hello paul (long time since we have talked),

> > Common where? Yes for firewalls and extranets I agree. But that is not
> > the same paradigm as two-faced DNS for site-local addresses as an
> > implementation. Two different beasts altogether. And the world is not
> > good today with all the NAT and tunnels; it is horrible. We should be
> > careful to not propagate such behavior whenever possible with IPv6.
> >
> 
> So Jim, in the absence of two-faced DNS, how do you think a host should
> decide whether it should use site-local for another host, or do you think
> using site-local addresses is a bad idea?
> 

It's no secret I think site-local addresses are a bad idea, and I have not
decided how to even find something good about them in the book I am writing
about IPv6.  But we are stuck with them, and we need to use them very
carefully and put limitations on their use like we do handguns in the U.S.,
or have health warnings for them for users, like the sign I have in the back
of my woods: "Never mind the dog, beware of the owner".  They should only be
exposed within a site.  They should never be used as a source address to any
dst address of greater scope under any circumstances.  If we could get all
to follow these simple precepts, they may not poison the innocent users
adopting IPv6 who are duped into using them under the guise of the ill-begotten
mantra of dynamic renumbering, who should be able to use global IPv6
addresses without ever having to use anything else for peer-to-peer
application communications.  But the solution I would provide to a customer
who insisted on using them, if I were an IPv6 consultant, is to not permit
multisited servers across site boundaries for DNS at all.  Any multisited DNS
servers (or DHCPv6 servers) should never be deployed and support site-local
addresses as RRs or IP addresses for assignment.  If a server is multisited
(wired to two different site logical points), it only supports global
thingees.  This just eliminates the problem.

I do think site-local addresses may be useful for traffic engineering or
routing exchanges within a site or multisite boundary, but that is work for
further study.  But for peer-to-peer apps, end-2-end, etc. for applications
folks run their business on, they are unacceptable just so folks have
renumbering.  The business and administrative trade-offs are not worth it, and
also I could show the same customer how to renumber their network with global
IPv6 addresses with tools and specs we have today, so saying they're useful for
renumbering is bogus for me.

But as an engineer who builds products, I will have to support this garbage
in the IPv6 architecture just like abusive tunneling protocols and NAT in
IPv4.  But this garbage should not be propagated to customers' servers that
are multisited.

Using the firewall and NAT argument is naive and not the same.  I know this
from building shipping products, and supporting gateway mechanics at one
point in a network in a controlled box at the ingress/egress point of the
Intranet is far, far different than supporting multisited servers across many
sites within an Intranet and controlling it.  In theory and 10,000-foot-level
discussions, and maybe on some PowerPoint weak architecture slideware, it
appears to be the same, but down where the grunts live, building server
software and maintaining state machines for the database and shipping this
stuff, it's not the same thing at all.

regards,
/jim

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------