> Bob Hinden wrote: > 3) Keep site-local and allow full usage Personally, I do not see a reason not to continue in this direction (3).
There is something that bugs me, though. Last time I read it, the allocation was as follows: Link-local unicast 1111111010 FE80::/10 Site-local unicast 1111111011 FEC0::/10 I wonder if it would be wise to change it to: Link-local unicast FE80::/64 Site-local unicast FEC0::/48 Not so much to save space, but to prevent people from doing terrible hacks with these unused bits between 10 and 47. > Steve Bellovin wrote: >Finally -- and perhaps least important -- I'm not sure what problem >they solve. I can understand site-local multicast, since (most) >inter-site traffic traverses links that are not inherently >multicast-capable. There is thus considerable extra expense. But why >do I need site-local unicast addresses? I think there still are some situations where they can improve security. There is a main difference between an IPv4 RFC1918 address and an IPv6 site-local address: IPv6 NAT does not exist. And even if it does, it is not mainstream setup. The false sensation of security provided by RFC1918 is false because it is extremely likely (today) that an RFC1918 host can reach the outside Internet through NAT. The outbound-only firewall is a false idea of security as well since 2nd generation peer-to-peer software such as Morpheus can easily bypass firewalls and allow ingress connections to RFC1918 hosts. NAT does make RFC1918 hosts reachable from the Internet. On the other hand, considering that a typical IPv6 will _not_ feature IPv6 NAT, an IPv6 host that has _only_ a site-local address would have an extra layer of protection against external attacks as it would not be reachable at all from the outside. Michel. -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
