On Thu, 31 Oct 2002, Hesham Soliman (EAB) wrote:
>   > > => Are you saying that site-local traffic would start
>   > > leaking outside the site and routed globally? 
>   > > As in transient ISPs will just forward it? 
>   > 
>   > Of course the ISPs will forward them -- they (probably)
>   > haven't been configured to be part of any sites
> 
> => Forward them where?? I can't imagine BGP not filtering
> SLs coming from the downstream customers. Regardless
> of what the spec says. 

BGP is not the point.  Consider e.g.:

[attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]

Now the attacker can send packets with a fec0::/10 source address to the
customer -- no one before the customer itself will block them unless
they're explicitly configured as site borders.  And if the customer does
not block them, we're in for very serious trouble.

That seemed to be what everyone except me read the ADDRARCH paragraph to
imply.  I thought the attacker's first-hop router (or at the latest, the
attacker's edge router) should block these packets automatically.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
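
The path in the message above, modelled as an added example (this is not code from the thread or from any IETF document): each hop either is or is not explicitly configured as a site border, and only a site border drops traffic whose source or destination falls in fec0::/10. The router names, the `site_border` flag and the sample addresses are constructed for the illustration; the prefix itself is the one the thread discusses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The site-local prefix the thread is about.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Router:
    """A minimal forwarding node.

    `site_border` models "explicitly configured as a site border" from the
    message: an assumption of this example, not a real router knob.
    """
    name: str
    site_border: bool = False

    def forwards(self, pkt: Packet) -> bool:
        """Return True if this node forwards the packet.

        A node that is not a site border forwards everything, which is the
        behaviour the thread attributes to transit ISPs.  A site border
        refuses to carry site-local scope in either direction: neither a
        site-local source nor a site-local destination may cross it.
        """
        if not self.site_border:
            return True
        src = ipaddress.IPv6Address(pkt.src)
        dst = ipaddress.IPv6Address(pkt.dst)
        return src not in SITE_LOCAL and dst not in SITE_LOCAL


def trace_path(path: List[Router], pkt: Packet) -> Optional[str]:
    """Walk the packet hop by hop from the attacker's side toward the
    customer.  Return the name of the first router that drops it, or None
    if it arrives at the end of the path unfiltered."""
    for hop in path:
        if not hop.forwards(pkt):
            return hop.name
    return None


def scenario(customer_border: bool, attacker_edge_border: bool = False) -> Optional[str]:
    """The topology from the message:

        [attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]

    The attacker injects a packet with a fec0::/10 source (constructed
    sample addresses).  The flags say which operators have configured their
    edge as a site border; the transit ISP never is.
    """
    path = [
        Router("attacker-edge", site_border=attacker_edge_border),
        Router("transit-isp"),                      # not part of any site
        Router("customer-edge", site_border=customer_border),
    ]
    spoofed = Packet(src="fec0::1", dst="2001:db8::10")
    return trace_path(path, spoofed)


if __name__ == "__main__":
    print("customer does not filter  ->", scenario(customer_border=False))
    print("customer filters          ->", scenario(customer_border=True))
    print("attacker edge filters     ->", scenario(customer_border=True,
                                                   attacker_edge_border=True))
```

Run stand-alone, the three cases show the point of the message: with nobody configured as a site border the spoofed packet is delivered; configuring only the customer edge stops it, but only at the very last hop; a border at the attacker's own edge is what stops it early.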

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------