Subject: Re: [patch] source-address selection
To: None <tech-net@NetBSD.org>
From: David Young <dyoung@pobox.com>
List: tech-net
Date: 09/06/2006 17:55:32
On Wed, Sep 06, 2006 at 03:02:44PM -0400, Thor Lancelot Simon wrote:
> On Wed, Sep 06, 2006 at 01:26:44PM -0500, David Young wrote:
> > 
> > As Mihai said, you can still bind any address you like.  It would be easy
> > to extend the source-selection patch so that it considered addresses on
> > interfaces other than the output interface; however, I leave that up to
> > somebody else.
> 
> If you do this, please _do not_ make such behavior the default; you might
> consider making it emit a warning.  This takes us even further away from
> the strong host model preferred by most network security folks, and
> required by policy in some environments (I have personally had to patch
> NetBSD kernels to enforce strong host semantics before a client's security
> staff would allow them to be run on their network).

If anybody is interested in doing this work, I may be able to help.
Somewhere I have some notes on where to enforce strong-host semantics
in the kernel.

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933