Margaret,

[you have not addressed the security issues?]

> I am _not_ operating under the assumption that all
> globally-unique addresses will appear in global routing
> tables.  If I want to have a private network, I should
> be able to get a globally unique (routable, but _not_
> necessarily globally routed) address, and _not_ have my
> ISP advertise that prefix into the global routing tables.

Problem is, nobody has bought this yet, because these addresses are PI,
whatever you might call them, and will be misused and leaked to the
defaultless table one day or the other, especially in the lack of a
multihoming solution.

> I actually _agree_ that it would be better if I could
> obtain provider-independent global addresses.  But
> perhaps that is a different fight for a different
> day...

I have co-authored a draft on the topic, but it's not going anywhere
anytime soon; in the meantime, deployment of IPv6 needs *something*
comparable to site-locals, or else people will hijack prefixes anyway.

> Site-local addresses could continue to be useful in
> networks that are not routed (at all) to the global
> network. This would include isolated sites, non
> Internet-connected sites within cars and planes, etc.

This needs to be clarified. How many "networks" or "sites" are in the
diagram below, not including the ISP nor the first router that I
included only for reference purposes?


<------------------- Global Addresses ---------------><-- SL addr -->
+-----+
| ISP |
+--+--+
   !
+--+-------+  +----------+     +----------+     +----------+
| Router A +--+ Firewall +--+--+ Firewall +--+--+ Router B +----+
+----------+  +----------+  |  +----------+  |  +----------+    |
                            |                |                  |
                        +---+--+          +--+---+         +----+----+
                        | DFZ  |          | Host |         | Control |
                        | Host |          +------+         | Device  |
                        +------+                           +---------+
               <---------------------- Network ---------------------->


In my reading, one. I am all for a draft or something that says that the
part that has SL addresses can never talk to anybody past the outside
firewall, but it needs to talk to the regular hosts that have global
addresses between the first firewall and router B, and possibly to the
DFZ hosts.

What concerns me is that this network would not be considered an
isolated network. Without getting in the details of stack implementation
and scopes, it does not appear impossible to me to have the two sides
communicate. I have configured many IPv4 sites that would match the
diagram above, replacing SLs with RFC1918, that did not have NAT, and
where the network's internal routing table contained both public and
private addresses. Someone still has to explain to me what's wrong with the
picture above.

Michel.
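As an added example (not from Michel's message or anything on the IPng list), here is the check a site operator would run on router A's export policy in the diagram above: site-local fec0::/10 and its RFC 1918 analogue may sit in the internal routing table next to global prefixes, but none of them may be offered on the ISP-facing session. Peer names and prefixes are constructed.

```python
import ipaddress

# Scopes under discussion in the thread: IPv6 site-local (fec0::/10) and the
# RFC 1918 space it is being compared to. fe80::/10 is listed so link-local
# routes are not silently treated as global. (Assumed classification; nothing
# here comes from the list archive.)
NON_GLOBAL = {
    "site-local": [ipaddress.ip_network("fec0::/10")],
    "link-local": [ipaddress.ip_network("fe80::/10")],
    "private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
}


def scope_of(prefix):
    """Return 'site-local', 'link-local', 'private' or 'global' for a prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    for label, nets in NON_GLOBAL.items():
        for scoped in nets:
            if net.version == scoped.version and net.subnet_of(scoped):
                return label
    return "global"


def audit_export(export, external_peers):
    """export: peer name -> prefixes sent to it. Only peers in external_peers
    (the ISP-facing sessions) are audited; an internal session is allowed to
    carry both scopes, exactly the mixed table Michel describes. Returns the
    prefixes per external peer that would leak out of the site."""
    leaks = {}
    for peer, prefixes in export.items():
        if peer not in external_peers:
            continue
        bad = [p for p in prefixes if scope_of(p) != "global"]
        if bad:
            leaks[peer] = bad
    return leaks


# Constructed sample: router A's uplink export and its internal session.
SAMPLE_EXPORT = {
    "isp-uplink": ["2001:db8:100::/48", "fec0:0:0:1::/64", "10.1.0.0/16"],
    "internal": ["2001:db8:100:7::/64", "fec0:0:0:1::/64"],
}

if __name__ == "__main__":
    for peer, bad in audit_export(SAMPLE_EXPORT, {"isp-uplink"}).items():
        print(f"{peer}: would leak {', '.join(bad)}")
```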
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------