> :-)
>
> Sorry if my note seemed condescending or something... I
> didn't mean it that way.

=> oh no I didn't interpret it that way, I just wanted to make sure that we talk about the same thing.

> >The point was: using tunnelling to evade scope boundaries.
> >This can be done in a zillion ways for different addresses,
> >if we're not careful how the tunnel is set up or if a malicious
> >node is inside the site and can fool the firewall (if one exists).
>
> I completely agree...
>
> The current discussion is (I think) attempting to compare the
> security implications of two ways of addressing a private
> network:
>
>   - Using site-local addresses that are filtered at
>     an SBR due to site configuration.
>   - Using global addresses that are filtered at the
>     border of the private address space using
>     routing filters.
>
> In neither case would the addresses being used on the private
> network appear in global routing tables.
>
> I still don't really understand why these cases are substantially
> different in terms of security...

=> I think that if you put Tony Hain's email together with Rich Draves' last email, you would get a good idea about why it's better and what the "default" should be. I think they both make sense. For a host, I think that the default should be 1 site per interface.

> Not that I'm claiming to be
> a security expert or anything, but I would like to understand
> what the differences are, if any.

=> Sure, I think most of the mails on this thread are clarifying this.

Hesham

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
