Regarding "Routers must not forward any packets with site-local source or destination addresses outside of the site." [RFC 2373] (note lower case for "must not"): the problem is not so much a vendor problem as a deployment problem. A router can't know when it's forwarding a packet outside of a site unless it's been configured with information about site borders. So network architects and admins have to define what makes up sites and configure the routers at the borders to know about those site borders. And, I don't think there's a good way to define default behavior or auto-discovery for site-local addressing...
I don't see much difference between RFC 1918 addresses and site-local addresses in the areas of network design and deployment...

- Ralph

At 09:04 AM 6/9/2002 +0300, Pekka Savola wrote:
>On Sun, 9 Jun 2002, Bill Sommerfeld wrote:
> > > - With an RFC 1918 host behind a firewall, compromising the firewall is
> > > enough to grant that host outside access. Single point of failure.
> > >
> > > - With a site-local only host behind a firewall, this becomes a double
> > > hack thing: you need to reconfigure the firewall _and_ reconfigure the
> > > host to give it a public IP.
> >
> > Why do you believe this makes a difference? Wouldn't site-local
> > traffic be just as likely to leak into an ISP as RFC1918 traffic?
> > Better ISPs will filter it out in their border routers; others won't
> > bother.
>
>Well, addr-arch states that routers MUST drop traffic with site-local
>source address at the edge of a site.
>
>But as site is rather vaguely defined, I think many vendors just skip this
>little detail..
>
>--
>Pekka Savola "Tell me of difficulties surmounted,
>Netcore Oy not those you stumble over and fall"
>Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
>
>--------------------------------------------------------------------
>IETF IPng Working Group Mailing List
>IPng Home Page: http://playground.sun.com/ipng
>FTP archive: ftp://playground.sun.com/pub/ipng
>Direct all administrative requests to [EMAIL PROTECTED]
>--------------------------------------------------------------------
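The forwarding rule discussed in this thread, as an added example that is not part of the original message or of any router implementation. It assumes a hypothetical per-interface site map (`IFACE_SITE`, with `None` meaning "outside any site") and a fail-closed default for interfaces with no site configured; the addresses are constructed samples.

```python
import ipaddress

# fec0::/10 is the site-local prefix from RFC 2373; RFC 1918 ranges are
# handled the same way, following the comparison made in the thread.
SITE_LOCAL = ipaddress.ip_network("fec0::/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical border-router configuration: interface -> site identifier.
# None marks an interface that lies outside every site (e.g. the ISP uplink).
IFACE_SITE = {"eth0": "site-a", "eth1": "site-a", "wan0": None}


def is_scoped(addr):
    """True if addr is IPv6 site-local or an RFC 1918 private address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip in SITE_LOCAL
    return any(ip in net for net in RFC1918)


def forward_decision(src, dst, in_if, out_if, iface_site):
    """Return (action, reason) for one packet, given the site map."""
    if not (is_scoped(src) or is_scoped(dst)):
        return ("forward", "no scoped address")
    # Without configured site membership the router cannot tell where the
    # border is; this example assumes it then fails closed.
    if in_if not in iface_site or out_if not in iface_site:
        return ("drop", "no site configured for interface")
    if iface_site[in_if] is None or iface_site[in_if] != iface_site[out_if]:
        return ("drop", "scoped address would cross a site border")
    return ("forward", "both interfaces in the same site")


if __name__ == "__main__":
    samples = [  # constructed packets: (src, dst, ingress, egress)
        ("fec0::1", "fec0::2", "eth0", "eth1"),
        ("fec0::1", "2001:db8::1", "eth0", "wan0"),
        ("10.1.2.3", "192.0.2.1", "eth0", "wan0"),
        ("2001:db8::5", "2001:db8::1", "eth0", "wan0"),
    ]
    for pkt in samples:
        print(pkt, "->", forward_decision(*pkt, IFACE_SITE))
    # Same intra-site packet on a router with no site map configured.
    print("unconfigured ->", forward_decision(*samples[0], {}))
```

With an empty site map the fail-closed default also drops traffic that stays inside the site, while a fail-open default would let scoped addresses leave it, so neither choice works without configured borders.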
