Re: address-based ACLs [WAS: peername + openldap 2.2.4]
> On 7 Jan 2004 at 20:12, Pierangelo Masarati wrote:
> [snip]
>>
>> but a radically better solution would be to use a more
>> reliable ACL policy than one based on the IP of the
>> client.
>>
> [snip]
>
> Pierangelo, I am curious: what would you consider "more reliable" than
> using the IP address in access controls?
strong auth, where strong depends on your taste.
>
> I am on an IANA-legal pure-IP network with strong ingress and egress
> filtering at the edge routers. For me, IP address is an extremely
> reliable method of determining if a connection originated "inside" my
> physical area of control. Users cannot be trusted to keep their
> passwords secure, and anything else might be spoofed by a reasonably
> clever person.
Including IPs :)
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it