Margaret,

> >I didn't say anything about site-locals and security
> >and I didn't ask what link-locals are for. I said
> >that you can create a tunnel to take link-locals
> >beyond a link, so the problem is not specific to
> >site-locals.
>
> Actually, I think that there are some important differences
> between link-locals and site-locals.

=> I hereby declare to the ML that I completely agree that link-locals and site-locals are different :) The point was: using tunnelling to evade scope boundaries. This can be done in a zillion ways for different addresses, if we're not careful how the tunnel is set up or if a malicious node is inside the site and can fool the firewall (if one exists). Just making sure that we're talking about the same thing.

Hesham

> A router might (and probably should) be hard-coded not to
> forward link-local packets, as there is no reason to ever
> forward them.
>
> However, a router that might ever need to have multiple interfaces
> in a single site can't be hard-coded not to forward site-locals.
> Whether or not they will be forwarded is the result of
> configuration.
>
> There is another important difference that doesn't relate
> directly to security (as far as I know): site-local prefixes
> are advertised by routers, and they differ from link to link
> (different subnet IDs), whereas the link-local prefix is a
> single constant.
>
> Margaret

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
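The scope rules the two messages above describe, written out as a small forwarding-policy check. This is an added example, not code from either poster or from any IPng implementation; the interface-to-site map and the sample addresses are constructed for illustration. It encodes Margaret's distinction (link-local is never forwarded, site-local is forwarded only between interfaces configured into the same site, and the site-local subnet ID lives in bits 48-63 of the address) and Hesham's point that a tunnel can carry a scoped address past a boundary, which is why the check is applied to the inner header of an encapsulated packet as well as the outer one.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed configuration (assumption): which site each router interface belongs to.
# eth0 and eth1 are in the same site; eth2 is in a different one.
SITES = {"eth0": "siteA", "eth1": "siteA", "eth2": "siteB"}

LINK_LOCAL = IPv6Network("fe80::/10")  # the single constant link-local prefix
SITE_LOCAL = IPv6Network("fec0::/10")  # site-local prefix as discussed in the thread


def scope_of(addr: str) -> str:
    """Classify an IPv6 address as link, site or global scope."""
    a = IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link"
    if a in SITE_LOCAL:
        return "site"
    return "global"


def subnet_id(addr: str) -> int:
    """Return the 16-bit subnet ID of a site-local address (bits 48-63).

    Site-local prefixes differ per link only in this field, whereas the
    link-local prefix has no such field and is the same on every link.
    """
    a = IPv6Address(addr)
    if a not in SITE_LOCAL:
        raise ValueError(f"{addr} is not site-local")
    return (int(a) >> 64) & 0xFFFF


def should_forward(dst: str, in_if: str, out_if: str, sites=SITES) -> bool:
    """Decide whether a router may forward a packet for dst from in_if to out_if."""
    scope = scope_of(dst)
    if scope == "link":
        # Hard-coded: there is never a reason to forward link-local traffic.
        return False
    if scope == "site":
        # A configuration decision: forward only between interfaces of one site.
        return sites.get(in_if) is not None and sites.get(in_if) == sites.get(out_if)
    return True


def should_forward_tunnelled(outer_dst: str, inner_dst: str,
                             in_if: str, out_if: str, sites=SITES) -> bool:
    """Apply the policy to both headers of an encapsulated packet.

    A check that looks only at the outer header would pass a global-scope
    tunnel whose payload is addressed to a link-local or foreign-site
    destination; checking the inner header closes that gap.
    """
    return (should_forward(outer_dst, in_if, out_if, sites)
            and should_forward(inner_dst, in_if, out_if, sites))


if __name__ == "__main__":
    # Constructed sample decisions.
    print(should_forward("fe80::1", "eth0", "eth1"))                 # False
    print(should_forward("fec0:0:0:5::1", "eth0", "eth1"))           # True
    print(should_forward("fec0:0:0:5::1", "eth0", "eth2"))           # False
    print(should_forward_tunnelled("2001:db8::1", "fe80::1", "eth0", "eth1"))  # False
```

The site map is the piece a real router would read from its configuration; the link-local rule needs no configuration at all, which is exactly the asymmetry Margaret points out.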
