Re: [Full-disclosure] IPv6 security myths

2010-10-27 10:04:17

"Fernando" == Fernando Gont <fernando(_at_)gont(_dot_)com(_dot_)ar> writes:
    >> For instance, a reason to create a new network "zone" is because we
    >> don't provide printers with decent access control lists (authorization),
    >> instead, we make them wide open and then throw WPA on the wireless so
    >> that it's "secure", and then assume if you've authenticated, you are
    >> authorized to print. 
    >> IPv6 would make that a new subnet, no additional layer of NAT, and do
    >> the authorization by IP address.

    Fernando> Huh? Why would one authorize access to a printer on a per-address basis?
    Fernando> Why should every user on the same computer have the same access rights
    Fernando> to the printer? -- This is probably a hint that, even if deployable,
    Fernando> IPsec may not be what you need/want.

Right now, everyone who knows the WPA2 key for the network can print.
I agree that the printer needs finer grained access controls.

IPsec, the specification, btw, has them, but they are not widely
implemented, and there has been no interest in the community towards any
kind of standard API for applications to be able to communicate with the
IPsec service about that. 

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr(_at_)sandelman(_dot_)ottawa(_dot_)on(_dot_)ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition. 