address-based ACLs [WAS: peername + openldap 2.2.4]
On 7 Jan 2004 at 20:12, Pierangelo Masarati wrote:
[snip]
>
> but a radically better solution would be to use a more
> reliable ACL policy than one based on the IP of the
> client.
>
[snip]
Pierangelo, I am curious: what would you consider "more reliable" than using
the IP address in access controls?
I am on an IANA-legal pure-IP network with strong ingress and egress filtering
at the edge routers. For me, IP address is an extremely reliable method of
determining if a connection originated "inside" my physical area of control.
Users cannot be trusted to keep their passwords secure, and anything else might
be spoofed by a reasonably clever person.
--Charlie