Subject: Re: making our tcp/ip a strong-end system
To: None <lucio@proxima.alt.za>
From: Stefan Grefen <grefen@hprc.tandem.com>
List: tech-net
Date: 11/12/1998 11:17:45
In message <199811120932.LAA11933@myrtle.proxima.alt.za>  Lucio de Re wrote:
> According to Alan Barrett:
> > 
> > Or mark individual IP addresses `strong' or `weak'; see below for
> > justification.
> > 
> > [ explanation omitted ]
> 
> I find Alan's suggestion very seductive.  In particular, Ted Lemon has 
> often complained that it is impossible to determine on which interface 
> a packet has "originated", which Alan's suggestion of keeping around 
> the associated interface ID for each "strong" IP number may assist in 
> determining.

You have to be very careful with routes, because the basic assumption is always
that a system routes at least internally. If you use it for a firewall
system on separated networks, you can get the same result by using ipf.
The security gain is not too much compared to ipf (e.g. I can still send
an ICMP redirect and routing is still based on destination address, so
data can go out the wrong interface just because the route to the destination
address is on the wrong network).

The fix for that is to run multiple different IP subsystems in a
system. I do have that code, I'll try and see if I can release it.
A temporary fix is to use ipf (and a faster system, because it eats
more resources).

Stefan


> 
> ++L
> 

--
Stefan Grefen                                Tandem Computers Europe Inc.
grefen@hprc.tandem.com                       High Performance Research Center
 --- Hacking's just another word for nothing left to kludge. ---
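The point Stefan makes above (a "strong" check on the receive side does not stop a reply from leaving on the wrong interface, because the egress interface comes from a destination-only route lookup, and an honoured ICMP redirect can move that route) is easier to see in a toy model. The following is an added illustration, not code from this thread or from NetBSD; the interface names le0/le1, the addresses (taken from the RFC 5737 documentation ranges) and the routing table are constructed sample values, and the "weak"/"strong" accept rule follows the RFC 1122 end-system models discussed in the thread.

```python
"""Toy model of a two-homed host's forwarding decisions.

Shows (1) a strong-end accept check on ingress, (2) that egress is chosen
purely by destination route lookup, so the source address may not belong to
the egress interface, and (3) that honouring an ICMP redirect installs a
host route that changes the egress interface.  Constructed example only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None   # None means directly connected


@dataclass
class Host:
    ifaces: dict                    # interface name -> ip_interface (address/prefix)
    routes: list = field(default_factory=list)

    def iface_owning(self, addr):
        """Interface whose configured address equals addr, or None."""
        a = ipaddress.ip_address(addr)
        for name, cfg in self.ifaces.items():
            if cfg.ip == a:
                return name
        return None

    def accept(self, ingress, dst, model):
        """Receive-side check.  'weak': any local address is fine on any
        interface; 'strong': dst must be the address of the ingress interface."""
        owner = self.iface_owning(dst)
        if owner is None:
            return False            # not addressed to this host at all
        return owner == ingress if model == "strong" else True

    def lookup(self, dst):
        """Longest-prefix match over the routing table (destination only)."""
        d = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def egress(self, src, dst):
        """Send-side decision: the route picks the interface; the source
        address plays no part.  Returns (iface, src_belongs_to_iface)."""
        r = self.lookup(dst)
        if r is None:
            return None, False
        return r.iface, (self.iface_owning(src) == r.iface)

    def apply_redirect(self, dst, new_gateway):
        """Effect of honouring an ICMP redirect for dst: a host route via
        new_gateway, out whichever interface reaches new_gateway."""
        r = self.lookup(new_gateway)
        if r is None:
            return False
        self.routes.append(Route(ipaddress.ip_network(dst + "/32"), r.iface, new_gateway))
        return True


def build_sample_host():
    """Two-homed host with constructed addresses: le0 'inside', le1 'outside'."""
    h = Host(ifaces={
        "le0": ipaddress.ip_interface("192.0.2.10/24"),
        "le1": ipaddress.ip_interface("198.51.100.10/24"),
    })
    h.routes = [
        Route(ipaddress.ip_network("192.0.2.0/24"), "le0"),
        Route(ipaddress.ip_network("198.51.100.0/24"), "le1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "le1", "198.51.100.1"),  # default via outside
    ]
    return h


def demo():
    h = build_sample_host()
    results = {}
    # Ingress: the strong model rejects a packet for le0's address arriving on le1.
    results["weak_accepts"] = h.accept("le1", "192.0.2.10", "weak")
    results["strong_accepts"] = h.accept("le1", "192.0.2.10", "strong")
    # Egress: a reply sourced from le0's address to a non-local destination
    # still leaves via le1, because only the destination is consulted.
    iface, src_on_egress = h.egress("192.0.2.10", "203.0.113.5")
    results["egress"] = iface
    results["src_on_egress"] = src_on_egress
    # Honouring a redirect for that destination via a gateway on le0 moves the
    # egress to le0: the routing table, not the interface binding, decides.
    h.apply_redirect("203.0.113.5", "192.0.2.1")
    results["egress_after_redirect"] = h.egress("192.0.2.10", "203.0.113.5")[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `src_on_egress` flag is the check a per-address "strong" implementation would need on the send side as well; without it, and without refusing redirects at the host, the ingress check alone gives the small gain over ipf that the message describes.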