and this is my biggest fear for the Internet with IPv6. These site-locals could undo all we did with IPv6 to restore end-to-end architecture for the Internet.
Trying to limit them with words or BCPs whatever will NOT prevent the potential tragedy to our beloved Internet as Bill points out below.

/jim

> -----Original Message-----
> From: Bill Sommerfeld [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 7:41 PM
> To: Michel Py
> Cc: Bob Hinden; Steven M. Bellovin; [EMAIL PROTECTED]
> Subject: Re: Fwd: IPv6 Scoped Addresses and Routing Protocols
>
>
> > The outbound-only firewall is a false idea of security as well since
> > 2nd generation peer-to-peer software such as Morpheus can easily
> > bypass firewalls and allow ingress connections to RFC1918 hosts.
> >
> > On the other hand, considering that a typical IPv6 will _not_ feature
> > IPv6 NAT, an IPv6 host that has _only_ a site-local address would have
> > an extra layer of protection against external attacks as it would not be
> > reachable at all from the outside.
>
> I see this as a distinction without a difference -- if the site has
> some systems running a global p2p network's software with external
> connectivity, and that p2p network is cracked, the site will be
> vulnerable to attacks relayed through the p2p network.
>
> if one system within the site has external connectivity and is part of
> the compromised p2p network, any system at the site will now be open
> to attacks from the compromised system.
>
> If there is widespread deployment of systems with site-local only
> addresses, this will in turn drive the creation of ipv6 NAT
> specifically to give them external connectivity.
>
> - Bill
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page: http://playground.sun.com/ipng
> FTP archive: ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------