Hi Margaret,
> Margaret Wasserman wrote:
> I don't understand this picture:
<------------------- Global Addresses ---------------><-- SL addr -->
+-----+
| ISP |
+--+--+
   !
+--+-------+  +----------+     +----------+     +----------+
| Router A +--+ Firewall +--+--+ Firewall +--+--+ Router B +----+
+----------+  +----------+  |  +----------+  |  +----------+    |
                            |                |                  |
                        +---+--+          +--+---+         +----+----+
                        | DFZ  |          | Host |         | Control |
                        | Host |          +------+         | Device  |
                        +------+                           +---------+
<---------------------- Network ---------------------->
> Is "Router B" the SBR?
I don't think so.
If you re-read postings a little earlier in this thread, this was the
second time I posted this diagram, and I asked you the very same
question the first time I posted it.
This is a semantic issue we have to clarify. Please refer to the
exchange that I had with Mark Smith recently. It all depends on whether you
define the site as being a geographical location, the span of the IGP of
the organization, or whatever. IMHO, the site would be more or less
what I call "network" in the diagram above. (I will skip for the moment
the discussion about Router A, or half of it, being part of the site or
not.)
On the other hand, one's reading could also be that the part that is on
the right of Router B, with site-local addresses, is one site, and the
left side is another site with global addresses. In this case, Router B
would indeed be the SBR.
The way I read the various documents out there is that there is nothing
that says that a site cannot have both global and site-local addresses.
IMHO, the SBR here should be either the outside firewall or router A.
I support the idea that a _subnet_ should not have both site-local and
global addresses, not a site. Please also read what I posted earlier
concerning deprecation.
> In this situation, why/how would "Router B" ever route any
> packets? The control device(s) will only have site-local
> addresses, so they can't send packets that will be routed
> by "Router B", nor can any systems to left of Router B
> (outside the site?) send packets to the control devices...
Here are the traffic requirements:
- The Internet can have some restricted access (http only) to the DFZ,
no more.
- The DFZ has extremely limited access to the hosts behind the inside
firewall and not at all to the control devices subnet.
- The hosts between Router B and the inside firewall can access the DFZ,
the Internet, and the control devices (generally speaking, as further
access-lists are likely to restrict this on a per-host basis).
- The control devices can talk to the subnet between Router B and the
inside firewall, no more. (Same here: some access-lists will limit
this.)
> What am I missing?
Nothing. If Router B is the SBR, you need it to route between two sites,
which is in contradiction with what site-locals do.
However, if Router B is not the SBR and the site extends to what is
labeled "network" on the diagram, I don't see why Router B would not
route packets, because yes, these packets would be routed between public
and site-local, but they would stay within the site.
There have been several posts that suggest that the wording "site-local"
is terrible, which is also my opinion. There have also been posts that
suggest that a "site" is more or less the same size as the
organization's IGP or the organization's administrative boundary, which
is a little blurry but is one of the possible definitions.
Michel.
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
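The four traffic requirements in the post, and the point that inside-to-control traffic mixes global and site-local addresses without leaving the site, can be written down as a small zone policy model. The following is an added example and is not code from the original post or from the mailing list; the zone prefixes are constructed placeholders (2001:db8::/32 is the documentation prefix standing in for the organization's global space, fec0::/10 is the site-local prefix of the time), the zone names and the `limited` service label are assumptions, and the post does not say which services the DFZ may use towards the inside hosts.

```python
"""Zone policy model for the Router A / firewalls / Router B diagram.

Added example, not part of the original post.  All prefixes are
constructed placeholders chosen for illustration.
"""
import ipaddress

# Site-local prefix as defined when the thread was written (fec0::/10).
SITE_LOCAL = ipaddress.ip_network("fec0::/10")

# Zones from the diagram, mapped to constructed placeholder prefixes.
ZONES = {
    "internet": ipaddress.ip_network("2000::/3"),         # any global address not in a site zone
    "dfz":      ipaddress.ip_network("2001:db8:1::/64"),  # DFZ host, between the two firewalls
    "inside":   ipaddress.ip_network("2001:db8:2::/64"),  # hosts between inside firewall and Router B
    "control":  ipaddress.ip_network("fec0:0:0:1::/64"),  # control devices, site-local only
}

ANY = frozenset({"*"})

# Allowed services per (initiator zone, responder zone), transcribed from
# the four traffic requirements.  Pairs not listed are denied.  "limited"
# for dfz -> inside is a stand-in label: the post only says "extremely
# limited" without naming services.
POLICY = {
    ("internet", "dfz"):    frozenset({"http"}),
    ("dfz", "inside"):      frozenset({"limited"}),
    ("inside", "dfz"):      ANY,
    ("inside", "internet"): ANY,
    ("inside", "control"):  ANY,
    ("control", "inside"):  ANY,
}


def zone_of(addr):
    """Longest-prefix match of an address to a zone name; None if unknown."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in ZONES.items():
        if ip in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def allowed(src, dst, service):
    """True if the policy lets src initiate `service` towards dst.

    Unknown zones are denied; traffic within one zone is not mediated by
    any firewall or router in the diagram, so it is returned as allowed.
    """
    pair = (zone_of(src), zone_of(dst))
    if None in pair:
        return False
    if pair[0] == pair[1]:
        return True
    services = POLICY.get(pair, frozenset())
    return "*" in services or service in services


def crosses_scope(src, dst):
    """True when one end is site-local and the other global: the case the
    post argues is still intra-site as long as both ends sit in 'Network'."""
    return (ipaddress.ip_address(src) in SITE_LOCAL) != \
           (ipaddress.ip_address(dst) in SITE_LOCAL)


def leaves_site(src, dst):
    """True when the flow touches the Internet zone, i.e. it crosses the
    site border (outside firewall or Router A in the author's reading)."""
    return "internet" in (zone_of(src), zone_of(dst))


if __name__ == "__main__":
    # Constructed sample flows, one per requirement plus the scope question.
    flows = [
        ("2000:abcd::1",     "2001:db8:1::80",  "http"),  # Internet -> DFZ, http
        ("2000:abcd::1",     "2001:db8:1::80",  "ssh"),   # Internet -> DFZ, anything else
        ("2001:db8:1::80",   "fec0:0:0:1::5",   "http"),  # DFZ -> control devices
        ("2001:db8:2::10",   "fec0:0:0:1::5",   "ssh"),   # inside host -> control device
        ("fec0:0:0:1::5",    "2000:abcd::1",    "http"),  # control device -> Internet
    ]
    for src, dst, svc in flows:
        print(f"{src:>16} -> {dst:<16} {svc:5}  allowed={allowed(src, dst, svc)!s:5} "
              f"crosses_scope={crosses_scope(src, dst)!s:5} leaves_site={leaves_site(src, dst)}")
```

Running the block shows the inside-host-to-control-device flow as allowed, crossing from global to site-local, and not leaving the site: that is the flow Router B would have to forward in the author's reading, and the one that would be illegal if Router B were itself the site border.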