ietf
[Top] [All Lists]

RE: Port numbers and IPv6(was: I-D ACTION:draft-klensin-iana-reg-policy-00.txt)

2005-07-19 19:01:27
At 2:35 PM -0700 7/19/05, Hallam-Baker, Phillip wrote:
 > Host and application security are not the job of the network.

They are the job of the network interfaces. The gateway between a
network and the internetwork should be closely controlled and guarded.

Nobody is really proposing embedding security into the Internet backbone
(at least not yet). But the backbone has always had controls enforced
such as ingress and egress filtering.

no, it does not, although many folks might like to believe this is true. relying on every ISP to perform such filtering also would be a blatant violation of the principle of least privilege anyway.

 Most people think that carriers
should not be allowing people to inject bogons.

Modern security architectures do not rely exclusively on application
security. If you want to connect up to a state of the art corporate
network the machine has to authenticate.

the notion that one has to "log into the net" is a quaint one, perhaps inspired by Windows and the registry. as a mac user, I can't relate to this notion, nor can most Unix users, I bet.

In the future every hub, every
router, every NIC will be performing policy enforcement.

if folks rely on such distributed enforcement, they will get what they deserve.

why not just propose rigorous enforcement of setting the evil bit by all network attachment devices, etc?

De-perimeterization is not really about removing the firewalls, it is
really about making every part of the *network* into a security control
point.

Firewalls were created, in part, because site admins realized that they were unable to perform configuration management for the many devices on their nets. a firewall was a device owned by the admin and under his control, and if it acted as a gatekeeper for the net, then his job was easier. the fact that it is am imperfect gatekeeper is a second order issue.

Steve

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf