On Thu, 7 Nov 2002, Margaret Wasserman wrote:
> > > existence of IPv6 firewalls, then these firewalls can also enforce site
> > > boundaries.
> >
> >Sure, but that is not sufficient to satisfy addr-archv3 2.5.6 last
> >paragraph IMO.
>
> Why not?
>
> If a router is not on a site-boundary, it doesn't need to do anything
> to enforce site boundaries. In Bob's example, the firewall would be
> the site border "router", and it would enforce the boundary.
>
> I don't see a conflict.

Perhaps I should have been more verbose.

What I meant to say is that to implement site-locals properly in a router,
the vendor should not be OK to say "we support access-lists, you can use
them to configure site-local borders" or that "we have nice firewall
products, wanna buy one?".

That doesn't seem to be in the spirit of site-local addressing, and I
could imagine a significant percentage of site-local users wouldn't do
these steps properly, leading to a false sense of security.

(Thus one factor in the argument that site-locals in with global networks
are bad.)

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
