Domain isolation is good up to the point that "Option C style" is needed (for E2E services, without any GW in the middle) Then domain isolation would become not so isolated. It is the rear case now, but Cloud/DC is a good example of when it is better not to have an additional gateway for service stitching. Ed/ -----Original Message----- From: Gert Doering [mailto:gert@space.net] Sent: Thursday, February 24, 2022 9:20 PM To: Vasilenko Eduard <vasilenko.eduard@huawei.com> Cc: Jeroen Massar <jeroen@massar.ch>; Gert Doering <gert@space.net>; JORDI PALET MARTINEZ via ipv6-wg <ipv6-wg@ripe.net> Subject: Re: [ipv6-wg] Hijacking unused address space for a private infrastructure - any legal consequences? Hi, On Thu, Feb 24, 2022 at 06:11:59PM +0000, Vasilenko Eduard via ipv6-wg wrote:
Eh. So, you might want to consider not deploying insecure technology (SRv6) that has very obvious security problems, as has been pointed out on the various IETF lists, or misusing address space for something it is not meant for.
The next solution in the same draft https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compr ession-00 does not have the same problem. It has just one copy of the prefix in the destination address. Hence, it could be any length (even bigger the /64).
Much better wrt address consumption, but still SR6 has unsolved security problems. As a consequence, SR6 can only be deployed if your network is fully disconnected from everyone else (including possibly untrusted customers) - and if you have that, it does not really matter what addresses you use. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279