On Tue, 29 Oct 2002, JINMEI Tatuya / 神明達哉 wrote:
> (Note: this message is not directly related to the main point of this
> thread.)
>
> >>>>> On Tue, 29 Oct 2002 08:51:12 +0200 (EET),
> >>>>> Pekka Savola <[EMAIL PROTECTED]> said:
>
> > I'm not even sure if we could get addrarch to draft standard, have folks
> > implemented these two:
>
> > --8<--
> > Routers must not forward any packets with site-local source or
> > destination addresses outside of the site.
> > --8<--
>
> > None of the implementations I use certainly have, and this has been
> > around for a while now, even since RFC1884..
>
> KAME can do this.
Note that KAME only supports this through manual configuration (and a
fix) -- clarified in off-the-list discussion.
To be compliant with the paragraph:
Routers must not forward any packets with site-local source or
destination addresses outside of the site.
Note: it does not say 'packets from the site' (implying configuration of
the site) but 'with site-local source'. That strongly implies explicit
configuration will not satisfy.
I expect an implementation must automatically, without any configuration,
drop e.g. packets received under the following steps:
1) a router is configured to advertise a site-local prefix
2) a node configures a site-local address and starts sending out traffic
3) router drops it or forwards it (using some logic).
Or even:
1) node just blindly configures fec0::1 and starts sending traffic using
it, testing how far it will go.
A valid scenario here could be that site-locals would be used inside one
link only -- no config at all in the router -- but the router must disallow
propagation of site-locals through the default route if something fails.
You may ask: how is this possible? We don't have any site-border
discovery mechanisms?
I say: exactly, that's why the paragraph is so ridiculous!
The only easy and compliant implementation I could think of would be
discarding all site-locals unless some links are explicitly configured to
be part of a site.
(Note: one could use some logic, e.g. require that all interfaces where
site-local traffic is valid have site-local addresses, to
auto-discover the border between globals and site-locals.. but that would
have quite a few assumptions, I believe.)
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
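As an added illustration (not code from the thread or from KAME), here are the two forwarding policies Pekka sketches above, written as a router-side check: the "explicit" policy drops every site-local packet unless both the ingress and egress links are configured as part of the site, and the "auto" policy treats a link as inside the site only if it has a site-local address itself. The interface names, addresses and the policy names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1884 / addrarch site-local prefix.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


@dataclass
class Interface:
    name: str
    addresses: list = field(default_factory=list)  # IPv6Address objects
    in_site: bool = False  # explicit "this link belongs to the site" config


def is_site_local(addr: str) -> bool:
    return ipaddress.IPv6Address(addr) in SITE_LOCAL


def site_member(iface: Interface, policy: str) -> bool:
    """Is this link inside the site under the chosen policy?"""
    if policy == "explicit":
        # Only operator configuration counts; with no config nothing is in the site.
        return iface.in_site
    if policy == "auto":
        # Border guess: a link is in the site iff it carries a site-local address.
        return any(a in SITE_LOCAL for a in iface.addresses)
    raise ValueError(f"unknown policy {policy!r}")


def forward_decision(src: str, dst: str, ingress: Interface,
                     egress: Interface, policy: str = "explicit") -> str:
    """Return 'forward' or 'drop' for a packet crossing ingress -> egress."""
    if not (is_site_local(src) or is_site_local(dst)):
        return "forward"  # globals are unaffected by the rule
    if site_member(ingress, policy) and site_member(egress, policy):
        return "forward"  # stays within the site
    return "drop"  # would leave (or enter from outside) the site


# Constructed topology: a LAN link with a site-local prefix and an
# unconfigured upstream link reachable via the default route.
LAN = Interface("lan0", [ipaddress.ip_address("fec0:0:0:1::1")])
UPSTREAM = Interface("wan0", [ipaddress.ip_address("2001:db8:ffff::1")])

if __name__ == "__main__":
    # Scenario from the mail: node blindly uses fec0::1, "testing how far it will go".
    print(forward_decision("fec0::1", "2001:db8::5", LAN, UPSTREAM))  # drop
```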