Bob,

> Bob Hinden wrote:
> It seems to me that from a reachability point of view
> there isn't too much difference between using site-local
> addresses and having a firewall that blocks traffic from
> one set of global addresses and another.
This could be debated forever, and I don't think the discussion would be productive, as the security implications of site-local addresses are dealt with at layer 9. Here's an example:

- You are the security designer of a utility company.
- By using a combination of beginner's luck, skill, social engineering and other things, a 15-year-old manages to get into one of the breakers and shuts down power 15 blocks down Main Street. Not funny enough, so the kid goes bragging about it on some IRC channel and it makes it to the local newspaper.
- Suddenly your seat will become too hot for a certain part of your body.
- Worse, if someone trips in the dark and breaks their back, they're going to sue the company for negligence and your management will can that body part we were talking about earlier.

All of this for one reason. One. Because, in the aftermath of the outage, there is always going to be some security consultant to say to your senior management: "THIS WOULD NOT HAVE HAPPENED IF YOU USED PRIVATE ADDRESSES".

This reason alone is good enough for network managers to keep using private addresses, and they will continue doing it regardless of what half of this mailing list thinks.

Michel.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
