Re: transition to ip6


On Mon, Apr 2, 2012 at 7:33 PM, Adam Tauno Williams
<awilliam@xxxxxxxxxxxxx> wrote:
> On Mon, 2012-04-02 at 09:59 -0500, Les Mikesell wrote:
>> On Mon, Apr 2, 2012 at 9:39 AM, Peter Eckel <lists@xxxxxxxxxxxx> wrote:
>> > When there really is a requirement that the external server allows
>> > only a single address to access it and that can't be changed, you
>> > could resort to using a proxy.
>>
>> What is typical or reasonable for source address restrictions?
>
> To dispose of them;  they are hopelessly pointless.  If you want to
> authenticate the source use PKI.
>
> I know they exist and have personally had to deal with them.  That
> doesn't imply they make any kind of sense.
>
>> That
>> is, if  there are 2 global organizations, and one wants to increase
>> the security on access to a service by limiting to the source
>> addresses that might come from the other, is there a sane way to
>> specify it, and to make the application use those addresses at the
>> right times if the interface has others?
>
> If two organizations want to communicate, exclusively and privately,
> with each other they should establish a tunnel.

This isn't a one-to-one relationship, it is an assortment of
data/service subscriptions among an assortment of providers and
consumers.  There's normally password protection as well but many have
a small list of permitted source addresses associated with the account
to reduce the risk of password sharing and give some protection
against DDoS attacks. It seems reasonable to expect the same with
IPv6 if there is a way to do it.

-- 
    Les Mikesell
      lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
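
The per-account source address list discussed in this message, carried over to IPv6, as an added example that is not part of the original thread. The account names and prefixes are constructed (documentation ranges), and listing a whole /64 for an IPv6 consumer is an assumption made here because a host may use several addresses within its subnet.

```python
import ipaddress

# Constructed sample data: permitted source networks per account.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), not real subscribers.
ALLOWED_SOURCES = {
    "subscriber-a": ["192.0.2.10/32", "2001:db8:10:1::/64"],
    "subscriber-b": ["198.51.100.0/28"],
}


def _normalize(addr_text):
    """Parse a peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    A dual-stack listener reports IPv4 peers in the mapped form, so without
    this step an IPv4 entry in the list would never match.
    """
    addr = ipaddress.ip_address(addr_text.split("%", 1)[0])  # drop any zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def source_permitted(account, peer_addr, table=ALLOWED_SOURCES):
    """Return True only if peer_addr lies inside a network listed for account.

    This is the extra check applied alongside the password, not a substitute
    for it. Unknown accounts and unparsable addresses are refused.
    """
    try:
        addr = _normalize(peer_addr)
    except ValueError:
        return False
    for net_text in table.get(account, []):
        # strict=True rejects entries with host bits set, e.g. a typo'd prefix.
        net = ipaddress.ip_network(net_text, strict=True)
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    for acct, peer in [
        ("subscriber-a", "::ffff:192.0.2.10"),
        ("subscriber-a", "2001:db8:10:1:a1b2:c3d4:e5f6:1234"),
        ("subscriber-a", "2001:db8:10:2::1"),
    ]:
        print(acct, peer, source_permitted(acct, peer))
```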


