I didn't say anything about site-locals and security and I didn't ask what link-locals are for. I said that you can create a tunnel to take link-locals beyond a link, so the problem is not specific to site-locals.
Actually, I think that there are some important differences between link-locals and site-locals.
A router might (and probably should) be hard-coded not to forward link-local packets, as there is no reason to ever forward them. However, a router that might ever need to have multiple interfaces in a single site can't be hard-coded not to forward site-locals. Whether or not they will be forwarded is the result of configuration.

There is another important difference that doesn't relate directly to security (as far as I know): site-local prefixes are advertised by routers, and they differ from link to link (different subnet IDs), whereas the link-local prefix is a single constant.

Margaret

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
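The distinction drawn in the message above, as an added sketch that is not part of the original thread: link-local traffic is dropped by a fixed rule, while the site-local decision depends on an interface-to-site table. The interface names, site labels and the table itself are assumptions made for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # single constant prefix
SITE_LOCAL = ipaddress.ip_network("fec0::/10")  # per-link prefixes live under this

# Constructed configuration (hypothetical names): interface -> site, None = outside any site.
SITE_OF_INTERFACE = {"eth0": "site-A", "eth1": "site-A", "eth2": "site-B", "wan0": None}


def scope(addr):
    """Classify an IPv6 address as 'link', 'site' or 'global' scope."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link"
    if ip in SITE_LOCAL:
        return "site"
    return "global"


def site_local_subnet_id(addr):
    """Return the 16-bit subnet ID (bits 48..63) of a site-local address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SITE_LOCAL:
        raise ValueError("not a site-local address")
    return (int(ip) >> 64) & 0xFFFF


def forward_decision(src, dst, in_if, out_if, site_map=SITE_OF_INTERFACE):
    """Return 'forward' or 'drop' for a packet crossing in_if -> out_if."""
    scopes = {scope(src), scope(dst)}
    if "link" in scopes:
        # Fixed rule: no configuration can enable forwarding of link-locals.
        return "drop"
    if "site" in scopes:
        # Configuration-dependent: forward only inside one configured site.
        in_site, out_site = site_map.get(in_if), site_map.get(out_if)
        return "forward" if in_site is not None and in_site == out_site else "drop"
    return "forward"


if __name__ == "__main__":
    a, b = "fec0:0:0:1::10", "fec0:0:0:2::20"  # constructed sample addresses
    print(forward_decision(a, b, "eth0", "eth1"))  # same site
    print(forward_decision(a, b, "eth0", "eth2"))  # crosses a site boundary
    print(forward_decision("fe80::1", b, "eth0", "eth1"))
```

Changing the table changes the site-local outcome but never the link-local one, which is why a misconfigured site boundary is the case to audit.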
