> Access control is one aspect of what SL provides.

SL provides no benefits for access control that are not provided by the ability to filter globals, and you need to do this anyway.

> and enterprise
> managers can filter without having to go into detail about which
> specific devices on a subnet are allowed in or not.

SLs don't help you filter on a subnet basis - because they don't give you any granularity beyond a 'site'. If you want to filter on a subnet basis you are back to explicit prefix matching.

*Of course* it can be a pain to manage filters for specific devices. But this is every bit as much a pain with SLs as it is with globals. SLs are orthogonal to this issue.

(and no, it's not acceptable to hand out globals and SLs to some devices on a network and only SLs to others - both because this breaks apps, and because it has security holes.)

> What some on the list are having a hard time with is the concept that it
> can be challenging to explicitly list every device that is not allowed
> access from the public Internet when networks get to be large.

What some on this list are having a hard time figuring out is that SLs don't help you with this problem.

> One might argue that for router requirements, there should be a MUST NOT
> propagate the SL prefix into BGP. At a very minimum this should cause an
> 'are you sure' message.

One might argue that for application requirements, there should be a MUST NOT mix SLs and globals on the same network. At the very minimum the application should display a warning message that the network is misconfigured.

Keith

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
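The granularity argument above (a site-local address tells a filter only "this is inside the site", while subnet-level decisions need explicit prefix matching) can be shown directly. The following is an added illustration, not code from the message or the IPng working group. It uses the site-local prefix fec0::/10 from RFC 3513, and a constructed site layout: an assumed global prefix 2001:db8:1::/48 (documentation space) with subnets numbered 10, 20 and 30, where subnet 30 is the one the administrator wants kept away from the filtering point.

```python
import ipaddress

# Site-local unicast prefix as defined in RFC 3513 (later deprecated by RFC 3879).
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


def is_site_local(addr: str) -> bool:
    """The only question a site-local address answers: is it inside fec0::/10?

    Every subnet of the site gives the same answer, so this cannot tell
    subnet 10 from subnet 30.
    """
    return ipaddress.IPv6Address(addr) in SITE_LOCAL


def build_prefix_filter(rules):
    """Compile an ordered prefix list into a first-match-wins decision function.

    rules: iterable of (prefix_string, action) with action "permit" or "deny".
    Unmatched addresses fall through to the default, which is "deny" so that
    anything not explicitly listed is kept out.
    """
    compiled = [(ipaddress.ip_network(p, strict=False), action) for p, action in rules]

    def decide(addr: str, default: str = "deny") -> str:
        a = ipaddress.ip_address(addr)
        for net, action in compiled:
            if a in net:
                return action
        return default

    return decide


# Constructed rule set (hypothetical site, not from the message): the same
# subnet numbering is used under the global prefix and under site-local, and
# subnet 30 is denied explicitly. Note that the subnet decisions are made by
# explicit /64 prefixes; the site-local line at the end only adds site-wide
# scope, exactly as a global /48 line does.
RULES = [
    ("2001:db8:1:30::/64", "deny"),
    ("fec0:0:0:30::/64", "deny"),
    ("2001:db8:1::/48", "permit"),
    ("fec0::/10", "permit"),
]

subnet_filter = build_prefix_filter(RULES)


def compare(addr: str) -> dict:
    """Side by side: what a site-local check says vs. what the prefix filter decides."""
    return {"site_local": is_site_local(addr), "decision": subnet_filter(addr)}


if __name__ == "__main__":
    for sample in ("fec0:0:0:10::1", "fec0:0:0:30::1",
                   "2001:db8:1:10::1", "2001:db8:1:30::1", "2001:db8:2::1"):
        print(sample, compare(sample))
```

Both site-local hosts report `site_local=True`, so a filter built on that property alone admits subnet 30 along with subnet 10; only the explicit `/64` entries separate them, and those entries are just as necessary, and just as much work to maintain, under the global prefix.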
