> > Perhaps more importantly, I don't buy the argument that *any* set of
> > addresses should be considered trustworthy, by default or otherwise.
> > Addresses are simply not sufficient as an authentication mechanism.
> > This is not a practice that IETF standards should endorse or encourage.
> 
> I certainly agree with your first point: considering a block of addresses
> trustworthy is silly. What site locals give you is a component of "defense in
> depth": if an application listens only to local scope addresses, it will not
> receive any packet that comes directly from the Internet. Like it or not, that
> is a sizeable risk reduction, even if it is indeed possible to receive packets
> from a compromised local host, or from a clandestine attachment to the local
> network. 

you have not demonstrated that this is a sizable risk reduction.  
another problem with this argument is that it doesn't consider the
increase in risk that comes with using site locals, due to the
impaired ability to detect external traffic.  essentially if you
are trusting site locals then you are trusting the filters on the
border router with no way to verify whether they are working.

> But clearly, that is not sufficient: applications shall indeed check
> the credentials of their remote users, not just the addresses.

applications need to check the credentials of *all* users.  trusting
any address is a security hole.  it prevents the very "defense in depth"
you are claiming is an advantage of site locals.

Keith
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
