Hi Michel,

<-------------------- Global Addresses ----------------><-- SL addr -->
+-----+
| ISP |    :
+--+--+    :
   !       :
+--+---------+  +----------+     +----------+     +----------+
| Router A : +--+ Firewall +--+--+ Firewall +--+--+ Router B +---+
+------------+  +----------+  |  +----------+  |  +----------+   |
           :                  |                |                 |
           :              +---+--+          +--+---+        +----+----+
           :              | DFZ  |          | Host |        | Control |
           :              | Host |          +------+        | Device  |
           :              +------+                          +---------+
---Site -->:<-------------------------- Site ------------------------->
           :

Yes, this makes more sense...

I think that this would be a perfectly legal network configuration
under the current scoped addressing architecture rules, and it
would result in outside hosts being unable to reach the control
devices.

However, I don't see that it offers any special security benefits
over putting the control devices on a separate subnet of the global
prefix and filtering that subnet in router A and the left-most
firewall.

Either way, if someone from the outside can hack into one of your
DFZ hosts (by which I assume you mean servers that are accessible
from the outside?), he can potentially reach your control devices.

Margaret

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------