IETF Logo Mail Archive

RE: ISMS working group

"Fleischman, Eric" <eric.fleischman@boeing.com> Thu, 08 September 2005 18:04 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EDQlG-0001bX-Py; Thu, 08 Sep 2005 14:04:34 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EDQlD-0001bJ-S1; Thu, 08 Sep 2005 14:04:32 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA06521; Thu, 8 Sep 2005 14:04:29 -0400 (EDT)
Received: from blv-smtpout-01.boeing.com ([130.76.32.69]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EDQob-0003CH-Na; Thu, 08 Sep 2005 14:08:04 -0400
Received: from stl-av-01.boeing.com ([192.76.190.6]) by blv-smtpout-01.boeing.com (8.9.2.MG.10092003/8.8.5-M2) with ESMTP id LAA20967; Thu, 8 Sep 2005 11:04:12 -0700 (PDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (localhost [127.0.0.1]) by stl-av-01.boeing.com (8.11.3/8.11.3/MBS-AV-LDAP-01) with ESMTP id j88I4BS07989; Thu, 8 Sep 2005 13:04:12 -0500 (CDT)
Received: from XCH-NW-6V1.nw.nos.boeing.com ([130.247.55.53]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 8 Sep 2005 11:04:08 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 08 Sep 2005 11:04:07 -0700
Message-ID: <474EEBD229DF754FB83D256004D02108BBC907@XCH-NW-6V1.nw.nos.boeing.com>
Thread-Topic: ISMS working group
Thread-Index: AcW0jcYmXyoKVA3cTBWrDE6Pg6Hq5wADWIhw
From: "Fleischman, Eric" <eric.fleischman@boeing.com>
To: Ken Arnold <arnold@moonhill.org>, Eliot Lear <lear@ofcourseimright.com>
X-OriginalArrivalTime: 08 Sep 2005 18:04:08.0323 (UTC) FILETIME=[B53A6530:01C5B49F]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Content-Transfer-Encoding: quoted-printable
Cc: iesg@ietf.org, ietf@ietf.org
Subject: RE: ISMS working group
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

Ken,

I appreciated your posting but I surmise that what we may have here is a
divergence in world views. I suspect that many readers of your and
Eliot's postings view the current Internet topology as consisting of
autonomous systems linked to the Internet via BGP connections and
perimeter-defense firewalls. People with this world view probably
believe that the management station is always on the same side of the
firewall as the managed devices. However, you and I have a different
perspective in which the concept of "corporate perimeter" has been
modified, such that there are potentially many diverse local reasons why
a single policy zone may need to manage devices across firewalls.

Specifically, large end users often have business relationships that
cause our perimeter defense system to become "porous". For perhaps the
past seven years it has no longer been the case that all of the network
resources for many Fortune 100 companies have been inside their
firewalls. I am not talking about the "mobile user" who, on business
trips, for example, may need to access corporate resources through
Radius servers. I am rather talking about enduring business
relationships that cause corporations to "open up" their perimeters to
other entities for specific business reasons, including possibly
defining joint deployments together or establishing "islands" of one
corporation within the networks of another. In addition, it is not
unknown for some intra-corporate entity to conclude that their
activities are "too important" or "too sensitive" to trust other
corporate entities such that they deploy firewalls internally within the
corporation itself. If there is an incongruence between management
responsibilities and firewall placement, a subset of devices will be
managed across firewalls. Such is life in the subset of the real world
with which I am familiar.

--Eric

>Ignoring these relegates any solution to 
>theoretical situations or very small in- 
>home or in-group solutions.  Then someone else will have to figure  
>out some way to manage anything larger scale, which will be able to  
>also handle small scale and so will overwhelm the non-firewalling,  
>non-NAT-ing designs.  But only after such a relatively impotent  
>design confuses the world by adding yet one more standard to chose
from.

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email