On Sun, 9 Jun 2002, Bill Sommerfeld wrote:
> > - With an RFC 1918 host behind a firewall, compromising the firewall is
> > enough to grant that host outside access. Single point of failure.
> >
> > - With a site-local only host behind a firewall, this becomes a double
> > hack thing: you need to reconfigure the firewall _and_ reconfigure the
> > host to give it a public IP.
>
> Why do you believe this makes a difference? Wouldn't site-local
> traffic be just as likely to leak into an ISP as RFC1918 traffic?
> Better ISPs will filter it out in their border routers; others won't
> bother.
Well, addr-arch states that routers MUST drop traffic with a site-local source address at the edge of a site. But as "site" is rather vaguely defined, I think many vendors just skip this little detail..

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
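The site-edge rule Pekka cites (drop any packet whose source address is site-scoped before it leaves the site) is small enough to write down. The following is an added illustration, not code from the thread or from any vendor: a model of a border router's egress policy that treats IPv6 site-local (fec0::/10, the site-local prefix in the addressing architecture of the time) and the IPv4 RFC 1918 ranges the same way, and runs it over a constructed set of packets. The `Packet` type and the sample addresses are assumptions made for the example; the filter checks only the source address, as the addr-arch requirement does.

```python
import ipaddress
from dataclasses import dataclass

# Source prefixes that must not cross a site boundary.
# fec0::/10 is the IPv6 site-local prefix defined by the IPv6 addressing
# architecture in force in 2002; the three IPv4 blocks are RFC 1918.
SITE_LOCAL_V6 = ipaddress.ip_network("fec0::/10")
RFC1918_V4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Packet:
    """Minimal packet model (assumed for this example): just the two addresses."""
    src: str
    dst: str


def is_site_scoped(addr_str: str) -> bool:
    """True if the address may only be used inside a site.

    IPv6 link-local (fe80::/10) is deliberately NOT matched here: it is a
    different scope, and no router forwards it at all, so it is not the
    site-edge filter's job.
    """
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 6:
        return addr in SITE_LOCAL_V6
    return any(addr in net for net in RFC1918_V4)


def egress_filter(packets):
    """Apply the site-edge egress rule: drop anything sourced from a
    site-scoped address, forward everything else.

    Returns (forwarded, dropped) so a caller can log or count the drops.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        if is_site_scoped(pkt.src):
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample traffic as seen at the site's border router. The
# destinations use documentation prefixes (2001:db8::/32, 192.0.2.0/24).
SAMPLE_PACKETS = [
    Packet("fec0::1", "2001:db8::1"),          # site-local source: drop
    Packet("2001:db8:1::10", "2001:db8::1"),   # global source: forward
    Packet("10.1.2.3", "192.0.2.1"),           # RFC 1918 source: drop
    Packet("198.51.100.7", "192.0.2.1"),       # public source: forward
    Packet("fe80::1", "2001:db8::1"),          # link-local: not this rule's scope
]


def run_sample():
    """Run the egress rule over the constructed packets; return the two sets."""
    forwarded, dropped = egress_filter(SAMPLE_PACKETS)
    for pkt in dropped:
        print(f"DROP    src={pkt.src} dst={pkt.dst}")
    for pkt in forwarded:
        print(f"FORWARD src={pkt.src} dst={pkt.dst}")
    return forwarded, dropped


if __name__ == "__main__":
    run_sample()
```

The check is easy to implement; the hard part, as the reply says, is deciding where the "edge of a site" is, since the filter is only correct on interfaces that genuinely face another site or an ISP. A practical consequence for operators is that the rule should be expressed per interface, not per router.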
