I agree that in practice to reduce complexity, site-local boundaries should align with security boundaries.
To retain the "convexity" property needed for sites, the site boundaries also have to align with routing protocol area boundaries.
So, in order to make the use of site-local addressing less complex, we will need to force site boundaries, security boundaries, "two faced" DNS boundaries and routing protocol area boundaries to coincide. And, these boundaries have to be in the middle of nodes, not on links.

Is this acceptable? I realized that this may be common for simple leaf networks, but would it even work in a complex network?

The inter-node boundary doesn't really work for some routing protocols that have their area boundaries on links (IS-IS and BGP), so we will be forced to use unnumbered "dummy sites" to make those protocols work properly across site boundaries. Will this be compatible with the security and "two faced" DNS boundaries?

How would a site-border node (which exists in multiple sites), that has no knowledge of which site a particular domain name belongs to, decide which interface to use to send a DNS request? Does it need to try more than one and somehow combine or choose between the results?

If a site-border node sends a DNS request and receives a site-local address in return, how does it know in which of its attached sites the site-local address is valid? Some people have stated that it can use the zone ID of the interface on which the DNS response is returned, but I think that this would only work if the "two faced" DNS server is topologically located inside the site. Is that a reasonable restriction?

I am personally somewhat uncomfortable with the idea of all of these boundaries being tied together like this. In particular, I thought that the DNS hierarchy was intentionally supposed to be independent of routing topology...

Margaret

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
