Hi Bob, Brian,
A few other thoughts, notes or minor nits regarding this draft.
3.1 Format
~~~~~~~~~~
This statement
"The Local IPv6 addresses are created using a centrally allocated
global ID."
seems to be contradicting the ability to locally generate the
global ID, as per section 3.2.2
4.0 Routing
~~~~~~~~~~~
"Any router that is used between sites must be configured to
filter out any incoming or outgoing Local IPv6 unicast routes.
The exception to this is if specific /48 IPv6 local unicast
routes have been configured to allow for inter-site
communication."
I'd like to suggest changing the above to
"Any router that is used between sites must be configured to
filter out any incoming or outgoing Local IPv6 unicast routes.
The exception to this is if specific /48 or longer IPv6 local
unicast routes have been configured to allow for inter-site
communication." ("or longer" added)
This would allow a single /64 to be pushed into the other Local
IPv6 address domain, providing a basic form of firewalling
between the Local IPv6 address domains via hiding of
destinations. I think this would be simpler than only being able
to push a /48, and then having to implement packet filtering /
firewalling to filter out all traffic towards non-permitted /64s.
Also, the same change for the BGP paragraph -
"If BGP is being used at the site border with an ISP, the default
BGP configuration must be set to keep any Local IPv6 address
prefixes from being advertised outside of the site or for these
prefixes to be learned from another site. The exception to
this is if there are specific /48 or longer routes created for
one or more Local IPv6 prefixes."
6.0 Site Border Router and Firewall Packet Filtering
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"or longer" as above -
"Site border routers and firewalls should not forward any
packets with Local IPv6 source or destination addresses outside
of the site unless they have been explicitly configured with
routing information about specific /48 or longer Local IPv6
prefixes. The default behavior of these devices should be to
install a "reject" route for these prefixes. Site border routers
should respond with the appropriate ICMPv6 Destination
Unreachable message to inform the source that the packet was
not forwarded."
9.0 Use of Local IPv6 Addresses for Local Communications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This statement
"- Nodes that are to only be reachable inside of a site: The
local DNS should be configured to only include the Local
IPv6 addresses of these nodes. Nodes with only Local IPv6
addresses must not be installed in the global DNS."
seems contrary to the following, in section 7.0 "DNS Issues"
"If Local IPv6 addresses are configured in the global DNS, no harm
is done because they are unique and will not create any
confusion. They may not be reachable, but this is a property
that is common to all types of global IPv6 unicast addresses."
The first statement also seems to imply a mandatory split DNS
setup, which I wouldn't think would be a requirement for a mixed
Global/Local, and Local-only IPv6 address environment.
"- Nodes that are to be reachable from inside of the site and
from outside of the site: The DNS should be configured to
include the global addresses of these nodes. The local
DNS may be configured to also include the Local IPv6
addresses of these nodes."
I think this statement also assumes a split DNS setup - the
"local" qualifier in the second sentence.
That's it at the moment I think.
Hope this helps,
Mark.
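The following is an added example, not part of the mailing-list post or of the draft under discussion. It models the site-border policy debated above in sections 4.0 and 6.0: Local IPv6 unicast routes are filtered by default, an explicitly configured inter-site prefix is the only exception, and a covering "reject" route makes the router answer non-permitted destinations with ICMPv6 Destination Unreachable instead of forwarding. The Local IPv6 block fc00::/7 and the /48 site prefix length are taken from the draft as the poster describes it; the class name, method names and sample prefixes are assumptions made for illustration. The `allow_longer` flag contrasts the draft's original "/48" wording with the proposed "/48 or longer" wording, so the /64 case from the post can be tried directly.

```python
"""Site-border route filter for Local IPv6 unicast prefixes (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

LOCAL_IPV6 = ipaddress.IPv6Network("fc00::/7")  # Local IPv6 unicast block (assumed)
SITE_PREFIX_LEN = 48                             # the draft's /48 site prefix


class LocalPrefixFilter:
    """Default-deny filter for Local IPv6 routes crossing a site border."""

    def __init__(self, exceptions: Iterable[str], allow_longer: bool = True):
        # allow_longer=False models the draft's original wording (exactly /48);
        # allow_longer=True models the "/48 or longer" wording proposed above.
        self.allow_longer = allow_longer
        self.exceptions: List[ipaddress.IPv6Network] = []
        for p in exceptions:
            net = ipaddress.IPv6Network(p)  # strict: host bits must be zero
            if not net.subnet_of(LOCAL_IPV6):
                raise ValueError(f"{net} is not a Local IPv6 prefix")
            if net.prefixlen < SITE_PREFIX_LEN:
                raise ValueError(f"{net} is shorter than /{SITE_PREFIX_LEN}")
            if net.prefixlen > SITE_PREFIX_LEN and not allow_longer:
                raise ValueError(f"{net} is longer than /{SITE_PREFIX_LEN}; "
                                 "only /48 exceptions are permitted")
            self.exceptions.append(net)

    def route_decision(self, prefix: str) -> str:
        """Decision for a route advertised to, or learned from, another site.

        'pass'   - not a Local IPv6 route, so this filter does not apply
        'accept' - exact match on a configured inter-site exception
        'filter' - any other Local IPv6 route (the default)
        """
        net = ipaddress.IPv6Network(prefix)
        if not net.subnet_of(LOCAL_IPV6):
            return "pass"
        if net in self.exceptions:
            return "accept"
        return "filter"

    def forward_decision(self, dst: str) -> Tuple[str, str]:
        """Forwarding decision for a packet with a Local IPv6 destination.

        Longest-prefix match over the accepted exceptions plus a covering
        fc00::/7 "reject" route. Returns (action, matched_prefix).
        """
        addr = ipaddress.IPv6Address(dst)
        if addr not in LOCAL_IPV6:
            return ("forward", "default")  # global destination: normal routing
        best = None
        for net in self.exceptions:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        if best is None:
            # Reject route hit: drop and send ICMPv6 Destination Unreachable
            return ("icmpv6-unreachable", str(LOCAL_IPV6))
        return ("forward", str(best))


if __name__ == "__main__":
    # Constructed sample: only one /64 of the remote site is pushed across.
    f = LocalPrefixFilter(["fd12:3456:789a:1::/64"])
    print(f.route_decision("fd12:3456:789a:1::/64"))  # accept
    print(f.route_decision("fd12:3456:789a::/48"))    # filter
    print(f.forward_decision("fd12:3456:789a:1::10"))  # forward via the /64
    print(f.forward_decision("fd12:3456:789a:2::10"))  # icmpv6-unreachable
```

With the "/48 or longer" wording, advertising a single /64 hides every other /64 of the remote site behind the reject route, which is the "firewalling by hiding destinations" effect described in the post; with exactly-/48 exceptions, the same /64 cannot be configured at all, and a /48 exception forwards to every /64 beneath it, leaving the per-/64 restriction to a separate packet filter.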
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------