>> Michel Py wrote:
>> On the other hand, considering that a typical IPv6 will _not_ feature
>> IPv6 NAT, an IPv6 host that has _only_ a site-local address would have
>> an extra layer of protection against external attacks as it would not be
>> reachable at all from the outside.

> Bill Sommerfeld wrote:
> I see this as a distinction without a difference -- if the site has
> some systems running a global p2p network's software with external
> connectivity, and that p2p network is cracked, the site will be
> vulnerable to attacks relayed through the p2p network.
> if one system within the site has external connectivity and is part
> of the compromised p2p network, any system at the site will now be
> open to attacks from the compromised system.

I don't know on which planet you are living, but on earth a system that has no direct access to the outside is more secure than a system that does; this is called a fact, not a distinction. Security is the sum of different things, including passwords, firewalls _and_ preventing direct access from the Internet.

> If there is widespread deployment of systems with site-local only
> addresses, this will in turn drive the creation of ipv6 NAT
> specifically to give them external connectivity..

That looks like a solution without a problem. To give these hosts connectivity you just have both the site-local and the global address. Since NAT would not bring anything to the table why implement it in the first place?

Michel.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
