Date: Fri, 16 Feb 2001 13:00:55 -0600
From: [EMAIL PROTECTED]
Message-ID: <B9CFA6CE8FFDD211A1FB0008C7894E4603063C6B@bseis01nok>
| but unlike the other two uses yours has alternatives like using IPsec.
| yours is a weaker reason for them as the reason was for private addresses in
| IPv4.
Jim, I agree with you on that. I also half suspect though that it will
be the dominant reason, weak or not.
That is, for the vast majority of sites, that kind of "security" is so
simple that it is attractive, and while security by filtering isn't
generally nearly as good as security by authentication, in this particular
case (making a couple of semi-reasonable assumptions) it might almost
be better.
That is, the assumption is that anyone within the site is entitled to
get access to the fileserver, and that the information there is generally
(within the site) public - but it isn't supposed to be available outside
the site (if you want, imagine the reason for this is that the server
cannot handle the load).
Using ipsec techniques requires key distribution, with the possibility that
the key might be made known more widely than had been intended, allowing
outsiders access to the server. Site local addresses require none of that
(simpler to administer) and the routers (with no special configuration at
all) enforce access.
Furthermore, the usual problem with firewall security - that once security
is broken anywhere it is broken everywhere - isn't relevant here, as even
using ipsec, everyone inside the site is allowed access to the server
anyway, so if an intruder manages to get at an internal host, then whatever
security method is being used, they have access to the server.
With all this, I kind of suspect that Rich may have hit the most pressing
demand for site locals right on the head - and I also guess that's why
his implementation has (slightly) jumped the gun and picked a method to
use the things, even if it probably isn't really a good choice.
kre
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------