On Thu, 7 Nov 2002, Brian Haberman wrote:
> Pekka Savola wrote:
> > On Thu, 7 Nov 2002, Keith Moore wrote:
> >
> >>>What I meant to say is that to implement site-locals properly in a router,
> >>>the vendor should not be OK to say "we support access-lists, you can use
> >>>them to configure site-local borders" or that "we have nice firewall
> >>>products, wanna buy one?".
> >>
> >>I'm not sure about that. Having routers try to automagically determine
> >>site boundaries sounds nice, unless there are cases where it will fail.
> >>If the latter is true, then requiring explicit filter configuration seems
> >>like the way to go.
> >
> > .. which brings me back to my original point that the spec text should be
> > written in such a fashion that people don't expect the site-local filters
> > to "just work", but that people need to do it themselves.
> >
> > I'm not sure if folks really understand the security implications (or
> > lack thereof) when dealing with site-locals, and the spec doesn't make it
> > any better.
>
> The original intent in the scoped addr arch was that the site-local
> zone id would indicate which interfaces are within a site. The
> filtering between sites is handled by the forwarding code.
>
> Vendors that support these zone ids will have default values for the
> zone ids. If the vendors don't support the zone ids, the box will
> be unable to act as a SBR unless the user builds the filters.

I expect many routers will be used at the border of a site and the global
internet which do not implement the scoped addr arch draft/document, at
least in full.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
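The forwarding behaviour the thread argues about, as an added illustration that is not code from the list or from any vendor: a router that understands site zone ids drops site-local traffic (fec0::/10) crossing zones in its forwarding path, while a router without zone support leaks it unless the operator has built an explicit filter. Interface names, zone ids and the `filter_site_local` flag are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Site-local unicast prefix discussed in the thread (later deprecated).
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


@dataclass
class Interface:
    name: str
    # Site zone id from the scoped address architecture; None models a
    # router that does not implement zone ids at all (hypothetical field).
    site_zone: Optional[int] = None
    # Operator-built filter ("use access-lists") on this interface.
    filter_site_local: bool = False


def is_site_local(addr: str) -> bool:
    return ipaddress.IPv6Address(addr) in SITE_LOCAL


def forward(src: str, dst: str, ingress: Interface, egress: Interface) -> Tuple[str, str]:
    """Decide whether a packet may be forwarded from ingress to egress.

    Returns (verdict, reason); verdict is "forward" or "drop".
    """
    if not (is_site_local(src) or is_site_local(dst)):
        return "forward", "global addresses, scope rules do not apply"

    # Zone-aware box: the forwarding code compares the two interfaces' zones,
    # so no separate filter configuration is needed.
    if ingress.site_zone is not None and egress.site_zone is not None:
        if ingress.site_zone == egress.site_zone:
            return "forward", "both interfaces in site zone %d" % ingress.site_zone
        return "drop", "site-local packet would cross a site zone boundary"

    # No zone support: the box is only a site border router if the
    # operator built the filter. Otherwise site-local traffic leaks.
    if ingress.filter_site_local or egress.filter_site_local:
        return "drop", "explicit site-local filter on interface"
    return "forward", "no zone ids and no filter: site-local traffic leaks"


if __name__ == "__main__":
    inside, upstream = Interface("eth0"), Interface("eth1")  # no zone support
    print(forward("fec0::1", "fec0::2", inside, upstream))  # leaks
    upstream.filter_site_local = True
    print(forward("fec0::1", "fec0::2", inside, upstream))  # dropped by filter
```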
