Brian,

The argument that globals don't benefit firewalls is not true. In
Digital we ran globals company-wide and now in HP.  The firewall is
there for sure.  But the algorithms are to check security parameters
coming in and other filtering rules; the translation and mappings and
data structure lookups and the duplicate data paths are not needed. In
addition, with IPsec it will make the firewalls even faster, because now
all the many filters are not needed, because the SA between two nodes or
an extranet router can do IPsec verification.

So the technical ability of globals to pass through firewalls is far
better, and I believe an order of magnitude, not just a basic perf gain.

In addition, philosophically, private addresses are simply not wise. But
I won't go there yet again.  But IPv6 does not need SLs today at all, and
they definitely should not put large mission-critical operations at risk
with IPv6 at all.

/jim
[Have you ever seen the rain coming down on a sunny day]


> -----Original Message-----
> From: Brian Zill [mailto:bzill@microsoft.com] 
> Sent: Tuesday, October 29, 2002 12:59 AM
> To: Margaret Wasserman
> Cc: [EMAIL PROTECTED]
> Subject: RE: Limiting the Use of Site-Local
> 
> 
> > Margaret Wasserman writes:
> > 
> > Private addressing does not provide any type of security that
> > cannot be obtained (and more easily, in most cases) by 
> > appropriate configuration of firewalls or filters on routers.
> 
> So are you advocating that people use global addresses with a 
> firewall and/or filters to block outside connectivity for 
> part of their address space?  Doesn't that just create a 
> weird form of private address space? And worse (since it is 
> not officially sanctioned) one that applications can't recognize?
> 
> One advantage of having scoped addresses defined in the IPv6 
> architecture from the start is that applications can know not 
> to pass them outside of their scope.  If we instead suggest 
> that people firewall/filter off random portions of the global 
> address space, then apps will blindly pass those addresses 
> around in the data stream, mistakenly thinking that they are 
> real global addresses.  Only having dedicated scoped address 
> space allows apps to do the right thing.
> 
> --Brian
> 

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
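The point Brian makes about scoped addresses, that an application can tell from the address bits alone whether it may hand an address to a peer outside its scope, is easy to see in code. The following classifier is an added example and is not part of the thread or of any IETF implementation; it uses the scope prefixes from RFC 4291 (link-local fe80::/10, site-local fec0::/10, multicast ff00::/8 with its scope nibble) plus the ULA range fc00::/7 from RFC 4193, and the `filtered` list handed to `hidden_by_firewall_only` is a constructed stand-in for a site's firewall configuration. The documentation prefix 2001:db8::/32 plays the role of a global allocation.

```python
import ipaddress
from typing import Iterable

# Architecturally scoped IPv6 prefixes. Site-local (fec0::/10) was later
# deprecated by RFC 3879 and effectively replaced by ULA (fc00::/7, RFC 4193),
# but both are recognisable from the bits, which is the property discussed above.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
MULTICAST = ipaddress.IPv6Network("ff00::/8")

# Multicast scope values from the low nibble of the second address byte (RFC 4291).
MULTICAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def scope_of(text: str) -> str:
    """Return the scope an application can infer from the address bits alone."""
    addr = ipaddress.IPv6Address(text)
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr in MULTICAST:
        nibble = addr.packed[1] & 0x0F
        return "multicast/" + MULTICAST_SCOPES.get(nibble, f"unassigned-{nibble:x}")
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in SITE_LOCAL:
        return "site-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def may_leave_site(text: str) -> bool:
    """True only for addresses an app may safely embed in data sent off-site."""
    return scope_of(text) in ("global", "multicast/global")


def hidden_by_firewall_only(text: str, filtered: Iterable[str]) -> bool:
    """The counter-case from the thread: a global address that is unreachable
    from outside only because a firewall blocks its prefix. The bits say
    'global', so the app can only learn this if it is given the site's filter
    list (`filtered`, a constructed stand-in for firewall configuration)."""
    addr = ipaddress.IPv6Address(text)
    if scope_of(text) != "global":
        return False
    return any(addr in ipaddress.IPv6Network(prefix) for prefix in filtered)


if __name__ == "__main__":
    # Constructed sample addresses; 2001:db8::/32 is the documentation prefix.
    for a in ("fe80::1", "fec0::1", "fd12:3456::1", "2001:db8::1", "ff05::2"):
        print(f"{a:16} scope={scope_of(a):22} may_leave_site={may_leave_site(a)}")
    print(hidden_by_firewall_only("2001:db8:1::5", ["2001:db8:1::/48"]))
```

`scope_of` needs no configuration: a site-local or link-local address identifies itself. `hidden_by_firewall_only` is the contrast; without an out-of-band copy of the firewall's rules, the function has no way to distinguish a filtered global prefix from any other global prefix, which is exactly why an application would "blindly pass those addresses around" in the scenario above.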