I think I was a little too subtle in my original post.
Denying external connectivity on a host-by-host basis is harder than
it looks, because if any system with external connectivity at any
layer is compromised, it can be used as a springboard to attack
"internal" systems which the firewall allegedly protects.
Site-local addresses add complication and do nothing that a site
couldn't do already by setting aside part of its address space to be
blocked at a firewall.
The belief that site boundaries will be configured correctly is
equivalent to the belief that site boundary firewalls will be
configured correctly.
- Bill
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------