On Wed, 30 Oct 2002, Margaret Wasserman wrote:
> > > You can't hardcode site-local address filtering in every router,
> > > or you won't be able to communicate inside a site.
> > >
> > > So the router will need to be configured, somehow, to block
> > > site-local addresses from being forwarded from one interface
> > > to another. And that configuration isn't any more inviolate
> > > than a traditional forwarding filter.
> >
> >To (try to) clarify: the SL filters can be defined by hardcoding them
> >(basically just two trivial access-lists for example), but they cannot be
> >_enabled_ except manually or by some rather complex logic.
> >
> >.. thus making the argument about the ease of use pretty much irrelevant
> >IMO ..
>
> Exactly.
>
> It makes any argument that site-local filters are more "secure"
> than global filters pretty much irrelevant, too...
>
> If you can compromise the edge router and change its configuration,
> you can get either intra-site global or site-local traffic to be
> forwarded outside of the site.
Totally agree; but I'd also add a simpler case: someone forgot to explicitly
configure (or like I did, when reading the spec -- assumed that it should get
done automatically) the site scope in the edge router(s). Whoops!

Watching the amount of spoofed traffic nowadays, most of which could be
prevented by proper filtering, doesn't give me any reassurance that people
would actually do this too.. and then wonder why their private site-local
address space has been compromised..

(Note that the above clarification implicitly considered multi-sited routers
out of scope: they will both have to be manually defined and manually taken
to use. Even the simple case is so difficult to do properly.)

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
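The boundary filter the thread argues about, as an added illustration (not from the mailing list or any router vendor): a small model of an edge router whose site-local access-lists are hard-coded but, exactly as Pekka describes, do nothing until the operator explicitly enables them. It assumes the IPv6 site-local unicast prefix fec0::/10 of RFC 3513 (since deprecated) and the interface names and addresses are constructed.

```python
"""Model of an edge router's site-local (SL) boundary filter."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List

# Assumption: site-local unicast prefix as defined in RFC 3513 (now deprecated).
SITE_LOCAL = IPv6Network("fec0::/10")


def is_site_local(addr: str) -> bool:
    """True if addr falls inside the site-local prefix."""
    return IPv6Address(addr) in SITE_LOCAL


@dataclass
class EdgeRouter:
    """Interfaces are tagged 'inside' (this site) or 'outside' (everything else).

    The two access-lists (SL source, SL destination) are present in the code,
    but they only act once sl_filter_enabled is set by the operator; the default
    mirrors the thread's failure case of a filter that was never switched on.
    """
    interfaces: Dict[str, str]            # constructed: name -> "inside"|"outside"
    sl_filter_enabled: bool = False
    log: List[str] = field(default_factory=list)

    def forward(self, in_if: str, out_if: str, src: str, dst: str) -> bool:
        """Return True if the packet is forwarded, False if the SL filter drops it."""
        crosses_boundary = self.interfaces[in_if] != self.interfaces[out_if]
        sl_involved = is_site_local(src) or is_site_local(dst)
        # Only traffic crossing the site boundary is filtered, so intra-site
        # site-local traffic keeps working (the hardcode-everywhere objection).
        if self.sl_filter_enabled and crosses_boundary and sl_involved:
            self.log.append(f"DROP {src} -> {dst} ({in_if} -> {out_if})")
            return False
        return True


def demo() -> Dict[str, bool]:
    """Same site-local packet, before and after the operator enables the filter."""
    r = EdgeRouter({"eth0": "inside", "eth1": "inside", "eth2": "outside"})
    leaked = r.forward("eth0", "eth2", "fec0::1", "fec0::2")   # filter defined, not enabled
    r.sl_filter_enabled = True
    blocked = not r.forward("eth0", "eth2", "fec0::1", "fec0::2")
    intra_site_ok = r.forward("eth0", "eth1", "fec0::1", "fec0::2")
    global_ok = r.forward("eth0", "eth2", "2001:db8::1", "2001:db8::2")
    return {"leaked_when_disabled": leaked, "blocked_when_enabled": blocked,
            "intra_site_ok": intra_site_ok, "global_ok": global_ok}
```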
