-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Havard" == Havard Eidnes <Havard.Eidnes@runit.sintef.no> writes:
    Havard> Hm, if I have understood what the "strong host model" is
    Havard> about, I think there is a place for a "strong router
    Havard> model" too.  The corresponding function in a router would
    Havard> be to refuse to forward a packet entering an interface if
    Havard> the router did not have a route for the source address in
    Havard> the packet pointing back out the same interface the packet
    Havard> entered on.
 
  This is often called ingress filtering. The method that you propose
to use is the correct one, but it needs to implemented properly. Given
that a strong router probably also wants to be a strong host, I
suspect it may be time to build (or extend the PCB hash) to handle
caching these decisions.

  [The company I'm currently working for, Solidum Systems actually
provides hardware to do this and other things, and we'll have a NetBSD
driver before Xmas for the card that will likely to exactly this as
its first sample application]

]     Internet Security. Have encryption, will travel           |1 Fish/2 Fish[
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |Red F./Blow F[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQBVAwUBNkZEZh4XQavxnHg9AQG8pwH/bVutJJBewJzcmGZMPGVuNbOFNuXEVYGO
PWWtz6QxO0xKBO5zcfCsybCiTqlcviR6o1Vduv8VOdyX3ZHUEHPf1A==
=ee0g
-----END PGP SIGNATURE-----