At 03:23 PM 10/30/02, Michel Py wrote:
> Margaret Wasserman wrote:
> > If you can compromise the edge router and change its
> > configuration, you can get either intra-site global
> > or site-local traffic to be forwarded outside of the
> > site.
> Oh really? Maybe you can explain to us how you would do that?
> Let's see, by announcing FE80::/10 or FEC0::/10 to the peers. Problem
> is, most of them are not that dumb and will filter it.
> Or maybe you have a special version of IOS that has IPv6 NAT in it so
> it enables the host with a link-local address to communicate with the
> outside.
> So Margaret, tell us: How do you reconfigure a router to forward
> site-local traffic to the outside?
It depends on what you mean by the "outside".
If I am on a link that is attached to the SBR, but in another
site, I could reconfigure the router to consider my link as part
of the site.
If I am further away from the router, I could possibly configure
the router to tunnel site-local traffic across the underlying (v4
or v6) network.
Let me turn the question around... You have posited that the
use of site-local address is somehow more "secure" than using
a private global address range that is filtered in the router.
Why? What attacks would work in the latter case that wouldn't
work in the former case?
Margaret
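To make the filtering point in this exchange concrete, here is an added illustration (not code from the IPng list, from either poster, or from any router vendor) of the two checks a site border router would apply: rejecting peer announcements that fall inside FE80::/10 or FEC0::/10, and refusing to forward packets sourced from or destined to those ranges out of the external interface. The private global prefix 2001:db8:1234::/48 is a constructed placeholder from the documentation range, standing in for the "private global address range that is filtered in the router" that Margaret mentions; the function names are this example's own.

```python
"""Scoped-prefix filtering at an IPv6 site border (hypothetical example).

Models two controls the thread above assumes an edge router enforces:
  1. inbound route filtering: drop peer announcements covered by the
     link-local, site-local or an operator-chosen private global range;
  2. egress policy: never forward a packet whose source or destination
     lies in one of those ranges out of the external interface.
The private global prefix is a constructed placeholder, not a real site.
"""
from ipaddress import IPv6Network, ip_address, ip_network

LINK_LOCAL = IPv6Network("fe80::/10")          # FE80::/10 from the thread
SITE_LOCAL = IPv6Network("fec0::/10")          # FEC0::/10 from the thread
PRIVATE_GLOBAL = IPv6Network("2001:db8:1234::/48")  # constructed placeholder


def scoped_prefixes(private_global=PRIVATE_GLOBAL):
    """Ranges that must not cross the site border, in either direction."""
    return (LINK_LOCAL, SITE_LOCAL, private_global)


def accept_announcement(prefix: str, filters=None) -> bool:
    """True if a route received from an external peer may be installed.

    Exact matches and more-specifics of a blocked range are rejected, so a
    peer cannot slip fec0:1::/64 past a filter written for fec0::/10.
    Anything that is not IPv6 is rejected on this (IPv6-only) session.
    """
    net = ip_network(prefix, strict=False)
    if net.version != 6:
        return False
    return not any(net.subnet_of(blocked) for blocked in filters or scoped_prefixes())


def forward_externally(src: str, dst: str, filters=None) -> bool:
    """True if a packet may leave through the site's external interface."""
    s, d = ip_address(src), ip_address(dst)
    if s.version != 6 or d.version != 6:
        return False
    return not any(s in blocked or d in blocked
                   for blocked in filters or scoped_prefixes())


def filter_table(announcements, filters=None):
    """Split a peer's announcements into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for prefix in announcements:
        (accepted if accept_announcement(prefix, filters) else rejected).append(prefix)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of what a misbehaving peer might announce.
    sample = ["2001:db8:abcd::/48", "fec0::/10", "fe80::/64",
              "fec0:1234::/48", "2001:db8:1234::/48"]
    acc, rej = filter_table(sample)
    print("accepted:", acc)
    print("rejected:", rej)
    print("forward fec0::1 -> 2001:db8:ffff::1:",
          forward_externally("fec0::1", "2001:db8:ffff::1"))
```

Note that the site-local prefix and the constructed private global prefix pass through exactly the same test; the filter neither knows nor cares that one of them is "site-local" by definition, which is the substance of Margaret's closing question.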
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------