Behcet Sarikaya wrote:
Hello Pekka,
Site-local addresses would provide the same functionality and
therefore there is no need to introduce firewalls into v6.
Is there anything wrong with the above argument?
Lots. It's very similar to the argument that NAT is a security
feature, which is absolutely untrue.
Firewalls block incoming connections with global destination addresses.
The existence of site-local addresses is orthogonal to this. You still
need to allow some incoming connections to global addresses, and
block others.
(Firewalls do more than that, but this is sufficient to answer
your question.)
Brian