On 10/1/18 2:43 AM, Mike Manning wrote: > There is no easy way currently for applications that want to receive > packets in the default VRF to be isolated from packets arriving in > VRFs, which makes using VRF-unaware applications in a VRF-aware system > a potential security risk.
please drop that paragraph from the commit message. It is misleading and wrong. Without VRF I can start ssh bound to wildcard address and port 22 allowing connections across any interface in the box. If I do not want that sestup, I have options: e.g., bind ssh to the management address or install netfilter rules. The same applies with VRF as I mentioned in the v1 review. You not liking the options or wanting another option is a different reason for the change than claiming the current options are a security risk.
