that wouldn't conflict with anyone else's and could be filtered by ISPs,
etc. (in case anyone ever makes a mistake and connects an "isolated"
network to the Internet). This is actually what site-local addresses
(and RFC 1918 addresses) were originally invented for...
Yes, but that didn't really stop anyone....
I know. And, it will probably be very tempting for people to use these
addresses behind IPv6 NAT boxes, like in IPv4.

In my opinion, the only way that we will stop people from using NAT
(with or without IPv6 site-local addresses) will be to provide better
(architecturally cleaner, more convenient, more functional) mechanisms
for people to get the same benefits that they get from NATs today.
Although NATs may have started as a response to address space shortage,
today their use is driven by the needs for provider-independent addressing
and convenient access control. So, we need to work on better ways to
provide those things in IPv6.
I think that there are multiple ways to try and move users to another direction. One is that when there are enough interesting applications that the NAT users can't use because of NAT, they will start looking around. So I think we need to stop creating special cases so applications and functions will work through NAT boxes. This also goes for the transition mechanisms to IPv6.

Second, we need to document the negative sides of NAT on applications, as well as ways to achieve the same benefits you mentioned from NAT in other ways.

Anyway, although I don't like what you suggest above - I think it is the only thing that we can get some sort of consensus for and move on. But I think that we need to learn from the RFC1918 mistake and make sure we include an enforcement method.
What sort of enforcement method would you suggest?
Well, a first start is to have routers not route these by default, or preferably not at all. Including them as a MUST filter prefix might also be a good idea. In principle any method we can come up with that

a) Doesn't distribute reachability information
b) Enforces packet filtering as default

is a step in the right direction.


- kurtis -

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------

