You can make it simpler yet:

Option 1: Use only one local address scope.
Control device has only a scoped address.
The host has one scoped address and one global address.
The DFZ host has only a global address.

Option 2: All have global addresses. Use firewall rules to filter.

Regards,

-- Nir Arad

----- Original Message -----
From: "Nir Arad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 12, 2003 9:42 AM
Subject: Re: Geoff Huston's draft and the intended use of the hinden/templin address space

> Excellent scenario, and a simple solution:
>
> The administrator needs to define 2 address scopes.
>
> The control device has an address in scope 1.
> The host has addresses in both scopes 1 and 2, as well as a global unicast address.
> The DFZ host has an address of scope 2, and a global unicast address.
>
> All requirements met.
>
> Regards,
>
> -- Nir Arad
>
> ----- Original Message -----
> From: "Michel Py" <[EMAIL PROTECTED]>
> To: "Nir Arad" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, August 11, 2003 6:29 PM
> Subject: RE: Geoff Huston's draft and the intended use of the hinden/templin address space
>
>
> > >>> Nir Arad wrote:
> > >>> I would like to point out again, that as per my suggestion, nodes
> > >>> MUST NOT send, receive or forward traffic in which the source and
> > >>> destination addresses are not of the same scope.
> >
> > >> Michel Py wrote:
> > >> That would some problems but appears to be unworkable to me. It's
> > >> not flexible enough.
> >
> > > Could you please give a scenario that breaks it?
> >
> >
> > <-------------------- Global Addresses ----------------><- Local addr ->
> > +-----+
> > | ISP |    :
> > +--+--+    :
> >    !       :
> > +--+---------+  +----------+     +----------+     +----------+
> > | Router A : +--|< Firewall+--+--|< Firewall+--+--+ Router B +----+
> > +------------+  +----------+  |  +----------+  |  +----------+    |
> >            :                  |                |                  |
> >            :              +---+--+          +--+---+         +----+----+
> >            :              | DFZ  |          | Host |         | Control |
> >            :              | Host |          +------+         | Device  |
> >            :              +------+                           +---------+
> > ---Site -->:<-------------------------- Site -------------------------->
> >            :
> >
> > - Router A is the SBR.
> > - DFZ hosts need to be able to talk to hosts between the internal
> >   firewall and router B, but not to the control devices.
> > - DFZ hosts need to be able to talk to the outside.
> > - Hosts between the internal firewall and router B need to be able to
> >   talk to everybody.
> > - Control devices are accessible only from hosts between the internal
> >   firewall and router B.
> >
> > Michel.
> >
> >
> > --------------------------------------------------------------------
> > IETF IPng Working Group Mailing List
> > IPng Home Page:                      http://playground.sun.com/ipng
> > FTP archive:                      ftp://playground.sun.com/pub/ipng
> > Direct all administrative requests to [EMAIL PROTECTED]
> > --------------------------------------------------------------------
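
The following is an added example, not part of the original thread: it models the same-scope rule quoted above and checks each proposed address plan against the scenario's requirements. The node names follow the diagram; the scope labels (`s1`, `s2`, `local`), the `outside` node, and the assumption that sharing a scope is sufficient for reachability (no firewall filtering modeled) are illustrative.

```python
# Added example, not from the thread. Node names follow the diagram;
# scope labels ("s1", "s2", "local") are illustrative assumptions.
GLOBAL = "global"

# Scenario requirements: pair of nodes -> must they be able to communicate?
REQUIREMENTS = {
    ("dfz", "host"): True,         # DFZ hosts talk to internal hosts
    ("dfz", "outside"): True,      # DFZ hosts talk to the outside
    ("host", "control"): True,     # hosts talk to everybody
    ("host", "outside"): True,
    ("dfz", "control"): False,     # control devices reachable only from hosts
    ("control", "outside"): False,
}

# Address plans: node -> set of scopes in which the node holds an address.
TWO_SCOPES = {   # the two-scope proposal
    "control": {"s1"},
    "host": {"s1", "s2", GLOBAL},
    "dfz": {"s2", GLOBAL},
    "outside": {GLOBAL},
}
ONE_SCOPE = {    # Option 1: a single local scope
    "control": {"local"},
    "host": {"local", GLOBAL},
    "dfz": {GLOBAL},
    "outside": {GLOBAL},
}
ALL_GLOBAL = {   # Option 2 before any firewall rule is applied
    node: {GLOBAL} for node in ("control", "host", "dfz", "outside")
}

def can_talk(a, b, plan):
    """Same-scope rule: traffic is allowed only when source and destination
    addresses are of the same scope, i.e. the nodes share at least one scope."""
    return bool(plan[a] & plan[b])

def violations(plan):
    """Return the requirement pairs that the address plan alone fails to meet."""
    return sorted(pair for pair, want in REQUIREMENTS.items()
                  if can_talk(*pair, plan) != want)

if __name__ == "__main__":
    for name, plan in (("two scopes", TWO_SCOPES), ("one scope", ONE_SCOPE),
                       ("all global", ALL_GLOBAL)):
        print(name, violations(plan) or "all requirements met")
```

For the all-global plan, the pairs reported are the flows that the firewall rules of Option 2 have to block, since addressing no longer enforces them.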
