We're considering opening a tunnel through our firewall for MBONE, which
uses encapsulated IP to move multicasts over nonmulticast networks.
We'd like to use an SGI machine as our tunnel endpoint, and the question
arises what security holes are we opening up.
Some time ago Shawn Instenes sent a message to the firewalls list
addressing MBONE through firewalls, and explained that at least the
Sun implementation to support encapsulated IP dropped any
non-multicast encapsulated packets. Unfortunately there doesn't seem
to be source available for the SGI implementation, so I can't verify
if it works similarly.
Does anyone know how SGI's handle encapsulated IP? If they do accept
non multicast encapsulated IP, can I at least prevent it from forwarding
it to other hosts on my network by turning off ipforwarding?
Thanks,
Bob Schwartzkopf
bobs @
rand .
org
|
|
