What we need is an architecture for multilayered defense that allows
centralized policy specification (which is merged with host policy)
and which is application-aware.
You mean like midcom?
No. For the most part, apps shouldn't have to be aware of the existence
of middleboxes, and there shouldn't be an either/or decision about
trustworthiness of the app. (You might make an exception for certain
kinds of explicit proxies.) Rather, the middleboxes and apps should all
be made aware of the network's policy and all expected to enforce it at
a level which is consistent with their function. There should be
strict limits as to the degree to which a middlebox can interfere with
e2e traffic. Other components, e.g. intrusion detection, should also be
made aware of the policy so that they can detect when it is violated
and raise appropriate alarms.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
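The following is an added toy model of the architecture sketched in the reply above; it is example code written for this page, not something posted to the list or taken from any IETF document. It assumes a simple first-match allow/deny rule format, a merge in which the host policy may only tighten the central policy (host deny rules go first, host allow rules are discarded), a middlebox whose only decision is forward-or-drop, an application that checks the same policy before connecting, and an IDS that flags observed flows the merged policy denies. The policies and flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "*" for any
    src: str                 # CIDR, e.g. "0.0.0.0/0" for any source
    dst: str                 # CIDR
    dst_port: Optional[int]  # None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dst_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    return (rule.proto in ("*", flow.proto)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port)
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst))


def decide(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow is denied (assumed semantics)."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


def merge(central: List[Rule], host: List[Rule]) -> List[Rule]:
    """Merge a host policy into the central one so the host can only tighten it:
    host deny rules are evaluated first, host allow rules are dropped (assumption)."""
    return [r for r in host if r.action == "deny"] + central


def middlebox_forward(policy: List[Rule], flow: Flow) -> bool:
    """The middlebox's whole decision is forward-or-drop; it never rewrites the flow,
    which is the 'strict limit on interference' from the message above."""
    return decide(policy, flow) == "allow"


def app_connect(policy: List[Rule], flow: Flow) -> str:
    """An application enforces the same policy at its own level, before it even
    tries to open the connection, instead of relying on a middlebox to stop it."""
    if decide(policy, flow) != "allow":
        raise PermissionError(
            f"policy denies {flow.proto} {flow.src}->{flow.dst}:{flow.dst_port}")
    return "connected"


def ids_alerts(policy: List[Rule], observed: List[Flow]) -> List[str]:
    """A policy-aware IDS: any flow seen on the wire that the merged policy denies
    means some enforcement point was bypassed or misconfigured, so raise an alarm."""
    return [f"policy violation: {f.proto} {f.src}->{f.dst}:{f.dst_port}"
            for f in observed if decide(policy, f) != "allow"]


# Constructed sample policies: the network allows only TCP/443 into 10.0.0.0/8;
# the host additionally blocks 10.5.0.0/16 and (futilely) tries to allow SSH.
CENTRAL = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.0/8", 443),
    Rule("deny", "*", "0.0.0.0/0", "0.0.0.0/0", None),
]
HOST = [
    Rule("deny", "*", "0.0.0.0/0", "10.5.0.0/16", None),
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.0/8", 22),   # discarded by merge()
]
POLICY = merge(CENTRAL, HOST)

# Constructed flows as an IDS might observe them on the wire.
OBSERVED = [
    Flow("tcp", "192.0.2.10", "10.1.2.3", 443),   # permitted
    Flow("tcp", "192.0.2.10", "10.1.2.3", 22),    # central policy denies
    Flow("tcp", "192.0.2.10", "10.5.1.1", 443),   # host policy tightens: denied
]


def demo() -> dict:
    """Run all three enforcement/detection points over the sample flows."""
    return {
        "forwarded": [middlebox_forward(POLICY, f) for f in OBSERVED],
        "alerts": ids_alerts(POLICY, OBSERVED),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the same merged policy object is handed to every component; each one acts at its own level (drop, refuse to connect, raise an alarm), and none of them needs to know the others exist.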