
Re: A follow up question

2003-04-24 13:59:34
Tony Hain wrote:
But that aside, SL is not the issue, the issue is that apps have come to
believe that the topology is flat so they can pass around handles
constructed of topology specific information. The reality all along has
been that some addresses were not reachable outside an administrative
scope of relevance. Writing those cases off in a client/server world was
mostly possible, but in the peer-to-peer world of IPv6 that is no longer
possible.

As there are many entities that provide firewalling functionality, it is unreasonable to assume that it would be possible for each of these to be the address authority for either end of a connection. Thus, an application must deal with multiple administrative domains today. In some circumstances, administrative firewalls exist specifically to block particular applications. And... network error messages may or may not be appropriate to a given circumstance. It all depends on your threat model.

Along these same lines, there is no reason to assume that the end host will be trusted by the firewall sufficiently such that a POLICY exchange would be allowed. It is one thing to say, "Permission denied", and quite something else to say when one will deny permission. SLs and IPv6 provide neither advance nor regression in this regard.

I take exception to this:

I agree to a point. My button is pushed by those that claim a technology
'creates more problems than it solves', when they simultaneously admit
they don't have a clue what problems need solving.

Most of us -- MOST OF US -- have a clue. That you refuse to recognize it and respect those opinions is unfortunate.

To that end I started
a draft on what problems need solving, so we can sort out the cases that
the current technology does solve, as well as begin to identify
alternatives. IF we get to a point where there are alternatives for all
the cases people care about, we should drop the unused technology.

And many of us have been saying that we have something that works today, RIR policies notwithstanding. It's IPv4.

Eliot




