Roy Brabson wrote:
> ...
> So, instead of filtering global addresses at the firewall, you go to each
> individual box in the network which you want to restrict access to/from
> and configure it to only use restricted (i.e., site-local) addresses? And,
> as a bonus, you get to deal with all the complexity and problems which are
> introduced when using site-locals in a non-isolated environment. How,
> exactly, does this improve anything?

It aligns access policy with the device rather than a difficult to manage table at every edge of the network. This is much simpler at scale.

The only complexity that SL introduces in the environment is for apps that do literal rather than name based referrals. If they are written to preclude that referral when it involves a SL prefix, the issue becomes one of the network manager deciding if the app should work (thereby assigning a global), or should be broken by the SL filtering.

The arguments against SL boil down to not liking the fact that network managers will do filtering.

Tony

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
