On 20/04/2017 10:47, Ted Lemon wrote:
> On Apr 19, 2017, at 5:15 PM, james woodyatt <[email protected]> wrote:
>>>> Unique Local Addresses (ULA) [RFC4193] are intended for scenarios where IP 
>>>> addresses are not publicly reachable, despite their global address scope. 
>>>> They MUST NOT appear in the default-free routing domain of the public 
>>>> Internet, and gateways at the boundaries of private routing domains SHOULD 
>>>> NOT forward packets from or to ULA addresses where multilateral transit 
>>>> agreements do not explicitly recognize them.
> 
> Changing the first "globally" to "publicly" isn't necessary.  Actually, I 
> think this whole change just makes things less clear.   Publicly and globally 
> mean the same thing.   ULAs are never globally reachable.   If you have more 
> than one site, and route ULAs between them, the ULAs have to be routed over 
> your private links, not over the public internet.   I get that in principle 
> it may be possible to route your ULAs over a link that also carries global 
> traffic and that is not "your link," but it would be better to clarify this 
> in an additional paragraph; by adding the text where you have, you are going 
> to confuse the heck out of any reader who doesn't know what a "multilateral 
> link" is.

Also, "globally reachable" is a term of art in draft-bchv-rfc6890bis and in the 
new form of the IANA registry that it defines. Once that's final, there is work 
to do elsewhere (for example, the de facto meaning of "global" in the Python 
ipaddress module is plain wrong). So this is important terminology. I have no 
problem mentioning transit agreements, but I think James' SHOULD NOT should 
also be a MUST NOT.

My routing friends tell me that there's no such thing as a true DFZ any more, 
too.

    Brian
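An added example, not part of this thread or of any draft text, showing in Python what the quoted boundary rule means in practice for ULA: it classifies fc00::/7 addresses, extracts the RFC 4193 Global ID, applies the "do not forward unless a transit agreement recognizes the prefix" check at a border gateway, and reports what the standard-library ipaddress module says about such an address. The addresses and the `recognized_ula_prefixes` parameter are constructed for illustration.

```python
import ipaddress

# RFC 4193 Unique Local Address block: 7-bit prefix, 1-bit L flag, 40-bit Global ID,
# 16-bit Subnet ID, 64-bit Interface ID. fd00::/8 (L=1) is the locally assigned form.
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")
ULA_LOCALLY_ASSIGNED = ipaddress.IPv6Network("fd00::/8")


def is_ula(addr):
    """True if addr is in fc00::/7: global *scope*, but not globally reachable."""
    return ipaddress.ip_address(addr) in ULA_BLOCK


def ula_global_id(addr):
    """Return the 40-bit Global ID (bits 8..47) of a ULA as 10 hex digits, else None."""
    a = ipaddress.IPv6Address(addr)
    if a not in ULA_BLOCK:
        return None
    gid = (int(a) >> 80) & ((1 << 40) - 1)   # drop the 80 low bits, keep 40
    return f"{gid:010x}"


def border_gateway_forwards(src, dst, recognized_ula_prefixes=()):
    """Boundary policy from the quoted draft wording: a packet with a ULA source or
    destination is not forwarded across the private-domain boundary unless the
    prefix is explicitly covered by a transit agreement (a constructed allow-list
    here). Returns (forward, reason)."""
    recognized = [ipaddress.IPv6Network(p) for p in recognized_ula_prefixes]
    for role, raw in (("src", src), ("dst", dst)):
        a = ipaddress.IPv6Address(raw)
        if a in ULA_BLOCK and not any(a in net for net in recognized):
            return False, f"{role} {a} is ULA and not covered by a transit agreement"
    return True, "no unrecognized ULA endpoint"


def stdlib_view(addr):
    """What Python's ipaddress module reports for the address (private/global flags)."""
    a = ipaddress.IPv6Address(addr)
    return {"is_private": a.is_private, "is_global": a.is_global}


if __name__ == "__main__":
    ula = "fd12:3456:789a:1::1"          # constructed locally assigned ULA
    print(is_ula(ula), ula_global_id(ula), stdlib_view(ula))
    print(border_gateway_forwards(ula, "2001:db8::1"))
    print(border_gateway_forwards(ula, "2001:db8::1", ["fd12:3456:789a::/48"]))
```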

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec