ietf

Re: site-local != NAT

2003-05-01 11:38:16
> My point was that there are topology locators that are only viable
> within a scope defined by the local network manager.

yes, we know this.  it's a bad idea, and we need to stop
pretending it's a legitimate thing to do.  that way, when the
network manager does this, it's his fault when things break.

network managers do have legitimate needs that must be
respected.  this is not one of them.

> So your position is that network managers are required to route all
> prefixes in the global table, and access controls are to be removed

no, I probably misunderstood what you meant by 'viable'.

my position is that

- ambiguous addresses are harmful;

- packet filtering based on addresses, and filtering of advertised
  routes, are not very good ways to implement host security, but the
  current state of authentication is such that these crude mechanisms
  cannot be dispensed with entirely anytime soon;

- apps need to be able to pass around tokens that are reliably and
  precisely associated with hosts, and which can be used to reliably
  and efficiently send messages to hosts (modulo access control
  limitations), and DNS cannot adequately provide this service;

- forcing hosts to make the right choice from several (source,
  destination) address pairs in order to successfully send packets to a
  destination is unrealistic, especially when those choices require
  information that is not readily available to hosts or applications.

Keith
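
The last two points above (ambiguous addresses, and hosts being forced to pick the right (source, destination) pair) can be shown concretely. The following is an added example, not code from the thread or from any IETF document: it models a host in one site that learns two addresses for a server in another site, one site-local (fec0::/10) and one global, and walks through the pairs a simple "prefer matching scope, then prefer the smaller scope" policy would try. The scope classes, the selection policy, the site names, addresses and host names are all assumptions constructed for the example; the point it makes is that the site-local pair is tried first, reaches a different host in the sender's own site, and the sender has no information that would let it know.

```python
"""Added example (not from the original thread): why a host cannot safely
pick a (source, destination) address pair when site-local (fec0::/10)
addresses are ambiguous across sites.

Assumptions (not from the page): scope classes are link-local (fe80::/10),
site-local (fec0::/10) and global; the selection rule modelled is
"only pair matching scopes, then prefer the smaller scope". Site names,
addresses and host names below are constructed sample data.
"""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")

# Smaller number = smaller scope; the toy policy prefers smaller scopes.
SCOPE_RANK = {"link": 0, "site": 1, "global": 2}


def scope(addr):
    """Classify an IPv6 address into the scope classes assumed above."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link"
    if a in SITE_LOCAL:
        return "site"
    return "global"


def order_pairs(sources, destinations):
    """Return the (src, dst) pairs a host would try, most preferred first.

    Only pairs whose scopes match are viable; among those the toy policy
    prefers the smaller scope, so a site-local pair is tried before a
    global one whenever both exist.
    """
    pairs = [(s, d) for s in sources for d in destinations
             if scope(s) == scope(d)]
    return sorted(pairs, key=lambda p: SCOPE_RANK[scope(p[1])])


def deliver(dst, local_site, site_table):
    """Model which host a packet to dst actually reaches.

    site_table maps (site, address) -> host for site-local addresses and
    ("global", address) -> host for global ones.  A site-local destination
    is resolved inside the sender's own site, because fec0::/10 prefixes
    are never routed between sites; that is exactly what makes the same
    address mean different hosts in different sites.
    """
    key = ("global", dst) if scope(dst) == "global" else (local_site, dst)
    return site_table.get(key)  # None: no such host, packet is dropped


# Constructed topology: two independent sites both numbered out of fec0::/10.
SITE_TABLE = {
    ("siteA", "fec0::1"): "printer-in-A",
    ("siteB", "fec0::1"): "server-in-B",
    ("global", "2001:db8:b::1"): "server-in-B",
}


def first_reachable(sources, destinations, local_site, want,
                    site_table=SITE_TABLE):
    """Try pairs in preference order; record where each attempt ends up.

    Returns a list of (src, dst, host_reached) tuples, stopping at the
    first attempt that reaches the intended host.  Note that the sender
    cannot tell a misdelivered attempt from a correct one: nothing in the
    packet or the address says which site fec0::1 belongs to.
    """
    attempts = []
    for src, dst in order_pairs(sources, destinations):
        got = deliver(dst, local_site, site_table)
        attempts.append((src, dst, got))
        if got == want:
            break
    return attempts


if __name__ == "__main__":
    # A host in siteA with link-local, site-local and global addresses
    # (constructed) wants to reach server-in-B; DNS returned both of the
    # server's addresses.
    my_addrs = ["fe80::a", "fec0::a", "2001:db8:a::a"]
    server_addrs = ["fec0::1", "2001:db8:b::1"]
    for src, dst, got in first_reachable(my_addrs, server_addrs,
                                         "siteA", "server-in-B"):
        print(f"{src} -> {dst}: reached {got}")
```

Running it shows the site-local pair delivering to `printer-in-A` before the global pair reaches `server-in-B`. The only way to avoid the first attempt is for the host to know which site the foreign fec0::1 belongs to, which is the information the message above says hosts and applications do not have.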


