On Thu, 7 Aug 2003, Andrew White wrote:
> > Just responding to a few points..
> > 
> > On Thu, 7 Aug 2003, Andrew White wrote:
> > > When that 6to4 address goes away, I don't want my persistent sessions
> > > to be forced to maintain a stale address.
> > 
> > Why not?  There's no problem with that, really.  You can continue using
> > bogus addresses as long as you want, the problems only start appearing
> > when you reconnect.
> 
> Real example: My ISP's DSL connection decides to drop the connection and
> reconnect (with a new IPv4 address, and thus 6to4 prefix) every 1-3 hours. 
> I'd rather not subject my internal network to that if I don't have to.

Switch ISP or complain to them.  I certainly wouldn't bear with that kind 
of behaviour.

If that kind of ISP technique is commonplace, we may need to do 
something.  But I'm not sure if that's the case.  Experiences?

Note: consider how many of these techniques are used to prevent people
from keeping servers at their home systems (i.e., does the ISP consider
the changing address a bug or feature).  Also consider how the situation
would change (if any) with IPv6 provided by the ISP.

Real example: at home, I use DHCP on DSL to get addresses.  During 1 year,
the addresses have changed _once_ (the ISP changed the prefix from which
it allocated the DSL users' addresses).  That's good enough for me, and I
even manually glue all the IPv4 and resulting 6to4 addresses in my
configuration files, filters etc.

> > I've made a counter point several times, and some probably agree, but
> > really think ANY solution which "promises" automatic filtering is a
> > non-starter.
> > 
> > It seems totally bogus to create an assumption that someone upstream will
> > just do it and rely on that.  YOU CAN'T RELY ON THAT.
> 
> Agreed.  Which is why my border router ALSO implements the same REQUIRED
> filter, no?  *shrug*

The application does not know such a filter is implemented, hence it
cannot assume security properties on specific kinds of addresses.

> It's whether an application can assume that global addresses are never
> filtered, and the answer is that it can't.  Ergo, global addresses are
> also scoped addresses.

There is a difference of a couple of degrees of magnitude here.  Absolute
yes/no are irrelevant (because there is always some filtering); it's more
important to figure out the probability which results in the highest
percentage of getting it right at the first try, a good percentage of
doing well at the second if really needed etc.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
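The practice described above, gluing the IPv4 address and the 6to4 addresses derived from it into configuration files and filters, breaks precisely when the ISP hands out a new IPv4 address. The following is an added example, not code from this thread: it derives the RFC 3056 6to4 /48 from an IPv4 address and lists which configured addresses or filter entries went stale after a renumbering, so they can be rewritten rather than left as stale filter holes. The IPv4 addresses and entries are constructed documentation values.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 prefix


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the 6to4 site prefix 2002:VVVV:VVVV::/48 from an IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    # RFC 3056 wants a globally unique unicast address; reject the ranges that
    # can never qualify (documentation addresses are accepted for the demo).
    if v4.is_multicast or v4.is_loopback or v4.is_unspecified or v4.is_link_local:
        raise ValueError(f"{ipv4} cannot be embedded in a 6to4 prefix")
    # The 32 IPv4 bits sit directly below the 16-bit 2002: prefix (bits 80..111).
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(v4) << 80), 48))


def stale_6to4_entries(old_v4: str, new_v4: str, entries):
    """Return (stale_entry, replacement) pairs for every configured address or
    network derived from old_v4 that must be rewritten now that new_v4 is in use.
    Entries outside the old 6to4 prefix (native addresses, ULAs) are left alone."""
    old = sixto4_prefix(old_v4)
    new = sixto4_prefix(new_v4)
    result = []
    for entry in entries:
        net = ipaddress.IPv6Network(entry, strict=False)
        if not net.subnet_of(old):
            continue
        # Keep the low 80 bits (subnet id + interface id), swap in the new /48.
        low = int(net.network_address) & ((1 << 80) - 1)
        moved = ipaddress.IPv6Address(int(new.network_address) | low)
        result.append((entry, f"{moved}/{net.prefixlen}"))
    return result


if __name__ == "__main__":
    # Constructed example: the DSL line reconnected and the ISP changed the IPv4 address.
    config = [
        "2002:c000:20a::/48",        # site prefix used in a filter rule
        "2002:c000:20a:1::1/128",    # a host address glued into a config file
        "2001:db8::/32",             # native prefix, unaffected by 6to4 renumbering
    ]
    for stale, fixed in stale_6to4_entries("192.0.2.10", "198.51.100.7", config):
        print(f"rewrite {stale} -> {fixed}")
```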


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
