BAUDOT Alain FTRD/DMI/CAE wrote:

<SNIP>
> > BAUDOT Alain FTRD/DMI/CAE wrote:
> > > I actually don't understand why renumbering would be 
> > > necessary while moving from disconnect to connect state.
> > > Do you make the assumption that only a single address must be used?
> > 
> > Because fec0:: (Site-local) would be used by many sites and
> > is not routable? or do you mean that the site actually runs
> > with a /48 from its upstream, disconnects temporarily and
> > then reconnects while retaining the same space?
> 
> I mean site local has a local scope, so why renumbering to global scope
> and not just leave as it is, and then having global, site-local and 
> link-local addresses ? This actually refers to the moderate model.
> Unless using a single address for everything is for some reasons
> preferable.

But how is an application going to know which prefix to choose?
Is it going to do this based on the destination prefix?
Is this going to happen in the application or by the stack?

Onlink is easy fe80::/10 and you need to specify scope to make
it work anyways. But how about sitelocal in this case?
  
> > > I think one may need/want to use both site-local addresses (for local
> > > traffic exactly the same way as during disconnect state) and global
> > > addresses (for external connections) together with address selection.
> > > In that case there is no need for NAT boxes, although that may be used
> > > anyway. Then, renumbering will happen only when changing of ISP.
> > 
> > How is your application going to differentiate between
> > site-local... oh wait, the application is going to need
> > to differentiate to some address space in some cases but
> > not all and clearly totally undefined. And you don't want
> > to go even near NAT. Otherwise you will have to fix up
> > all those protocols which carry IP addresses inside them.
> > One of the major contenders: H323.
> 
> The application will select local scope for local destination (e.g.
> Intranet) and global scope for destination having global addresses.
> Indeed H.323 applications most probably will have a global scope,
> and so, must use global addresses.

On most routing platforms it's possible to set a loopback IP.
Thus specifying that per default that IP should be used as an
'outgoing' address. Are you suggesting to have 2 of these?
One for site and one for global scope? Thus if a destination
prefix matches sitelocal scope that it uses the sitelocal IP?

> > If you imply NAT I think one can better stay at IPv4 where
> > you don't have end-to-end communications either. Which
> > was the reason otherwise that there are 128bits in the addresses?
> 
> The idea is to avoid any use of NAT (that I definitely do NOT like),
> while using the capability of multiple addresses per interface,
> IPv6 offers. One frequent benefit expected from private
> addressing (I agree it is more or less true) is related to
> use of non routing space, that is supposed to provide some
> security means.

Some evil BOFH's and probably some others before them invented
nullroutes for that purpose :) And of course firewalling.
I don't think anybody should ever relate Site Local to secure.
If some $company gets the idea that Site Locals are 'secure'
then all of a sudden their boxes will show with
'Uses site local thus is secure' which is, like you say yourself
not true of course.

> Since IPv4 enables to use only one address per interface,
> NAT becomes necessary for external communication.

Even an NT4 box sports multiple IPs per interface.
Linux kernels sport so called aliases and most if not all
other OS's will have similar features (Keeping Win9x out of the
equation).

> This limitation does not exist with IPv6, and just want
> to benefit from it, that's all. 

There is a problem with multiple addresses in the
'which outgoing address to choose' case. Especially when
a good ISP refuses to route any packets with a source which
is not on that interface (RPF).

> One may imagine an enterprise network, for example, having 
> nodes of local scope only (e.g. Intranetserver) and nodes
> needing both local and global

local on link or local in site? eg:

www.intranet.example.com 2001:db8:222::80 (2001:db8:222::/48 is 'private')
www.internet.example.com 2001:db8:444::80 (2001:db8:444::/48 is 'global')

If a host only has one address it will simply use that.
If a host has multiple ones it will match the destination address
and use that as an outgoing address. I even think that this
is currently already the case with most stacks. Only thing
to 'worry' about is when you have multiple addresses like above.

> > > On the other hand, site-local provides a global non-routable address
> > > space, that may be very useful for addressing nodes (e.g. an ISP
> > > back-bone) that definitely do not need to be addressed from the outside.
> > 
> > If you are an ISP you have a TLA with loads of /64's.
> > Use those and apply some firewalling & non-routing to
> > create *globally unique* non-routable address space.
> > So if you merge/connect one day you won't have to renumber.
> > 
> Sure, it is possible this way. But a globally non-routing space
> preventing any undesirable packet coming from the whole Internet,
> sounds much better.

If one really really wants a separate block which should never
be seen anywhere on the public internet then at least make it
possible to uniquely register this space in some way.
This will avoid many of the problems which will arise when
two 'private' networks merge as they are globally unique.

If people can't be educated to maintain & update their
software/firewalls etc there is little use IMHO.
Just take a look at all the complaints about 69/8...
And not even talking about that 3ffe:1f00::/24 ghost
route that wandered in the IPv6 routing tables without
anybody complaining about it, nor responding to enquiries.
But the invisible forces that be made sure that it
vanished after exactly a month.

Greets,
 Jeroen


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
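
Added example, not part of the original message: a sketch of the source-address choice discussed in the thread (match the destination's scope, then the longest shared prefix) followed by the strict RPF check an upstream applies. The scope ranks and tie-break are a simplification modelled on default address selection (RFC 6724); the host addresses and the single upstream prefix are constructed assumptions built on the two /48s quoted in the message.

```python
import ipaddress

def scope(addr):
    """Scope rank of an IPv6 unicast address: 2 link-local, 5 site-local, 14 global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:      # fe80::/10
        return 2
    if a.is_site_local:      # fec0::/10
        return 5
    return 14

def common_prefix_len(a, b):
    """Number of leading bits the two addresses share."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()

def select_source(dst, candidates):
    """Prefer the smallest scope that still covers the destination's scope,
    then break ties by the longest prefix shared with the destination."""
    d = scope(dst)

    def rank(src):
        s = scope(src)
        return (s >= d, -s if s >= d else s, common_prefix_len(src, dst))

    return max(candidates, key=rank)

def strict_rpf_accepts(src, delegated_prefix):
    """Upstream check: forward only sources inside the prefix routed to this link."""
    return ipaddress.IPv6Address(src) in ipaddress.IPv6Network(delegated_prefix)

# Constructed host: one address per scope, plus one in each /48 from the message.
HOST = ["fe80::10", "fec0:0:0:1::10", "2001:db8:222::10", "2001:db8:444::10"]
UPSTREAM = "2001:db8:444::/48"   # assumption: the only prefix the ISP routes back

if __name__ == "__main__":
    for dst in ["fe80::1", "fec0:0:0:1::80", "2001:db8:222::80",
                "2001:db8:444::80", "2001:db8:1::1"]:
        src = select_source(dst, HOST)
        verdict = "pass" if strict_rpf_accepts(src, UPSTREAM) else "drop"
        print(f"dst {dst:18} -> src {src:18} upstream RPF: {verdict}")
```

The last destination (constructed, outside both /48s) shows the case the message calls the thing to 'worry' about: prefix matching alone picks the 'private' 2001:db8:222::10, which a strict-RPF upstream drops.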