes:
>
> The inadequacies of the gateway-based filtering have been discussed in a number
> of recent messages. ...
>
> Phil Karn's point of view, there should be no such things as "unprotected"
> end-systems in the first place. Alternatively, if there is a need to preclude
> any kind of external access to strictly-internal end-systems, border
> gateway-based mechanisms can be employed to restrict incoming traffic to
> only exposed end-systems. This can be done with complete transparency to
> the internal (unprotected) end-systems.
>

What is the essential difference between "routing" (including policy-based
routing) and "access control lists"? Might the boundary be slightly fuzzy?
It seems so to me, at least as far as IP address is concerned.

For example, if there is a stub domain connected to some transit routing
domain, and the stub advertises routes for nets A and B to the transit net
(and the transit accepts), should the transit network filter source
addresses to exclude all sources except nets A and B? Source address
filtering is currently considered to be part of "access control" and not of
"routing" (at least it seems so to me from current implementations and
Requirements RFCs). If the transit domain does not include source addresses
in the routing decision, then the transit domain's routing policy can be
overridden by the stub domain, through back-doors and side-doors. This is,
of course, a current problem in the Internet.

If one were to say that source address filtering at borders should be done,
then I think we may have redefined a part of "access control lists" into
"routing". Perhaps today's access control list feature is tomorrow's Router
Requirement? (And so Gene and Phil are both right.)

--Kent England
  Boston University
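The stub/transit scenario in the post, worked through as an added example (this is not code from the original message or from any router implementation). It derives a per-interface source filter from the very same accepted-route list that builds the destination RIB, then shows the difference between forwarding on destination alone and forwarding with the source check applied. The prefixes, the interface names "stub1"/"stub2", the sample packets and the helper names are all constructed for the example.

```python
"""
Destination-only forwarding versus source-address (ingress) filtering at a
transit border.  Added example, not code from the original post; prefixes,
interface names and packets are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Routes the transit accepted from each stub customer, keyed by the
# interface that customer attaches on.  "stub1" advertised nets A and B,
# "stub2" advertised net C.  (Constructed values; hypothetical interfaces.)
ACCEPTED_ROUTES: Dict[str, List[str]] = {
    "stub1": ["192.0.2.0/25", "192.0.2.128/25"],  # nets A and B
    "stub2": ["198.51.100.0/24"],                 # net C
}

Net = ipaddress.IPv4Network


def build_rib(accepted: Dict[str, List[str]]) -> List[Tuple[Net, str]]:
    """Destination-based RIB as (prefix, egress interface), longest prefix first."""
    rib = [(ipaddress.ip_network(p), iface)
           for iface, prefixes in accepted.items() for p in prefixes]
    rib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return rib


def lookup(rib: List[Tuple[Net, str]], dst: str) -> Optional[str]:
    """Plain routing: the egress is chosen from the destination address only."""
    addr = ipaddress.ip_address(dst)
    for net, iface in rib:
        if addr in net:
            return iface
    return None


def build_ingress_filters(accepted: Dict[str, List[str]]) -> Dict[str, List[Net]]:
    """Per-interface source filter: permit only the prefixes that customer
    advertised and the transit accepted.  It is built from the same data as
    the RIB, which is the sense in which it can be called 'routing'."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in accepted.items()}


def source_permitted(filters: Dict[str, List[Net]], in_iface: str, src: str) -> bool:
    """True if src lies in a prefix accepted from the interface it arrived on."""
    nets = filters.get(in_iface)
    if nets is None:
        return True  # not a customer edge; no ingress filter there (assumption)
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def forward(rib, filters, in_iface: str, src: str, dst: str,
            ingress_filter: bool) -> str:
    """Return the egress interface, or 'drop'."""
    if ingress_filter and not source_permitted(filters, in_iface, src):
        return "drop"
    return lookup(rib, dst) or "drop"


RIB = build_rib(ACCEPTED_ROUTES)
FILTERS = build_ingress_filters(ACCEPTED_ROUTES)

# Constructed packets, all arriving on stub1's interface:
#   legit    - source in net A, which stub1 advertised
#   spoofed  - source in net C, another customer's prefix
#   backdoor - source in a prefix nobody advertised to this transit, e.g.
#              traffic stub1 picked up over a side connection elsewhere
SAMPLE_PACKETS: Dict[str, Tuple[str, str, str]] = {
    "legit":    ("stub1", "192.0.2.10",   "198.51.100.7"),
    "spoofed":  ("stub1", "198.51.100.9", "198.51.100.7"),
    "backdoor": ("stub1", "203.0.113.5",  "198.51.100.7"),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """For each packet: (decision on destination only, decision with the
    source filter).  Destination-only routing forwards all three; the
    filter drops the two whose source stub1 never advertised."""
    return {
        name: (forward(RIB, FILTERS, *pkt, ingress_filter=False),
               forward(RIB, FILTERS, *pkt, ingress_filter=True))
        for name, pkt in SAMPLE_PACKETS.items()
    }


if __name__ == "__main__":
    for name, (plain, filtered) in run_samples().items():
        print(f"{name:9s} routing-only={plain:6s} with-source-filter={filtered}")
```

The filter is exactly as correct as the accepted-route set it is derived from: a multihomed stub that legitimately emits packets sourced from a prefix it did not advertise to this transit gets dropped at "stub1", which is the operational price of folding source checks into routing. The same idea was later written up as ingress filtering in BCP 38 (RFC 2827), which is outside the post itself.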