Bob Hinden wrote:
> 3) People who want to use site-local addresses should work on
> completing the "IPv6 Scoped Address Architecture" document (and other
> docs if needed). I think a good focus for this would be to focus on
> the simplest cases. Topics to cover need to include site border
> routers, adding site-local addresses in the DNS, routing protocols,
> the use of firewalls to enforce site boundaries, and guidelines on how
> applications might want to select between global and site-local
> addresses. The people in the other camp can review this work and make
> sure the technical content is accurate.
Here is my summary of how site local prefixes might be used, written from a high level perspective. Constructive criticism and additional use cases welcome.

Purpose:

The site local prefix is designed to allow numbering of leaf sites independent from the global internet. Three particular uses are envisaged:

- Experimental networks without connectivity to the global internet.
- Unconnected leaf networks.
- Networks with intermittent connectivity (e.g. dial-up networks).

If a network has a sufficiently persistent globally assigned prefix, this should be used instead of site local prefixes. Site locals should only be used if the network has no globally assigned prefix or if the global prefix is unreliable (dial-up with dynamically assigned prefix, roving hotspot device).

Note that site local prefixes have no requirement for global administration or registration, but are likewise not guaranteed unique, nor expected to be routeable outside the site.

Most of the complications with site local prefixes occur when a leaf network attempts to support both site local and global addresses.

Routing:

Within a "site", site-local addresses are propagated as any other unicast prefix. The boundaries of a site are marked by site border routers, which do not forward site local traffic from interfaces within a given site to other interfaces. Routers that are not intended to be part of a site should drop any site-local traffic.

Scope:

Site-local addresses are only valid within their site (as defined by border routers). Site local addresses that leak outside this scope may or may not be meaningful, and probably won't do what was expected or desired.

Routers and hosts are only expected to support one site local scope. Further subdivision of a site local address space should be done using the site local aggregate portion of the SLA address. Optional: can also subdivide based on bits 17-48.

Scope and Address selection:

Address selection for hosts is a difficult issue.
Destinations with only a global address (and hence probably outside the site) should be addressed using that address, and the source address should also be global. Traffic destined for outside the site should fail if a site-local source address is used.

Destinations with both global and site local addresses (internal hosts) can be accessed using either. Assuming that a site local exists because the global address is not persistent, internal only applications should favour site local addresses. Applications that may include external hosts need to use global addresses.

Note: This is IMO the real sticking point of site locals. Globally unique non-routeable addresses have exactly the same problem. Filtering globally unique routeable addresses is worse, since the reduced scope is hidden from the application.

Merging:

If two sites using site locals merge, renumbering may be required (since the addresses are not globally unique). IPv6 networks should be designed to support renumbering, and various mechanisms exist to do this.

Security:

Site local addresses provide no inherent security benefits, except that hosts "know" that site local traffic shouldn't be routed outside the site. A variety of tunnelling mechanisms can break scoping, and thus this security.

Naming:

I have some ideas, but for now see: draft-williams-dnsext-private-namespace-01.txt for a site-scoped naming proposal. This can easily be integrated with scoped addressing, where queries to a site-local domain (hosted on a site-local nameserver) provide both local and global addresses, while queries to a global domain provide only global addresses.

--
Andrew White
[EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
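The Routing, Scope and address selection rules in the post above, worked through as an added Python example (this is not code from the post or from the IPng working group). It assumes the site-local prefix fec0::/10 and link-local fe80::/10 as defined in the IPv6 addressing architecture of the time, the 16-bit subnet (SLA) ID field at bits 48-63 of the RFC 2373 site-local format, and hypothetical helper names (scope_of, subnet_id, border_router_forwards, select_pair) and hypothetical site labels ("hq", "isp") chosen for illustration. Every address below is constructed sample input.

```python
import ipaddress

# Scoped prefixes (RFC 2373/3513 era): site-local fec0::/10, link-local fe80::/10.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def scope_of(addr):
    """Classify an IPv6 address as 'link-local', 'site-local' or 'global'.
    Anything outside the two scoped prefixes is treated as global here."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local"
    return "global"


def subnet_id(addr):
    """Return the 16-bit subnet (SLA) field, bits 48-63, of a site-local
    address: the field the post proposes for subdividing a site."""
    a = ipaddress.IPv6Address(addr)
    if a not in SITE_LOCAL:
        raise ValueError("not a site-local address: %s" % addr)
    return (int(a) >> 64) & 0xFFFF


def border_router_forwards(src, dst, in_site, out_site):
    """Site border router rule from the post: never forward site-local traffic
    from an interface in one site to an interface in a different site.
    in_site / out_site are hypothetical labels the operator assigns to the
    ingress and egress interfaces; None marks an interface that belongs to no
    site (such a router drops all site-local traffic).
    Returns (forward, reason)."""
    src_scope, dst_scope = scope_of(src), scope_of(dst)
    if "link-local" in (src_scope, dst_scope):
        return False, "link-local addresses are never forwarded"
    if "site-local" in (src_scope, dst_scope):
        if in_site is None or out_site is None:
            return False, "router is not part of a site: site-local traffic dropped"
        if in_site != out_site:
            return False, "site-local traffic must not cross the site boundary"
    return True, "forwarded"


def select_pair(dst_addrs, src_addrs, internal_only):
    """Pick a (source, destination) pair following the post's selection rules:
    - a global-only destination gets a global source (fail if we have none);
    - a destination with both kinds: internal-only applications favour
      site-local, applications that may talk to external hosts favour global.
    Returns None when no permissible pair exists, i.e. the connection should
    fail rather than leak a site-local source address outside the site."""
    def by_scope(addrs, scope):
        return [a for a in addrs if scope_of(a) == scope]

    dst_site, dst_glob = by_scope(dst_addrs, "site-local"), by_scope(dst_addrs, "global")
    src_site, src_glob = by_scope(src_addrs, "site-local"), by_scope(src_addrs, "global")
    if internal_only and dst_site and src_site:
        return src_site[0], dst_site[0]
    if dst_glob and src_glob:
        return src_glob[0], dst_glob[0]
    if dst_site and src_site:      # only a site-local path exists
        return src_site[0], dst_site[0]
    return None                    # e.g. global destination but only a site-local source


if __name__ == "__main__":
    # Constructed packets seen by a hypothetical border router between site
    # "hq" and the provider-facing interface "isp".
    packets = [
        ("fec0:0:0:1::1", "fec0:0:0:2::1", "hq", "hq"),    # intra-site: forwarded
        ("fec0:0:0:1::1", "2001:db8::9", "hq", "isp"),     # leaks site-local source: dropped
        ("2001:db8::1", "2001:db8:1::1", "hq", "isp"),     # global to global: forwarded
    ]
    for src, dst, i, o in packets:
        print(src, "->", dst, border_router_forwards(src, dst, i, o))
    print("subnet of fec0:0:0:ab12::1 =", hex(subnet_id("fec0:0:0:ab12::1")))
    print(select_pair(["fec0:0:0:1::5", "2001:db8::5"],
                      ["fec0:0:0:1::1", "2001:db8::1"], internal_only=True))
```

The border router check keys only on the address scopes and interface labels, which is exactly what the post says a site border router has to go on; the selection routine makes the "traffic destined for outside the site should fail if a site-local source address is used" rule explicit by returning None instead of silently picking the site-local source.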
