
RE: ISMS working group

2005-09-08 11:06:22
Ken,

I appreciated your posting but I surmise that what we may have here is a
divergence in world views. I suspect that many readers of your and
Eliot's postings view the current Internet topology as consisting of
autonomous systems linked to the Internet via BGP connections and
perimeter-defense firewalls. People with this world view probably
believe that the management station is always on the same side of the
firewall as the managed devices. However, you and I have a different
perspective in which the concept of "corporate perimeter" has been
modified, such that there are potentially many diverse local reasons why
a single policy zone may need to manage devices across firewalls.

Specifically, large end users often have business relationships that
cause our perimeter defense system to become "porous". For perhaps the
past seven years it has no longer been the case that all of the network
resources for many Fortune 100 companies have been inside their
firewalls. I am not talking about the "mobile user" who, on business
trips, for example, may need to access corporate resources through
Radius servers. I am rather talking about enduring business
relationships that cause corporations to "open up" their perimeters to
other entities for specific business reasons, including possibly
defining joint deployments together or establishing "islands" of one
corporation within the networks of another. In addition, it is not
unknown for some intra-corporate entity to conclude that their
activities are "too important" or "too sensitive" to trust other
corporate entities such that they deploy firewalls internally within the
corporation itself. If there is an incongruence between management
responsibilities and firewall placement, a subset of devices will be
managed across firewalls. Such is life in the subset of the real world
with which I am familiar.

--Eric

> Ignoring these relegates any solution to
> theoretical situations or very small in-
> home or in-group solutions. Then someone else will have to figure
> out some way to manage anything larger scale, which will be able to
> also handle small scale and so will overwhelm the non-firewalling,
> non-NAT-ing designs. But only after such a relatively impotent
> design confuses the world by adding yet one more standard to choose
> from.

_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
