> First, site-locals offer better security than a single firewall, because
> typically there will be multiple routers on the path between an attacker
> and a customer site, all filtering site-locals. Second, I agree that
> strong security is great and we should work towards it. But "defense in
> depth" argues for having multiple security mechanisms, so even with
> strong security I think site-locals and firewalls have a place.

This assumes that ISPs will use site-locals. So far I haven't seen any
claims of benefits for ISPs to configure site boundaries and use
site-local addresses in their network.

If the ISPs don't use it, the only boundaries would be at the attacker
(which might be able to control its site boundary) and at the attacked
site, thus no additional depth.

Any ISPs care to comment on this?

  Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
