On Thu, 27 May 2004, Brian E Carpenter wrote:
> > 12.0 Security Considerations
> >
> > Local IPv6 addresses do not provide any inherent security to the
> > nodes that use them. They may be used with filters at site
> > boundaries to keep Local IPv6 traffic inside of the site, but this is
> > no more or less secure than filtering any other type of global IPv6
> > unicast addresses.
>
> This is true, but it undersells the proposal, given the current state of
> enterprise security models. Can we add:
>
> From a security viewpoint, such filtering is exactly equivalent to the
> filtering of ambiguous IPv4 addresses [RFC1918] at a site boundary. Hosts
> whose local addresses are filtered are invisible from outside the site. If
> such a host needs, and is authorized to have, external access, it must do
> so using an additional, globally routeable, IPv6 address.

You have implicit assumptions about what you mean with 'external access'.
Did you mean something like, "access by external
[non-unique-local-addressed] users"? Because you will be able to access
external hosts from the unique-local hosts through proxies etc.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
