> You can't hardcode site-local address filtering in every router,
> or you won't be able to communicate inside a site.
>
> So the router will need to be configured, somehow, to block
> site-local addresses from being forwarded from one interface
> to another. And that configuration isn't any more inviolate
> than a traditional forwarding filter.
> To (try to) clarify: the SL filters can be defined by hardcoding them
> (basically just two trivial access-lists for example), but they cannot be
> _enabled_ except manually or by some rather complex logic.
> .. thus making the argument about the ease of use pretty much irrelevant
> IMO ..
Exactly.
It makes any argument that site-local filters are more "secure"
than global filters pretty much irrelevant, too...
If you can compromise the edge router and change its configuration,
you can get either intra-site global or site-local traffic to be
forwarded outside of the site.
Margaret
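To illustrate the point made in this exchange, here is a small toy model (added here, not code from the thread or from any router vendor) of a scope-aware forwarding check: the site-local filter really is just two trivial deny rules on a site-boundary interface, but the router cannot apply them until it is told which interfaces face the inside of the site. The interface names and addresses are constructed sample values.

```python
"""Toy model of an IPv6 router's site-local forwarding filter."""
import ipaddress

# fec0::/10 was the IPv6 site-local prefix (since deprecated by RFC 3879).
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def scope(addr: str) -> str:
    """Classify an IPv6 address by its scope."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local"
    return "global"


class Router:
    """interfaces maps interface name -> True if it faces the inside of the site.

    The site-local filter amounts to two trivial access-list entries on a
    site-boundary interface: deny site-local sources leaving, deny site-local
    destinations entering. It starts disabled because the router has no way of
    knowing which interfaces form the site boundary; that, like the filter
    itself, is configuration an attacker with router access could change.
    """

    def __init__(self, interfaces):
        self.inside = dict(interfaces)   # site membership is configuration
        self.site_local_filter = False   # must be turned on explicitly

    def enable_site_local_filter(self):
        self.site_local_filter = True

    def forward(self, src: str, dst: str, in_if: str, out_if: str) -> bool:
        """Return True if the packet may be forwarded from in_if to out_if."""
        if "link-local" in (scope(src), scope(dst)):
            return False  # link-local is never forwarded; needs no configuration
        crosses_site_boundary = self.inside[in_if] != self.inside[out_if]
        if self.site_local_filter and crosses_site_boundary:
            if scope(src) == "site-local" or scope(dst) == "site-local":
                return False  # the two 'trivial' deny rules
        return True
```

Until `enable_site_local_filter()` is called, site-local packets cross the boundary exactly like global ones, which is the thread's point that the filter is ordinary, mutable configuration.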
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------