Subject: Re: [patch] source-address selection
To: David Young <dyoung@pobox.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 09/06/2006 15:02:44
On Wed, Sep 06, 2006 at 01:26:44PM -0500, David Young wrote:
>
> As Mihai said, you can still bind any address you like. It would be easy
> to extend the source-selection patch so that it considered addresses on
> interfaces other than the output interface, however, I leave that up to
> somebody else.
If you do this, please _do not_ make such behavior the default; you might
consider making it emit a warning. This takes us even further away from
the strong host model preferred by most network security folks, and
required by policy in some environments (I have personally had to patch
NetBSD kernels to enforce strong host semantics before a client's security
staff would allow them to be run on their network).
--
Thor Lancelot Simon tls@rek.tjls.com
"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart
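As an added illustration, not part of this thread or of NetBSD's networking code: a small Python model of a two-interface host that contrasts the strong host model Thor refers to with the weak model that the proposed "consider addresses on other interfaces" extension moves toward, for both source selection and inbound acceptance. Interface names and addresses are constructed (documentation ranges).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface
from typing import Optional

STRONG, WEAK = "strong", "weak"


@dataclass
class Host:
    """Multi-homed host: interface name -> configured addresses (with prefix)."""
    ifaces: dict[str, list[IPv4Interface]]
    model: str = STRONG

    def _candidates(self, ifname: str) -> list[IPv4Interface]:
        # Strong host model: only the named interface's addresses count.
        # Weak host model: every address on the box is fair game.
        if self.model == STRONG:
            return list(self.ifaces[ifname])
        return [a for addrs in self.ifaces.values() for a in addrs]

    def select_source(self, dst: str, out_if: str) -> Optional[IPv4Address]:
        """Pick a source address for a packet leaving out_if toward dst.
        Prefer an address whose prefix contains dst; otherwise the first candidate."""
        d = ip_address(dst)
        cands = self._candidates(out_if)
        for a in cands:
            if d in a.network:
                return a.ip
        return cands[0].ip if cands else None

    def accept_inbound(self, dst: str, in_if: str) -> bool:
        """Strong: dst must be configured on the arriving interface.
        Weak: any local address is accepted regardless of arrival interface."""
        d = ip_address(dst)
        return any(a.ip == d for a in self._candidates(in_if))


def demo_host(model: str) -> Host:
    # Constructed example: eth0 on TEST-NET-1, eth1 on TEST-NET-2.
    return Host({"eth0": [ip_interface("192.0.2.10/24")],
                 "eth1": [ip_interface("198.51.100.10/24")]}, model)
```

Under the weak model the host answers on eth0 for an address that lives on eth1, and a packet sent out eth0 toward eth1's subnet carries eth1's address as its source; the strong model refuses both, which is the property a firewall policy built around "this address only appears on this wire" depends on.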