Tony Hain [mailto:[EMAIL PROTECTED]] wrote:

> Jeroen Massar wrote:
> > Brian McGehee [mailto:[EMAIL PROTECTED]] wrote:
> >
> > > *Notes below
> > >
> > > * I agree "NAT != SL"! Except in the case that hosts need "global"
> > > connectivity and they ONLY have a SL address will require
> > > NAT. Or they should have a second IPv6 globally unique unicast address
> > > (which isn't that hard to have multiple addresses???)
> >
> > Use a firewall to block incoming packets.
>
> Brian is right, having a second prefix is what they should do.

Could do, it's another solution to their problem.

> > > * I can envision an enterprise environment that is comfortable using
> > > FEC0::/10 for internal communications but a host has a globally unique
> > > address also for external communications (on hosts that have this
> > > necessity) This could be comfortable to a network admin/ops/noc.
> >
> > Then don't route a certain prefix.
>
> Using filtering on a single global prefix does not work when nodes that
> need external access are on the same segment with those that shouldn't
> have it. Prefix filtering is the answer, but the prefix to filter is
> FEC0::/10.

Any rationale why it should be fec0::/10 and not just a prefix picked by the administrator from the /48 they already have? Firewalling is firewalling, even if one filters fec0::/10 or 2001:db8::/32 it doesn't change a bit in implementation or use.

Greets,
 Jeroen

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
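
The border prefix filter discussed in this thread, as an added example that is not part of the original messages: it evaluates one filter with fec0::/10 and then with an administrator-chosen block from the site's /48, for two hosts sharing a segment. All prefixes, host addresses and function names are constructed for illustration.

```python
import ipaddress

# All values below are constructed for illustration.
SITE = ipaddress.ip_network("2001:db8:1234::/48")             # site's global /48
SITE_LOCAL = ipaddress.ip_network("fec0::/10")                # option A: filter site-local
ADMIN_PICK = ipaddress.ip_network("2001:db8:1234:ff00::/56")  # option B: admin-chosen block
GLOBAL_LINK = ipaddress.ip_network("2001:db8:1234:1::/64")    # global prefix on the segment
EXTERNAL = "2001:db8:ffff::80"                                # a host outside the site


def border_verdict(src, dst, direction, internal_only):
    """Prefix filter at the site border; direction is 'out' or 'in'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in internal_only or dst in internal_only:
        return "drop"                        # internal-only prefix never crosses
    inside, outside = (src, dst) if direction == "out" else (dst, src)
    if inside in SITE and outside not in SITE:
        return "forward"
    return "drop"                            # spoofed or non-site address


def external_access(addresses, internal_only):
    """True if any address the host holds can exchange packets with EXTERNAL."""
    return any(
        border_verdict(a, EXTERNAL, "out", internal_only) == "forward"
        and border_verdict(EXTERNAL, a, "in", internal_only) == "forward"
        for a in addresses
    )


def segment_policy(internal_link, internal_only):
    """Two hosts on one segment: the printer holds only an internal address,
    the workstation holds an internal address and a global one."""
    printer = [internal_link[0x10]]
    workstation = [internal_link[0x20], GLOBAL_LINK[0x20]]
    return {
        "printer": external_access(printer, internal_only),
        "workstation": external_access(workstation, internal_only),
    }


if __name__ == "__main__":
    a = segment_policy(ipaddress.ip_network("fec0:0:0:1::/64"), SITE_LOCAL)
    b = segment_policy(ipaddress.ip_network("2001:db8:1234:ff01::/64"), ADMIN_PICK)
    print("filter fec0::/10        :", a)
    print("filter admin-chosen /56 :", b)
```
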
