Subject: Re: making our tcp/ip a strong-end system
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Andrew Brown <twofsonet@graffiti.com>
List: tech-net
Date: 11/13/1998 11:53:42
>Geez, let's look at other sysctls which can be replaced with IP Filter:
>
>net.inet.ip.directed-broadcast
>net.inet.ip.forwsrcrt
>net.inet.ip.allowsrcrt
>net.inet.ip.redirect
>net.inet.ip.forwarding
>net.inet.icmp.maskrepl
>
>Why not just enable each of the above and control it through packet
>filter lists in IP Filter?

yeah...but then the "generic" solution is replaced by a different set
of filter rules for *everyone* that needs to be changed as addresses
come and go.  perhaps i'm a weird one, but i'm constantly adding and
removing addresses.  that's one of the hazards of using a laptop.  and
the laptop *is* under some circumstances, actually used as a router.

as an extreme example...to defend myself against udp/echo spoofing
attacks, i could come up with filter rules to block them out.  or i
could simply turn off the service.

and now that i've jumped into this thread :), i'd like to point out
that under the best situation, the "strong-endedness" aspect would be
best applied on an address by address basis.  on the bgp system that
paul mentioned, one would certainly want 127.1 on lo0 to be a "strong"
address even if the advertised bgp address on the same interface was
not.

i don't know all that much about how the packets travel through the
kernel (i'm just a caveman...your scientists thawed me out. :), but i
can't see that it would be that difficult to make changes to check (a)
is this address marked strong and if so (b) did this packet arrive on
the correct interface?

the only trouble i see (so far) is frobbing the "strength" of an
individual address on an interface after that interface is up and in
use (and has more than one address).

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."