Subject: Re: [patch] source-address selection
To: None <tech-net@NetBSD.org>
From: David Young <firstname.lastname@example.org>
Date: 09/06/2006 17:55:32
On Wed, Sep 06, 2006 at 03:02:44PM -0400, Thor Lancelot Simon wrote:
> On Wed, Sep 06, 2006 at 01:26:44PM -0500, David Young wrote:
> > As Mihai said, you can still bind any address you like. It would be easy
> > to extend the source-selection patch so that it considered addresses on
> > interfaces other than the output interface; however, I leave that up to
> > somebody else.
> If you do this, please _do not_ make such behavior the default; you might
> consider making it emit a warning. This takes us even further away from
> the strong host model preferred by most network security folks, and
> required by policy in some environments (I have personally had to patch
> NetBSD kernels to enforce strong host semantics before a client's security
> staff would allow them to be run on their network).
If anybody is interested in doing this work, I may be able to help.
Somewhere I have some notes on where to enforce strong-host semantics
in the kernel.
David Young OJC Technologies
email@example.com Urbana, IL * (217) 278-3933
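To make the strong- vs weak-host distinction under discussion concrete, here is an added illustration (not NetBSD code and not from anyone in this thread): a toy source-selection routine that, in strong-host mode, only considers addresses on the output interface and fails rather than borrowing one from another interface, plus the inbound counterpart that only accepts a destination assigned to the arriving interface. The interface table, names (`wm0`, `wm1`, `gif0`) and addresses are constructed for the example.

```c
/* Added example: strong- vs weak-host address policy over a constructed
 * interface table. IPv4 addresses are host-order uint32_t; "struct ifc"
 * is a hypothetical stand-in for the kernel's interface structure. */
#include <stdint.h>
#include <stddef.h>

#define MAX_ADDRS 4

struct ifc {
    const char *name;
    uint32_t addr[MAX_ADDRS];   /* configured addresses, 0 = unused slot */
};

enum host_model { WEAK_HOST, STRONG_HOST };

/* Constructed table: two numbered interfaces and one unnumbered tunnel. */
static const struct ifc ifs[] = {
    { "wm0",  { 0xC0A80101 } },  /* 192.168.1.1 */
    { "wm1",  { 0x0A000001 } },  /* 10.0.0.1 */
    { "gif0", { 0 } },           /* no address of its own */
};
#define NIFS (sizeof ifs / sizeof ifs[0])

/* Pick a source address for a packet leaving ifs[out_if].
 * Strong host: only addresses on out_if qualify; 0 means "none, fail".
 * Weak host: fall back to the first address found on any interface. */
uint32_t select_source(size_t out_if, enum host_model model)
{
    for (size_t a = 0; a < MAX_ADDRS; a++)
        if (ifs[out_if].addr[a] != 0)
            return ifs[out_if].addr[a];
    if (model == STRONG_HOST)
        return 0;
    for (size_t i = 0; i < NIFS; i++)
        for (size_t a = 0; a < MAX_ADDRS; a++)
            if (ifs[i].addr[a] != 0)
                return ifs[i].addr[a];
    return 0;
}

/* Inbound check: may a packet arriving on ifs[in_if] be delivered to dst?
 * Strong host: dst must be assigned to in_if itself.
 * Weak host: any address the host owns on any interface is accepted. */
int accept_local_dst(uint32_t dst, size_t in_if, enum host_model model)
{
    for (size_t i = 0; i < NIFS; i++) {
        if (model == STRONG_HOST && i != in_if)
            continue;
        for (size_t a = 0; a < MAX_ADDRS; a++)
            if (ifs[i].addr[a] == dst)
                return 1;
    }
    return 0;
}
```

The unnumbered `gif0` case is where the two models diverge: weak-host selection silently borrows `wm0`'s address, while strong-host selection returns 0 and leaves it to the caller to fail the send.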