Tony Hain wrote:
> I don't see any content in this message.

I'll deal with this elsewhere.


> Like it or not, it is accepted
> security practice to limit access by filtering on bits in the IP header, and
> restricting what prefixes are announced in routing protocols.

But that filtering is done EXPLICITLY based on a PARTICULAR device in a PARTICULAR environment. Neither the device nor the firewall can make that decision, and that is what you are claiming. You are OVERLOADING security operations on the IP address, a construct that is poorly suited for the task.


> In any case, I was not even claiming that any packet filtering was happening
> in that scenario.
> The presumption was that the prefix for local use was not being routed
> outside the home, while the global one was. In that case, packet filtering
> is not required as the origin can't get packets to the destination.

And that is where you are relying on the routing protocol for security, and that too is a bad architectural assumption. It's bad for all the reasons I wrote in the message you claim had "no content".


> Restricted routing is just one component in a comprehensive security plan.

Since it doesn't really do the job, and since we are talking about a home system as a use scenario, less is more. Provide a single mechanism that works correctly such that the individual can manipulate it in one place if he/she has to.


I don't claim that filtering shouldn't happen in many or most cases, and it might even happen in THIS case. But let's not architect for such a case.

Eliot


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
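The disagreement above is whether a prefix that is simply never announced upstream needs any packet filter at all. The following is an added illustration, not code from the thread or from either participant, that models both positions in a toy home router. The prefixes (a documentation-range global prefix and a ULA-style local prefix), the `Upstream`, `HomeRouter`, `deliver_from_internet`, `deliver_from_access_link` and `scenario` names, and the assumption that a node adjacent on the access link can hand the router a frame without consulting any routing announcement, are all constructed for the example.

```python
"""Toy model: routing-based isolation of a local-only IPv6 prefix versus an
explicit ingress filter on the WAN interface. Added example, not from the thread."""
import ipaddress

# Constructed, hypothetical prefixes: one is announced upstream, one is kept local.
GLOBAL_PREFIX = ipaddress.ip_network("2001:db8:1::/48")
LOCAL_PREFIX = ipaddress.ip_network("fd12:3456:789a::/48")


class Upstream:
    """Provider network: it can only deliver to prefixes it has learned routes for."""

    def __init__(self, announced):
        self.routes = set(announced)

    def can_route(self, dst):
        d = ipaddress.ip_address(dst)
        return any(d in p for p in self.routes)


class HomeRouter:
    """Home router with a LAN-side forwarding table and an optional WAN ingress filter."""

    def __init__(self, filter_wan):
        self.filter_wan = filter_wan          # the single, explicit mechanism
        self.lan_prefixes = [GLOBAL_PREFIX, LOCAL_PREFIX]
        self.decisions = []                   # audit trail of what happened to each packet

    def announced(self):
        # Only the global prefix is ever advertised to the provider (the "restricted routing" case).
        return [GLOBAL_PREFIX]

    def forward(self, ingress, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Explicit policy, independent of what was announced or who has a route:
        # nothing arriving on the WAN side may carry the local-only prefix in either direction.
        if self.filter_wan and ingress == "wan" and (d in LOCAL_PREFIX or s in LOCAL_PREFIX):
            self.decisions.append(("drop", src, dst))
            return "drop"
        for p in self.lan_prefixes:
            if d in p:
                self.decisions.append(("lan", src, dst))
                return "lan"
        self.decisions.append(("wan", src, dst))
        return "wan"


def deliver_from_internet(router, src, dst):
    """A host somewhere behind the provider: the packet must first be routable there."""
    up = Upstream(router.announced())
    if not up.can_route(dst):
        return "unroutable"
    return router.forward("wan", src, dst)


def deliver_from_access_link(router, src, dst):
    """Assumed case: a node adjacent on the WAN link hands the frame straight to the
    router's interface, so no routing announcement is consulted on the way."""
    return router.forward("wan", src, dst)


def scenario(filter_wan):
    """Run the same four constructed packets against a router with or without the filter."""
    r = HomeRouter(filter_wan)
    return {
        "internet_to_global": deliver_from_internet(r, "2001:db8:ffff::1", "2001:db8:1::10"),
        "internet_to_local": deliver_from_internet(r, "2001:db8:ffff::1", "fd12:3456:789a::10"),
        "link_to_local": deliver_from_access_link(r, "2001:db8:ffff::1", "fd12:3456:789a::10"),
        "link_spoofed_local_src": deliver_from_access_link(r, "fd12:3456:789a::99", "2001:db8:1::10"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("filter_wan =", flag, scenario(flag))
```

With `filter_wan=False` the unannounced prefix is indeed unreachable from a distant host (`internet_to_local` is `unroutable`), which is the case the quoted text describes; but a packet handed to the WAN interface by something adjacent on the access link is forwarded into the LAN (`link_to_local` is `lan`), and a packet spoofing a local-only source address is forwarded as well. With `filter_wan=True` both are dropped at the one place the owner can inspect and change, regardless of routing state.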
