[ppml] ULA

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Randy" == Randy Bush <randy at psg.com> writes:
    >> All ULA space (L, C, G, or whatever) will come out of a single /7, which 
    >> should be route-filtered on all DFZ routers.

    Randy> the problem is the same old site local problem, what is a border.  this
    Randy> is exacerbated in ula-c by expecting conversation between 'private'
    Randy> spaces.  so you will have semi-permeable borders.  so i share part of my
    Randy> space with my vendor to the left, part with my customers to my right,
    Randy> and ...

  Randy, but you missed the point.
  The ULA proposal should say that all routers, everywhere, should
filter ULA/7 space --- by this I mean, blackhole route, not ACL. (Plus
ingress filtering on source IPs)

  Then, when you want to have semi-permeable borders, you permit
specific /32 or /48s through.  This is MUCH easier than with site-local
addresses, because the router is assured that it doesn't have the same
site-local address on two interfaces.

  Further, the reason I don't like rfc4193 for use in other than ad-hoc
networks is that a third party can't tell who an address belongs to. So,
when you *do* get:

    Randy> can you say "massive misconfiguration and leakage" three times quickly?

  you can use whois to find out who it belongs to.
  In the absense of ULA-Vixie (which letter is your's Paul?), people
like me are going to ask for PI space. (Thank you to those who offered
me a /48 out of their assignment, btw)

- -- 
Michael Richardson <mcr at xdsinc.net>
XDS Inc, Ottawa, ON             
Personal: http://www.sandelman.ca/mcr/ 



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQDVAwUBRu/ndu0sRu40D6vCAQKgMgX+M5b/lk1dCiWhhBXfDOPTp7OoWRyzFxjh
n5e6qqnXMNPldUCTI+oxL9L1DNs7dVbUh6vPHxDevJbcwCx29EA8XP8BTUSLktZf
Zpcs5IdA5cSN9elAoZVaUq4bPpJOdG+GthSCAqRgcQ3Eqt8RY7MD3LLvDclHppy0
55H4jL9mUiKLhuOCQ86VdmLY+rhrAI3GEkHzDF7slNqzRbgqYodJgckd+q+QD6KU
/jnlfx4Pq461MVP/D6fCAc3x6Iac4gNr
=jeIi
-----END PGP SIGNATURE-----