On Wed, 30 Oct 2002, Hesham Soliman (EAB) wrote:
> > > >.. thus making the argument about the ease of use pretty
> > > > much irrelevant
> > > >IMO ..
> > >
> > > Exactly.
> > >
> > > It makes any argument that site-local filters are more "secure"
> > > than global filters pretty much irrelevant, too...
> > >
> > > If you can compromise the edge router and change its
> > > configuration,
> > > you can get either intra-site global or site-local traffic to be
> > > forwarded outside of the site.
> >
> > Totally agree; but I'd also add a simpler case: someone forgot to
> > explicitly configure (or like I did, when reading the spec
> > -- assumed that
> > it should get done automatically) the site scope in the
> > edge router(s).
> > Whoops!
> >
> > Watching the amount of spoofed traffic nowadays, most of
> > which could be
> > prevented by proper filtering, doesn't give me any reassurance that
> > people would actually do this too.. and then wonder why
> > their private
> > site-local address space has been compromised..
>
> => Are you saying that site-local traffic would start
> leaking outside the site and routed globally?
> As in transient ISPs will just forward it?

Of course the ISPs will forward them -- they (probably) haven't been
configured to be part of any sites (remember the two interpretations of
the MUST NOT forward paragraph earlier).

--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
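
Added example, not part of the original message: a small Python model of the forwarding decision discussed in this thread, showing why a forgotten site-scope setting on the edge router lets site-local (fec0::/10) traffic out and why an explicit prefix filter still stops it. The `Interface` type, the `site_id` zone index (0 meaning "never configured"), the `border_ifaces` filter set and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

SITE_LOCAL = ipaddress.ip_network("fec0::/10")  # site-local unicast prefix

@dataclass(frozen=True)
class Interface:
    name: str
    site_id: int = 0  # assumption: 0 = default zone, nobody configured a site

def is_site_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in SITE_LOCAL

def forwards(src, dst, ingress, egress, border_ifaces=frozenset()):
    """True if a router would pass the packet from ingress to egress."""
    if not (is_site_local(src) or is_site_local(dst)):
        return True   # global addresses: no scope rule applies
    if {ingress.name, egress.name} & set(border_ifaces):
        return False  # explicit fec0::/10 drop on the external link
    return ingress.site_id == egress.site_id  # zone check alone

def scenarios():
    src, dst = "fec0::1:10", "2001:db8::1"  # constructed sample addresses
    lan, up = Interface("lan0", 1), Interface("wan0", 2)
    lan_d, up_d = Interface("lan0"), Interface("wan0")    # scope never set
    isp_in, isp_out = Interface("ge0"), Interface("ge1")  # transit router
    return {
        "edge, site scope configured": forwards(src, dst, lan, up),
        "edge, site scope forgotten": forwards(src, dst, lan_d, up_d),
        "ISP transit, no site config": forwards(src, dst, isp_in, isp_out),
        "edge, forgotten scope + explicit filter":
            forwards(src, dst, lan_d, up_d, border_ifaces={"wan0"}),
    }

if __name__ == "__main__":
    for case, passed in scenarios().items():
        print(f"{case:42} {'FORWARDED' if passed else 'dropped'}")
```

In this model the zone check protects the site only when someone has actually assigned distinct site IDs; the explicit prefix filter on the external interface drops the packet regardless of zone configuration.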
