RE: Why Scopes? (was: Re: [saad] About saad)

Erik Nordmark <Erik.Nordmark@sun.com> Tue, 21 October 2003 13:11 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA16454 for <saad-archive@odin.ietf.org>; Tue, 21 Oct 2003 09:11:27 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABwHz-0005h9-Mn for saad-archive@odin.ietf.org; Tue, 21 Oct 2003 09:11:08 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h9LDB7Rb021892 for saad-archive@odin.ietf.org; Tue, 21 Oct 2003 09:11:07 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABwHz-0005h1-Di for saad-web-archive@optimus.ietf.org; Tue, 21 Oct 2003 09:11:07 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA16404 for <saad-web-archive@ietf.org>; Tue, 21 Oct 2003 09:10:56 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ABwHx-0003Gf-00 for saad-web-archive@ietf.org; Tue, 21 Oct 2003 09:11:06 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1ABwHx-0003Gb-00 for saad-web-archive@ietf.org; Tue, 21 Oct 2003 09:11:05 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABwHs-0005fG-Uj; Tue, 21 Oct 2003 09:11:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ABwHA-0005TZ-GK for saad@optimus.ietf.org; Tue, 21 Oct 2003 09:10:16 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA16364 for <saad@ietf.org>; Tue, 21 Oct 2003 09:10:05 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ABwH8-0003GG-00 for saad@ietf.org; Tue, 21 Oct 2003 09:10:14 -0400
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx with esmtp (Exim 4.12) id 1ABwH7-0003GC-00 for saad@ietf.org; Tue, 21 Oct 2003 09:10:13 -0400
Received: from bebop.France.Sun.COM ([129.157.174.15]) by brmea-mail-3.sun.com (8.12.10/8.12.9) with ESMTP id h9LD0u5u002057; Tue, 21 Oct 2003 07:00:57 -0600 (MDT)
Received: from lillen (lillen [129.157.212.23]) by bebop.France.Sun.COM (8.11.7+Sun/8.10.2/ENSMAIL,v2.2) with SMTP id h9LD0uS16805; Tue, 21 Oct 2003 15:00:56 +0200 (MEST)
Date: Tue, 21 Oct 2003 14:54:50 +0200 (CEST)
From: Erik Nordmark <Erik.Nordmark@sun.com>
Reply-To: Erik Nordmark <Erik.Nordmark@sun.com>
Subject: RE: Why Scopes? (was: Re: [saad] About saad)
To: Michel Py <michel@arneill-py.sacramento.ca.us>
Cc: James Kempf <kempf@docomolabs-usa.com>, saad@ietf.org
In-Reply-To: "Your message with ID" <DD7FE473A8C3C245ADA2A2FE1709D90B06C66A@server2003.arneill-py.sacramento.ca.us>
Message-ID: <Roam.SIMC.2.0.6.1066740890.9924.nordmark@bebop.france>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: saad-admin@ietf.org
Errors-To: saad-admin@ietf.org
X-BeenThere: saad@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=unsubscribe>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>
List-Post: <mailto:saad@ietf.org>
List-Help: <mailto:saad-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/saad>, <mailto:saad-request@ietf.org?subject=subscribe>

> For the business/enterprise is where scoping comes to a use. In this
> case, scoping != not-publicly-routable. There are perfectly valid uses
> for publicly routable but nevertheless scoped addresses. In this
> environment, the use of RFC1918 addresses provides both a fail-safe
> against firewall/access-list SNAFUs, and a supplemental annoyance for
> hackers. None of these are miracles, but are part of defense-in-depth
> strategies and are palatable to the taste of the experienced enterprise
> operators that do not like to have all the eggs in the same basket.

One could argue that the defense in depth against misconfiguring firewalls
could be handled with a different UI-abstraction in an existing firewall.

For instance, being able to declare that a set of IP address ranges or
interfaces on the firewall are "outbound only" (what NAT gives you)
and no other rule in the firewall config can override this.
This separation of the "outbound only" set of nodes seems to be to provide
the same defense-in-depth as NAT when used for the above purpose.
Whether it would provide the same perception of confort is a different matter.

  Erik

  


_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad