ip6tables and multiple possible source addresses
Ivan Shmakov
oneingray at gmail.com
Wed Jan 18 14:03:35 CET 2012
>>>>> Gert Doering <gert at space.net> writes:
>>>>> On Tue, Jan 17, 2012 at 05:04:00PM -0800, Tom Perrine wrote:
>> When writing a host-specific ip6tables rule, which address do you
>> need to list? All of the possible Global Scoped addresses?
> Maybe this is an indication that host-specific ipv6 firewall rules
> for "only certain hosts in an otherwise non-trusted /64 subnet" is a
> stupid idea right from the start...
> Of course it's completely unheard-of that evil host A could impersonate
> trusted host B's address to circumvent these rules.
I tend to agree with that. It makes little sense to use IP
addresses for authentication nowadays, as, e. g., Kerberos and
X.509-based authentication allow for way more secure and
flexible operation.
--
FSF associate member #7257