> Let's take two steps back, stop discussing possible solutions for a
> moment and discuss the problem statement. I'd like it to be possible for
> an enterprise to:
>
> - Have resources (i.e. nodes or services) that are accessible
>   only to sub-groups within the enterprise (i.e.
>   departments). Example: a printer that only marketing
>   is allowed to use.
> - Have resources that are available to the whole enterprise,
>   but that are not accessible outside the enterprise.
>   Example: An HR benefits website.
> - Have resources that are available on an extranet (between a
>   selected group of enterprises) that are not accessible
>   to all other enterprises. Example: A supplier/customer
>   network.
> - Have resources that are globally available, and be able to
>   send global traffic. Example: Google.
>
> All of these things can be achieved without site-locals, using
> provider-allocated global addresses and appropriate configurations of
> firewalls, ACLs, route filtering and split DNS.
In theory people would be smart and would never assign any security property to an address. They would base access control on actual authentication protocols, authorizing an activity if they have enough trust in the user initiating the activity and the remote computer through which the activity is performed. I wish everybody understood that.

In practice, many system administrators do assign some properties to addresses. In a large network, assigning properties to addresses translates into a large number of access control lists in which the "only marketing" or "HR benefits" restriction is translated into a set of address prefixes. Experience proves that updating these prefixes during network renumbering is a major pain. Having a stable set of prefixes that you can use internally is thus very helpful.

-- Christian Huitema

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
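The renumbering pain described in the reply above, shown concretely as an added example (not part of the original message or of any IETF document): a small address-based ACL of the "only marketing" / "whole enterprise" kind built with Python's `ipaddress` module, plus a routine that rewrites it when the provider prefix changes. All prefixes (`2001:db8::/48` as the provider allocation, `fd00:1234::/48` as a stable internal ULA), department subnet ids and resource names are constructed sample values chosen for the example.

```python
"""Address-based ACLs and what a provider renumbering costs (added example).

Constructed sample values: the provider-allocated /48, a stable internal
/48, three departments, and three resources. Nothing here comes from the
original message beyond the idea of expressing group membership as prefixes.
"""
import ipaddress

PROVIDER_PREFIX = ipaddress.IPv6Network("2001:db8::/48")   # constructed: ISP allocation
INTERNAL_PREFIX = ipaddress.IPv6Network("fd00:1234::/48")  # constructed: stable ULA

# Constructed: each department owns one /64 (the 4th hextet) under a /48.
DEPARTMENTS = {"marketing": 0x10, "hr": 0x20, "engineering": 0x30}


def dept_subnet(base: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """The /64 with the given subnet id carved out of the /48 `base`."""
    return ipaddress.IPv6Network((int(base.network_address) | (subnet_id << 64), 64))


def build_acl(base: ipaddress.IPv6Network):
    """Allow-rules expressed as address prefixes, the pattern the message warns about.

    Each entry is (resource, prefix that may reach it)."""
    return [
        ("printer-marketing", dept_subnet(base, DEPARTMENTS["marketing"])),  # one department
        ("hr-benefits-site", base),                                            # whole enterprise
        ("build-farm", dept_subnet(base, DEPARTMENTS["engineering"])),         # one department
    ]


def is_allowed(acl, resource: str, src_addr: str) -> bool:
    """Address-based check: the source's prefix decides, not who the user is."""
    src = ipaddress.IPv6Address(src_addr)
    return any(r == resource and src in net for r, net in acl)


def renumber(acl, old_base: ipaddress.IPv6Network, new_base: ipaddress.IPv6Network):
    """Move every prefix that lives under old_base to the same offset under new_base.

    Returns (new_acl, number_of_entries_rewritten). Entries outside old_base
    (for example those on the stable internal prefix) are left untouched."""
    touched = 0
    new_acl = []
    for resource, net in acl:
        if net.subnet_of(old_base):
            offset = int(net.network_address) - int(old_base.network_address)
            net = ipaddress.IPv6Network((int(new_base.network_address) + offset, net.prefixlen))
            touched += 1
        new_acl.append((resource, net))
    return new_acl, touched


def renumbering_cost():
    """How many ACL entries change when the ISP hands out a new /48.

    Returns (entries rewritten in the global-address ACL,
             entries rewritten in the internal-prefix ACL)."""
    new_provider = ipaddress.IPv6Network("2001:db8:1000::/48")  # constructed: the new allocation
    global_acl = build_acl(PROVIDER_PREFIX)
    internal_acl = build_acl(INTERNAL_PREFIX)
    _, touched_global = renumber(global_acl, PROVIDER_PREFIX, new_provider)
    _, touched_internal = renumber(internal_acl, PROVIDER_PREFIX, new_provider)
    return touched_global, touched_internal


if __name__ == "__main__":
    acl = build_acl(PROVIDER_PREFIX)
    print("marketing host -> printer:", is_allowed(acl, "printer-marketing", "2001:db8:0:10::5"))
    print("hr host -> printer:       ", is_allowed(acl, "printer-marketing", "2001:db8:0:20::5"))
    print("entries rewritten (global ACL, internal ACL):", renumbering_cost())
```

Every rule keyed on the provider prefix has to be rewritten on renumbering (three of three here), while rules keyed on the stable internal prefix need none, which is the administrative argument for a stable internal prefix. The caveat the reply itself makes still applies: `is_allowed` trusts whatever prefix the packet carries, so an ACL like this controls reachability, not identity, and should sit in front of real authentication rather than replace it.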