Margaret Wasserman wrote:

> ...
> Access control is also useful, and a simple form of access
> control will be needed in IPv6. However, site-local
> addresses are a poor form of access control for two reasons:
>
> - Site-local boundaries need to be at routing area
> or AS boundaries (not convenient).

This is bogus nonsense.

> - Site-local areas cannot be nested.
>
> So, you can't have a site-local access control boundary for
> your corporate site, AND a site-local access control boundary
> that only allows the marketing department to use the fancy printer.

Within the site, there is no difference between the filtering characteristics of SL & any other prefix. If your argument is that a site can't have multiple subnets with the same prefix, well that is self-evident.

> Both Steve Bellovin and Brian Zill have proposed superior
> access control mechanisms based on information being passed
> in router advertisements, and I think they plan to combine
> their proposals into a single, maximally beneficial, form.

They are not superior access control mechanisms. They result in exactly the same architectural state where some addresses on a subnet are private while others are global. These mechanisms could just as easily announce an FEC0 prefix, and the resulting internal filtering would be identical. What they lose is the ability to know that the peer networks have implemented the same filter as a backup.

> The intermittently-connected site problem is often raised as
> a reason for site-locals. This is an interesting problem,
> and it would be very good to solve this problem, but
> site-locals do not provide a complete solution.

You make statements like this without any explanation or justification. Stable addresses that persist across multiple connect/disconnect events to different providers are in fact one problem that the current SL approach completely solves.

> And, recent
> models for site-local usages (including "moderate" and
> "limited") don't provide a solution for this case at all, as
> they would reverse the preference for site-local addresses
> over global addresses in the address selection rules.

That is why they were broken models to begin with.

> So, while I think that the IETF needs to figure out a way to
> address this type of network, site-locals may not be the best
> way to do it, as they come with substantial costs for all
> nodes, and don't fully solve this problem.

The IETF needs to address all the requirements BEFORE removing the tool that currently solves them. Doing otherwise is an irresponsible act.

Tony

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
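The exchange above turns on what a prefix-keyed filter actually does at a site boundary and inside the site. The following is an added illustration, not code from the thread or from either participant: it models a boundary router that refuses to forward packets whose source or destination carries the site prefix across the boundary, and an internal router that restricts a printer to one department's subnet, then runs the same scenarios with fec0::/10 and with a global /48 as the site prefix. All addresses, subnet numbering and the "marketing owns subnet 1" layout are constructed for the example; 2001:db8::/32 is the documentation prefix standing in for a real allocation.

```python
import ipaddress

# Constructed values for this example (not taken from the thread). 2001:db8::/32 is
# the IPv6 documentation prefix and stands in for a site's real global allocation.
SITE_LOCAL_PREFIX = ipaddress.IPv6Network("fec0::/10")
GLOBAL_SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")


def boundary_decision(src, dst, site_prefix):
    """Decision of a site-boundary router whose only rule is that traffic
    addressed from or to the site prefix must not cross the boundary.
    Returns 'forward' or 'drop'.
    """
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    crosses_boundary = (src in site_prefix) != (dst in site_prefix)
    return "drop" if crosses_boundary else "forward"


def department_decision(src, dst, department_subnet, printer):
    """Internal rule at a router inside the site: only hosts in
    department_subnet may reach the printer; other destinations are
    unaffected. The rule keys on a subnet, not on address scope.
    """
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if dst == ipaddress.IPv6Address(printer) and src not in department_subnet:
        return "drop"
    return "forward"


def address_in(prefix, offset):
    """Build an address as prefix + offset (constructed host numbering)."""
    return str(ipaddress.IPv6Address(int(prefix.network_address) + offset))


def run_scenarios(site_prefix):
    """Evaluate the same scenarios under one site prefix and return the decisions.

    Subnet 0 and subnet 1 of the site are derived from site_prefix; the
    marketing department is subnet 1 and owns the printer.
    """
    subnet1_base = 1 << 64                                  # 64-bit host part: next /64
    host_a = address_in(site_prefix, 0x10)                  # a host in subnet 0
    host_b = address_in(site_prefix, subnet1_base + 0x20)   # a host in subnet 1 (marketing)
    printer = address_in(site_prefix, subnet1_base + 0x99)
    marketing = ipaddress.IPv6Network((int(site_prefix.network_address) + subnet1_base, 64))
    outside_a = "2001:db8:ffff::9"                          # hosts beyond the boundary (constructed)
    outside_b = "2001:db8:fffe::1"
    return {
        "inside_to_inside": boundary_decision(host_a, host_b, site_prefix),
        "inside_to_outside": boundary_decision(host_a, outside_a, site_prefix),
        "outside_to_outside": boundary_decision(outside_a, outside_b, site_prefix),
        "marketing_to_printer": department_decision(host_b, printer, marketing, printer),
        "other_dept_to_printer": department_decision(host_a, printer, marketing, printer),
    }


def decisions_match(prefix_a, prefix_b):
    """True when both prefixes yield identical decisions for every scenario."""
    return run_scenarios(prefix_a) == run_scenarios(prefix_b)


if __name__ == "__main__":
    for prefix in (SITE_LOCAL_PREFIX, GLOBAL_SITE_PREFIX):
        print(prefix, run_scenarios(prefix))
    print("identical:", decisions_match(SITE_LOCAL_PREFIX, GLOBAL_SITE_PREFIX))
```

Both runs produce the same decision table, because each rule is a function of the configured prefix or subnet, not of the address scope. What the table does not capture is the other half of the disagreement: whether peer networks independently filter the prefix as well, which is what site-local scope assumes and what a locally announced global prefix cannot rely on.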
