First of all, what are we talking about here? I see two needs:
a) the need for stable addresses
b) the need for private addresses
Let's first discuss a). The draft says that unique local addresses (ULAs) must not show up in the global/public DNS, so two-faced DNS must be used for these addresses. But how is a DNS server supposed to know whether the other end can reach the ULAs in question? Consider the situation where two organizations with their own ULA space merge. Hosts continue to have ULAs as before, but now there is a second range of ULA space that is reachable. But how does the DNS for organization A know that the resolving DNS for organization B should know the ULAs, as DNS B arrives at DNS A through the usual root, TLD and so on route, where only globally routable addresses are used?
I see only two solutions: huge amounts of manual configuration, or having the ULAs in the DNS, but not using them unless you have a route for them. This of course requires that all reachable ULA ranges are advertised to all hosts using an IGP.
Then there is b). Obviously b) assumes a). However, a) certainly DOES NOT imply b). I'm afraid many people will prove to be incapable of making the distinction and end up creating a big old mess for themselves. It also occurs to me that using the routing system as access control isn't the best idea ever. Maybe it makes sense to set aside a range of private port numbers rather than a range of private addresses? (Simply filtering a single range of private ports in the network would certainly have made my life easier with all those worms.)
Finally, there is mention of using ULAs for VPNs. That makes no sense. If you use ULAs for a VPN, this means you can't reach the rest of the world over your VPN so you must do so using the unprotected connectivity that underlies the VPN. This is a huge security hole. VPNs should use regular routable address space.
BTW, we can probably repeat the entire discussion as soon as there is a locator/identifier separation proposal on the table as it is very likely that the identifiers for that will be drawn from a special range of address space.
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
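The second solution sketched in the post, keeping ULAs in the DNS but using them only when the host has a route for them, as an added illustration that is not part of the original message. The reachable-prefix list stands in for what an IGP would have distributed to the host after the merger; the prefixes, hostnames and AAAA answers are all constructed.

```python
import ipaddress

# RFC 4193 unique local address range.
ULA_RANGE = ipaddress.ip_network("fc00::/7")

# Constructed: ULA prefixes the IGP has advertised as reachable from this host
# (hypothetical organizations A and B after their merger).
REACHABLE_ULA_PREFIXES = [
    ipaddress.ip_network("fd12:3456:789a::/48"),  # organization A's ULA block
    ipaddress.ip_network("fdab:cdef:1234::/48"),  # organization B's block, learned after the merger
]

# Constructed stand-in for AAAA answers returned by the DNS for a name.
# The third organization's ULA is published but no route for it has been learned.
CONSTRUCTED_AAAA_ANSWERS = {
    "mail.example-b.test": ["fdab:cdef:1234:1::25", "2001:db8:b::25"],
    "intranet.example-c.test": ["fdff:eeee:dddd::80", "2001:db8:c::80"],
}


def is_ula(addr):
    """True if addr falls inside fc00::/7."""
    return addr in ULA_RANGE


def has_route(addr, reachable_prefixes):
    """True if some advertised ULA prefix covers addr."""
    return any(addr in prefix for prefix in reachable_prefixes)


def select_addresses(answers, reachable_prefixes):
    """Order the candidate addresses for a connection attempt.

    Reachable ULAs go first (internal path), global addresses follow as the
    fallback, and ULAs with no learned route are dropped outright: trying them
    would only stall the connection until a timeout, not fall through cleanly.
    Returns (ordered_candidates, dropped_ulas) as strings.
    """
    reachable_ulas, global_addrs, dropped = [], [], []
    for text in answers:
        addr = ipaddress.ip_address(text)
        if is_ula(addr):
            if has_route(addr, reachable_prefixes):
                reachable_ulas.append(addr)
            else:
                dropped.append(addr)
        else:
            global_addrs.append(addr)
    ordered = [str(a) for a in reachable_ulas + global_addrs]
    return ordered, [str(a) for a in dropped]
```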
