> Ralph Droms wrote:
> Regarding "Routers must not forward any packets with site-local source
> or destination addresses outside of the site." [RFC 2373] (note lower
> case for "must not"): the problem is not so much a vendor problem as
> a deployment problem.  A router can't know when it's forwarding a
> packet outside of a site unless it's been configured with information
> about site borders. So network architects and admins have to define
> what makes up sites and configure the routers at the borders to know
> about those site borders.

Exactly.
> I don't see much difference between RFC 1918 addresses and site-local
> addresses in the areas of network design and deployment...

The difference is that an RFC 1918 host is likely to have access to the
outside world through NAT, when a site-local-only v6 host is _not_. And
we all agree that the "security" provided by RFC 1918 addresses is a
joke, mostly because of the presence of NAT.

In the v4 world, it is typical to have only one v4 address per host
interface, and therefore where there are RFC 1918 addresses you can bet
there is NAT nearby.

The v6 situation is different: One does not need NAT to access the
outside and use site-local at the same time. Therefore, one of the
reasons people would use site-local addresses is for security reasons,
and not a by-product of not having enough v4 addresses.


The question Steve Bellovin was asking (if I interpret it correctly) is
more or less "does anybody need site-local addresses anyway?". I do.

Michel.


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
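The rule both messages turn on is "routers must not forward any packets with site-local source or destination addresses outside of the site" [RFC 2373], together with the observation that a router cannot apply it unless an operator has told it which links are site borders. The following is an added example, not code from either poster or from any IETF document: a minimal egress check for a router, using the RFC 2373 site-local prefix fec0::/10. The `Interface` type, its `is_site_border` flag and the interface names are assumptions standing in for whatever a real router's configuration would carry. (Caveat for readers today: site-local unicast addresses were later deprecated by RFC 3879; the same border-filtering logic is what operators now apply to ULA prefixes.)

```python
# Added example: egress filter for a site-border router, modelled on the
# RFC 2373 rule quoted in the thread. Not code from the IPng list.
# The Interface type and its is_site_border flag are assumptions: they
# represent the operator-supplied knowledge of where the site ends.
import ipaddress
from dataclasses import dataclass

# RFC 2373 site-local unicast prefix (fec0:: through feff:ffff:...).
SITE_LOCAL = ipaddress.ip_network("fec0::/10")


@dataclass(frozen=True)
class Interface:
    """One egress link as the router knows it (assumed shape)."""
    name: str
    is_site_border: bool   # configured by the admin, never inferred


def is_site_local(addr: ipaddress._BaseAddress) -> bool:
    """True for IPv6 addresses inside fec0::/10."""
    return addr.version == 6 and addr in SITE_LOCAL


def forward_decision(src: str, dst: str, egress: Interface) -> str:
    """Decide whether a packet may be forwarded out of `egress`.

    Returns "forward" or a string starting with "drop: " and a reason.
    The site-local rule only fires when the egress link is a configured
    site border; on an interior link the same packet is forwarded, which
    is exactly why an unconfigured router cannot enforce the rule.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.version != d.version:
        return "drop: address family mismatch"
    if egress.is_site_border and (is_site_local(s) or is_site_local(d)):
        return "drop: site-local address would leave the site"
    return "forward"


def filter_packets(packets, egress: Interface):
    """Apply forward_decision to (src, dst) pairs; returns a list of
    (src, dst, decision) tuples so callers can log or count drops."""
    return [(src, dst, forward_decision(src, dst, egress)) for src, dst in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    ("fec0::1", "2001:db8::1"),          # site-local source, global dst
    ("2001:db8::1", "fec0:0:0:1::2"),    # global source, site-local dst
    ("2001:db8::1", "2001:db8:1::1"),    # global to global
    ("fe80::1", "2001:db8::1"),          # link-local, not covered by this rule
]

if __name__ == "__main__":
    for iface in (Interface("wan0", is_site_border=True),
                  Interface("lan1", is_site_border=False)):
        for src, dst, decision in filter_packets(SAMPLE, iface):
            print(f"{iface.name:5} {src:>16} -> {dst:<16} {decision}")
```

Run as a script, the same four packets are all forwarded on `lan1` and the two carrying a site-local address are dropped on `wan0`; the only thing that differs is the `is_site_border` flag, which is the "information about site borders" Ralph Droms is referring to. Note that the link-local packet passes this check: link-local scope is enforced by a separate rule at every router, not just at site borders.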
