On Thu, 7 Nov 2002, Keith Moore wrote:
> > What I meant to say that to implement site-locals properly in a router,
> > the vendor should not be OK to say "we support access-lists, you can use
> > them to configure site-local borders" or that "we have nice firewall
> > products, wanna buy one?".
>
> I'm not sure about that. Having routers try to automagically determine
> site boundaries sounds nice, unless there are cases where it will fail.
> If the latter is true, then requiring explicit filter configuration seems
> like the way to go.

.. which brings me back to my original point that the spec text should be written in such a fashion that people don't expect the site-local filters to "just work", but that people need to do it themselves.

I'm not sure if folks really understand the security implications (or lack thereof) when dealing with site-locals, and the spec doesn't make it any better.

-- 
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
