RE: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt
2007-07-02 19:01:27
That is pretty much it
The one additional point being that we all take a realistic view of what people
out there will actually pay for and what they will actually use.
I can manage to get people to pay for security. Getting them to then use the
security they have paid for is a much harder problem. How many of us have
installed S/MIME or PGP, how many people use them?
The reason I am raising these issues is not to be defeatist. I think that we
can solve these problems but only if we are prepared to build a solution around
the one problem that every CIO has to take notice of - the cost of
administration.
I don't mean one of those marketecture TCO type jobs either where someone
spends $100K to save $300K in hypothetical costs. I mean a system where the
incremental costs are no more than $0.25 per device and the savings are clearly
two orders of magnitude greater than the costs.
There is a large consortium of big IT customers calling itself Jericho Forum
that is talking about deperimeterization and the need for a new network
architecture. So far they have not really found one but when they do they have
the power to make every vendor sit up and take notice as they are going to
write a requirement to support their architecture into every RFP they issue.
They want security and they understand that cost of administration is a major
issue they need to control.
It would be to everyone's advantage if the architecture they decide on also
makes a transition to IPv6 easy and painless.
From: David Morris [mailto:dwm(_at_)xpasc(_dot_)com]
As the administrator of several small networks, it is quite
simple. By re-writing the address, the NAT is a de facto
default deny. I have a lot more trust in the simplicity of a
basic NAT in a consumer firewall than I do in any firewall
which has to examine each packet for conformance to complex
policy rules.
But, this misses the point I see in Phillip's discussion... I
read his ultimate proposal as:
a. Stop bashing NAT, it provides value in the current network and
has prevented a total meltdown which would have happened if every
early OS were directly attached to the internet
b. REPLACE NAT with a default deny infrastructure ... more than
just a single FW choke point.
On Mon, 2 Jul 2007, Melinda Shore wrote:
On 7/2/07 11:14 AM, "Hallam-Baker, Phillip"
<pbaker(_at_)verisign(_dot_)com> wrote:
There is no other device that can provide me with a lightweight
firewall for $50.
Of course there is - the same device that's providing the NAT.
NAT by itself is intrinsically policy-free, although it implements
policy as a side-effect. I'm unclear on why you think that a
default-deny policy is better implemented on a NAT than on
a firewall.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf