> Let's take two steps back, stop discussing possible solutions for a
> moment and discuss the problem statement. I'd like it to be possible for
> an enterprise to:
>
> - Have resources (i.e. nodes or services) that are accessible
>   only to sub-groups within the enterprise (i.e.
>   departments). Example: a printer that only marketing
>   is allowed to use.
> - Have resources that are available to the whole enterprise,
>   but that are not accessible outside the enterprise.
>   Example: An HR benefits website.
> - Have resources that are available on an extranet (between a
>   selected group of enterprises) that are not accessible
>   to all other enterprises. Example: A supplier/customer
>   network.
> - Have resources that are globally available, and be able to
>   send global traffic. Example: Google.
>
> All of these things can be achieved without site-locals, using
> provider-allocated global addresses and appropriate configurations of
> firewalls, ACLs, route filtering and split DNS.

I don't see why the above requires a split DNS, since the addresses are
global. A split DNS is only needed if there is a need to return different
information for the same name (e.g. an internal vs. external
www.example.com) or a need to hide some information from one side (e.g.
not "expose" the IP addresses of all the internal nodes to the outside).

> However, some people have argued that network administrators will
> choose to use site-locals at one of these boundaries (probably the
> enterprise-wide boundary) in order to achieve ISP independence. In
> other words, they want to make sure that they don't have to renumber
> their internal firewalls, ACLs, etc. if they change ISPs and/or
> their ISP renumbers.
>
> This is a real issue, and a real benefit of site-local addressing.

I don't think it is.

We envision that a significant fraction of future nodes will be mobile.
Assuming that they use mobile-ip technology, the current support for
site-local means that unless it is known that they will not move outside
their home site, they need to always use global addresses - whether they
are in the home site or not. (It isn't impossible to fix this - an old
draft-ietf-ipngwg-site-prefixes draft had worked out cases for the fix -
but it gets very very complex.)

Thus I think site-locals provide rather limited support for isolating the
nodes inside the site from site renumbering.

> Are there other problems that NATs solve for the home environment
> that we need to find an architecturally sound way to solve in IPv6?
> I don't really know.

People seem to want PI addresses because it avoids applications having to
deal with addresses being renumbered. We also need scalable site
multihoming.

If we actually get a workable solution to separating identifiers and
locators (and IMHO the hardest problem lies in the system which manages
the mapping between the identifiers and the locators), then I observe that
this should be able to remove the need for GUPI (just use the identifiers
locally) and provide something which looks like PI space to the
applications.

Granted that this is a hard problem, but we seem to be spending emails on
multiple subsets of this problem (in different WGs), thus I think it would
be worthwhile to concentrate thinking on the identifier/locator separation
problem.

   Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
