
RE: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

2007-07-02 19:01:27
That is pretty much it.

The one additional point being that we all take a realistic view of what people 
out there will actually pay for and what they will actually use.

I can manage to get people to pay for security. Getting them to then use the 
security they have paid for is a much harder problem. How many of us have 
installed S/MIME or PGP, and how many people use them?


The reason I am raising these issues is not to be defeatist. I think that we 
can solve these problems but only if we are prepared to build a solution around 
the one problem that every CIO has to take notice of - the cost of 
administration.

I don't mean one of those marketecture TCO type jobs either where someone 
spends $100K to save $300K in hypothetical costs. I mean a system where the 
incremental costs are no more than $0.25 per device and the savings are clearly 
two orders of magnitude greater than the costs.


There is a large consortium of big IT customers calling itself Jericho Forum 
that is talking about deperimeterization and the need for a new network 
architecture. So far they have not really found one but when they do they have 
the power to make every vendor sit up and take notice as they are going to 
write a requirement to support their architecture into every RFP they issue.

They want security and they understand that cost of administration is a major 
issue they need to control.

It would be to everyone's advantage if the architecture they decide on also 
makes a transition to IPv6 easy and painless.


From: David Morris [mailto:dwm(_at_)xpasc(_dot_)com] 

As the administrator of several small networks, it is quite 
simple. By re-writing the address, the NAT is a de facto 
default deny. I have a lot more trust in the simplicity of a 
basic NAT in a consumer firewall than I do in any firewall 
which has to examine each packet for conformance to complex 
policy rules.

But, this misses the point I see in Phillip's discussion... I 
read his ultimate proposal as:
  a. Stop bashing NAT, it provides value in the current network and
     has prevented a total meltdown which would have happened if every
     early OS were directly attached to the internet
  b. REPLACE NAT with a default deny infrastructure ... more than
     just a single FW choke point.

On Mon, 2 Jul 2007, Melinda Shore wrote:

On 7/2/07 11:14 AM, "Hallam-Baker, Phillip" 
<pbaker(_at_)verisign(_dot_)com> wrote:
There is no other device that can provide me with a lightweight 
firewall for $50.

Of course there is - the same device that's providing the NAT.

NAT by itself is intrinsically policy-free, although it implements 
policy as a side-effect.  I'm unclear on why you think that a 
default-deny policy is better implemented on a NAT than on 
a firewall.
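The disagreement above (NAT as an incidental default deny versus a firewall with an explicit default-deny policy) can be made concrete with a small simulation. The following Python is an added example written for this archive page; it is not code from any of the posters, and every address, port and rule in it is constructed for the illustration. It models a port-translating NAT, which forwards an inbound packet only when an earlier outbound packet created a mapping, next to a stateful firewall whose last rule is deny, and then runs the same three inbound cases through both: a reply to an inside-initiated connection, an unsolicited probe, and an inbound connection to a service the administrator explicitly allowed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = inside -> internet, "in" = internet -> inside

class Nat:
    """Port-translating NAT. Inbound forwarding is purely a side-effect of the
    translation table: no mapping, no delivery. There is no rule to inspect."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.reverse = {}  # (inside_ip, inside_port, remote_ip, remote_port) -> public port

    def process(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.reverse:
                self.table[self.next_port] = key
                self.reverse[key] = self.next_port
                self.next_port += 1
            return Packet(self.public_ip, self.reverse[key], pkt.dst, pkt.dport, "out")
        entry = self.table.get(pkt.dport)
        # Drop unless the packet comes from the same remote endpoint the mapping was built for.
        if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
            return None
        inside_ip, inside_port, _, _ = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, "in")

class StatefulFirewall:
    """No address rewriting. Policy is explicit: allow-listed services, then
    established flows from a connection-tracking table, then default deny."""
    def __init__(self, inbound_allow=()):
        self.inbound_allow = set(inbound_allow)  # {(inside_ip, dport), ...}
        self.conntrack = set()                   # {(inside_ip, inside_port, remote_ip, remote_port)}

    def process(self, pkt):
        if pkt.direction == "out":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return pkt
        if (pkt.dst, pkt.dport) in self.inbound_allow:
            return pkt
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return pkt
        return None  # default deny

def run_scenario():
    """Run constructed traffic through both devices and report what got through."""
    inside, server, public, remote, probe = ("192.168.1.10", "192.168.1.20",
                                             "198.51.100.1", "203.0.113.5", "198.18.0.9")
    nat = Nat(public)
    fw = StatefulFirewall(inbound_allow={(server, 443)})  # one deliberate exception

    # 1. Inside host opens a connection outward through each device.
    out = Packet(inside, 51000, remote, 443, "out")
    nat_out = nat.process(out)
    fw.process(out)

    # 2. The remote server replies; the NAT sees its public address, the firewall the real one.
    nat_reply = nat.process(Packet(remote, 443, public, nat_out.sport, "in"))
    fw_reply = fw.process(Packet(remote, 443, inside, 51000, "in"))

    # 3. An unsolicited probe to an inside host's SSH port, which nothing invited.
    nat_probe = nat.process(Packet(probe, 12345, public, 22, "in"))
    fw_probe = fw.process(Packet(probe, 12345, inside, 22, "in"))

    # 4. A new inbound connection to the allow-listed service (no prior outbound traffic).
    nat_svc = nat.process(Packet(probe, 23456, public, 443, "in"))
    fw_svc = fw.process(Packet(probe, 23456, server, 443, "in"))

    return {
        "nat_translated_src": (nat_out.src, nat_out.sport),
        "nat_reply_forwarded": nat_reply is not None and nat_reply.dst == inside,
        "fw_reply_forwarded": fw_reply is not None,
        "nat_unsolicited_dropped": nat_probe is None,
        "fw_unsolicited_dropped": fw_probe is None,
        "nat_service_reachable": nat_svc is not None,  # False: NAT has no policy hook for this
        "fw_service_reachable": fw_svc is not None,    # True: the exception is an explicit rule
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Both devices drop the unsolicited probe, which is the property David Morris values. The difference shows up in the last case: the firewall expresses the exception as one reviewable rule, whereas the NAT can only reach the same result by adding a static mapping, which is why Melinda Shore describes its default deny as a side-effect rather than a policy.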



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
