Re: [Full-disclosure] IPv6 security myths

2010-10-26 23:26:16
Michael,

> For instance, a reason to create a new network "zone" is because we
> don't provide printers with decent access control lists (authorization),
> instead, we make them wide open and then throw WPA on the wireless so
> that it's "secure", and then assume if you've authenticated, you are
> authorized to print.
> IPv6 would make that a new subnet, no additional layer of NAT, and do
> the authorization by IP address.

Huh? Why would one authorize access to a printer on a per-address basis?
Why should every user on the same computer have the same access rights
to the printer? -- This is probably a hint that, even if deployable,
IPsec may not be what you need/want.


> (with SEND to secure the mapping!)

And you argued against overly complex networks?

Sigh.... (paraphrasing you) "and then we throw IPsec and SEND so that
it's secure, and then assume that if your IP address is authorized, the
user at that IP address is authorized to print".

Thanks,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf