> > I miss something here. How do you make sure that nodes > > configure just site local and not global address on seeing an > > RA ? Are you keeping them in separate networks i.e not mixing > > nodes that require globals and site locals ? If so, then I > > can do the same with globals with appropriate partitioning > > i.e subnet 1 - 100, is for private use only. Then the check > > is very simple. Could you clarify ? > > Same network, hearing RA's, just local policy on the restricted box to > only configure based on SL prefixes.
So, instead of filtering global addresses at the firewall, you go to each individual box in the network which you want to restricted access to/from and configure it to only use restricted (i.e., site-local) addresses? And, as a bonus, you get to deal with all the complexity and problems which are introduced when using site-locals in a non-isolated environment. How, exactly, does this improve anything? Roy -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
