Firewalls: Re: P50 summary

Firewalls
(July 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: P50 summary
From:	Matthew Keenan <matt @ firstpac . com . au>
Date:	Sat, 6 Jul 1996 13:59:48 +1000 (EST)
To:	gfm @ readybox . com (Frank McCormick)
Cc:	firewalls @ GreatCircle . COM
In-reply-to:	<199607050452 . VAA26650 @ angel . readybox . com> from "Frank McCormick" at Jul 4, 96 09:52:45 pm

Frank McCormick wrote this...

[snip]

> Source-routed packets and the Ascend P50
> ----------------------------------------

[snip]

> To be fair, Ascend's design choice -- kill before filtering -- is a
> reasonable one.  By definition, Ascend's static filtering rules are
> ill equipped to deal sensibly with variable-length option data.
> Source-routing options can, in practice, show up at differing
> offsets in the packets, whereas an Ascend-style "generic" filter can
> look only at fixed locations.

ahh so then you could turn on something like IP record route and your
filter wouldnt work anymore? (because the offsets are all "wrong")
someone have the tools/time to test this?

			Matt
-- 
Matthew Keenan    Network Administrator    First Pacific Stockbrokers
			  Sydney,  Australia

References:

P50 summary
From: Frank McCormick <gfm @ readybox . com>

Indexed By Date	Previous:	Re: Secure Virtual Intranets From: "Todd Glassey, Consultant" <tglassey @ earthlink . net>
Indexed By Date	Next:	Help me (DHCP) Dynamic host configuration protocol From: Martin Blouin <mblouin @ mat . ulaval . ca>
Indexed By Thread	Previous:	P50 summary From: Frank McCormick <gfm @ readybox . com>
Indexed By Thread	Next:	special case ips From: Robert Hanson <roberth @ cet . com>