Pekka Savola wrote:
On Thu, 7 Nov 2002, Keith Moore wrote:

What I meant to say that to implement site-locals properly in a router,
the vendor should not be OK to say "we support access-lists, you can use
them to configure site-local borders" or that "we have nice firewall
products, wanna buy one?".
I'm not sure about that. Having routers try to automagically determine site boundaries sounds nice, unless there are cases where it will fail.
If the latter is true, then requiring explicit filter configuration seems
like the way to go.

.. which brings me back to my original point that the spec text should be written in such a fashion that people don't expect the site-local filters to "just work", but that people need to do it themselves.

I'm not sure if folks really understand the security implications (or lack thereof) when dealing with site-locals, and the spec doesn't make it any better.

The original intent in the scoped addr arch was that the site-local
zone id would indicate which interfaces are within a site.  The
filtering between sites is handled by the forwarding code.

Vendors that support these zone ids will have default values for the
zone ids.  If the vendors don't support the zone ids, the box will
be unable to act as a SBR unless the user builds the filters.

Brian

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
