It is possible to write sufficient restrictions and avoid both the drift towards announcing /48 in the DMZ and using the unique local addresses in a NATv6 configuration. The requirement is that the site local replacement be "special". We can for example request that backbone routers ignore announces that fall in the special prefix unless a /48 has been explicitly. As a result, even if someone convinces their local ISP, they will not be able to get connectivity to the whole Internet, and the addresses will not be usable as "globally routed PI." In fact, we should do that.
I agree, and it is already in the draft. The current draft includes text on this in two places.
In section 4.0 "Routing":
Any routing protocol that is used between sites is required to filter out any incoming or outgoing Local IPv6 unicast routes. The exception to this is if specific /48 IPv6 local unicast routes have been configured to allow for inter-site communication.
If BGP is being used at the site border with an ISP, by default filters MUST be installed in the BGP configuration to keep any Local IPv6 address prefixes from being advertised outside of the site or for these prefixes to be learned from another site. The exception to this is if there are specific /48 routes created for one or more Local IPv6 prefixes.
and in section 6.0 "Site Border Router and Firewall Filtering":
While no serious harm will be done if packets with these addresses are sent outside of a site via a default route, it is recommended that they be filtered to keep any packets with Local IPv6 destination addresses from leaking outside of the site and to keep any site prefixes from being advertised outside of their site.
Site border routers SHOULD install a black hole route for the Local IPv6 prefix FC00::/7. This will ensure that packets with Local IPv6 destination addresses will not be forwarded outside of the site via a default route.
Site border routers and firewalls SHOULD NOT forward any packets with Local IPv6 source or destination addresses outside of the site unless they have been explicitly configured with routing information about other Local IPv6 prefixes. The default behavior of these devices SHOULD be to filter them.
Is this sufficient? Would it be better to also include an "operational considerations" or similar section? More text on why this is important?
Bob
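As an added illustration of the two rules quoted above, and not text from the draft or from anyone on the list: the following Python model implements the section 4.0 route filter (drop any route inside FC00::/7 unless it is exactly one of the explicitly configured inter-site /48s) and the section 6.0 black hole (longest-prefix match where FC00::/7 points to a black hole, explicitly configured Local IPv6 prefixes have real next hops, and everything else follows the default route). The prefixes fd12:3456:789a::/48 and 2001:db8::/32 are made-up sample values, and on a real border router this logic would be a prefix-list or route-map rather than a script.

```python
import ipaddress

# Local IPv6 unicast prefix as given in the draft text quoted above.
LOCAL_IPV6 = ipaddress.ip_network("fc00::/7")


def is_local(net):
    """True if the prefix falls inside FC00::/7 (Local IPv6 unicast)."""
    return net.version == 6 and net.subnet_of(LOCAL_IPV6)


def filter_routes(prefixes, explicit_local_48s=()):
    """Section 4.0 policy applied to a list of BGP route prefixes.

    Returns (accepted, rejected). A route inside FC00::/7 is rejected unless
    it is exactly one of the /48s explicitly configured for inter-site use.
    Routes outside FC00::/7 (including a default route and IPv4) pass through;
    this filter only concerns Local IPv6 addresses.
    """
    exceptions = {ipaddress.ip_network(p) for p in explicit_local_48s}
    for e in exceptions:
        # The draft only carves out specific /48s, so refuse anything else.
        if e.prefixlen != 48 or not is_local(e):
            raise ValueError(f"exception must be a /48 inside {LOCAL_IPV6}: {e}")
    accepted, rejected = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if not is_local(net) or net in exceptions:
            accepted.append(net)
        else:
            rejected.append(net)
    return accepted, rejected


def forwarding_decision(dst, local_routes=(), default_route=True):
    """Section 6.0 model: longest-prefix match over a border router's table.

    The table always carries FC00::/7 -> blackhole. Explicitly configured
    Local IPv6 prefixes (assumed inter-site /48s) get a real next hop, and an
    optional ::/0 default route catches everything else. Because the black
    hole entry is more specific than ::/0, a Local IPv6 destination with no
    explicit route is dropped instead of leaking out via the default route.
    """
    addr = ipaddress.ip_address(dst)
    table = [(LOCAL_IPV6, "blackhole")]
    table += [(ipaddress.ip_network(p), "inter-site") for p in local_routes]
    if default_route:
        table.append((ipaddress.ip_network("::/0"), "default"))
    best = None
    for net, action in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "drop"


if __name__ == "__main__":
    # Constructed sample input: one global prefix, two Local IPv6 prefixes,
    # the whole Local IPv6 block, and an IPv4 route, with one /48 permitted.
    acc, rej = filter_routes(
        ["2001:db8::/32", "fd12:3456:789a::/48", "fc00::/7", "fd00::/8", "192.0.2.0/24"],
        explicit_local_48s=["fd12:3456:789a::/48"],
    )
    print("accepted:", [str(n) for n in acc])
    print("rejected:", [str(n) for n in rej])
    for dst in ("fd12:3456:789a::1", "fdab::1", "2001:db8::1"):
        print(dst, "->", forwarding_decision(dst, local_routes=["fd12:3456:789a::/48"]))
```

The ordering matters in the forwarding model: without the FC00::/7 black hole entry, fdab::1 would match only ::/0 and be forwarded to the ISP, which is exactly the leak the draft text is trying to prevent.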
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
