Brian Lloyd <brian @
# I agree Lars, but it is even simpler than that. We just need to convince
# router manufacturers what is necessary and sufficient for specifying filter
# rules. It has been *VERY* difficult to get router manufacturers to listen.
Right. I'm willing to cope with differences in specification syntax
and semantics, as long as I can specify roughly the same things.
# Atomic filters specs for IP/TCP/UDP need to encompass the following
# 1. Interface
# 2. Direction (inbound/outbound on interface)
# 3. Source IP address
# 4. Source IP address mask
# 5. Destination IP address
# 6. Destination IP address mask
# 7. Protocol (UDP, TCP, ICMP, etc.)
# 8. Source port [range]
# 9. Destination port [range]
# 10. Pass/reject the packet if it matches the filter
# For ICMP you need to substitute the following for 8 & 9 above:
# 8'. ICMP message type
# 9'. ICMP message subtype
This is, I believe, a correct "least common denominator" that I'd be
absolutely thrilled if all vendors implemented.
# To construct rule sets you need to order the atomic filter specs. Due to
# possible undesired interactions the filter "builder" needs to be able to
# order the atomic filter rules to produce the final rule set.
This is an absolutely critical point. Building filters is already
hard enough; I don't need the vendors to "help" me by making me
second-guess what order their router is going to apply my rules in.
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041