The only issue I can see arise is when a site-local address would have to communicate with foreign entities not local to itself. In such an implementation a "barrier" that logically and/or physically separates the two entities from one another would serve a purpose. This "barrier" can be in many forms: a proxy, a NAT device, and what is commonly known as a firewall. Being a security professional as well as a network professional, blanket dismissal of security devices could prove to become a huge flaw if we take a stance of negating them so early on in the process.

Kim Sassaman

-----Original Message-----
From: Behcet Sarikaya [mailto:behcet.sarikaya@alcatel.com]
Sent: Thu 9/19/2002 7:29 AM
To: Pekka Savola
Cc: v6ops@ops.ietf.org
Subject: Re: raw thoughts on v6 firewalls

Hello Pekka,

Site-local addresses would provide the same functionality and therefore there is no need to introduce firewalls into v6. Is there anything wrong with the above argument?

Regards,

Pekka Savola wrote:
>Hi,
>
>Regarding v6ops meeting discussion..
>
>I don't think v6 firewalls can be killed. They're a mechanism to ensure
>some form of security policy; trusting end nodes to do the right thing is
>not enough.
>
>But there are problems with v6 firewalling. I've been trying to get
>around to writing a draft for a year or so now but never did it (further
>than the baseline summary of the content): perhaps now it's a better time.
>
>One potentially major deployment issue is how the firewall is supposed to
>handle packets where extension header contains a header it does not
>recognize and thus cannot parse e.g. UDP/TCP headers.
>
>

-- Behcet
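Pekka's deployment issue above (a firewall that hits an extension header it does not recognize and so never reaches the TCP/UDP header), shown as an added example that is not from anyone on this thread: a minimal walk of the IPv6 extension header chain followed by a default-deny decision. The packets, the port policy and the header-building helper are constructed for the example; the Next Header values are the IANA protocol numbers.

```python
import struct
# Next Header values (IANA protocol numbers) that this example understands.
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ICMPV6, NONXT, DSTOPTS = 0, 6, 17, 43, 44, 58, 59, 60
CHAINABLE = {HOPOPT, ROUTING, DSTOPTS}  # generic "Next Header, Hdr Ext Len" layout
UPPER = {TCP, UDP, ICMPV6, NONXT}       # where port-based matching can start

def walk_chain(pkt):
    """Follow the extension header chain; (upper_nh, offset) or (None, reason)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, "not IPv6"
    nh, off = pkt[6], 40
    for _ in range(8):                  # bound the walk; longer chains are bogus
        if nh in UPPER:
            return nh, off
        if off + 8 > len(pkt):
            return None, "truncated extension header"
        if nh in CHAINABLE:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:            # fixed 8 bytes; Hdr Ext Len field is reserved
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None, "non-initial fragment carries no transport header"
            nh, off = pkt[off], off + 8
        else:   # unknown extension header or unknown upper layer: layout unknown, stop
            return None, f"unrecognized Next Header {nh} at offset {off}"
    return None, "extension header chain too long"

def firewall_decision(pkt, allowed_tcp_dports):
    """Default-deny: anything the walk cannot classify is dropped (and would be logged)."""
    nh, info = walk_chain(pkt)
    if nh is None:
        return "DROP", f"cannot reach transport header: {info}"
    if nh == TCP and info + 4 <= len(pkt):
        sport, dport = struct.unpack("!HH", pkt[info:info + 4])
        return ("ACCEPT" if dport in allowed_tcp_dports else "DROP"), f"tcp {sport}->{dport}"
    return "DROP", f"no rule for upper-layer protocol {nh}"

def build(ext_chain, upper_nh, payload):
    """Constructed sample packet: fixed IPv6 header + [(next_header, hdr_ext_len)...] + payload."""
    body, first_nh = payload, upper_nh
    for kind, ext_len in reversed(ext_chain):   # back to front so each NH points forward
        body = bytes([first_nh, ext_len]) + b"\x00" * ((ext_len + 1) * 8 - 2) + body
        first_nh = kind
    fixed = struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64) + b"\x00" * 32
    return fixed + body                 # src/dst addresses left as zeros (constructed)

# Constructed TCP SYN header, port 40000 -> 80, no options (20 bytes).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
```

A packet whose chain contains a Next Header value the walk does not know (253 below, one of the experimental values) is dropped with the reason recorded, which is the conservative answer to the question Pekka raises; a real firewall would also have to decide what to do with non-initial fragments, which carry no transport header at all.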