> So you're not arguing against scoped addresses per se, you're arguing
> against having both scoped and global addresses on the same host?

it turns out that this doesn't solve the problem. the addresses will still leak. apps will still be expected to cope with the mixture of ambiguous and unambiguous addresses.

> I see the
> same problem occurring if a host has two global addresses which are treated
> differently by the firewall(s),

I see that as a different problem - in particular, in that case there's no need for apps to cope with ambiguous IP addresses. as a result it's much clearer that it's unreasonable to expect apps to talk to the nodes whose traffic is being filtered.

> The only SL-specific problem is when naughty applications pass network-layer
> addresses across site boundaries

which is a perfectly healthy and reasonable thing for apps to do. (not that they can tell where those site boundaries are anyway)

> ; such applications must be "address aware"
> anyways, so understanding SL isn't much of an incremental burden.

using an address as an opaque identifier doesn't require address awareness.

Keith