RE: Why Scopes? (was: Re: [saad] About saad)

"Michel Py" <michel@arneill-py.sacramento.ca.us> Tue, 21 October 2003 15:08 UTC

Subject: RE: Why Scopes? (was: Re: [saad] About saad)
Date: Tue, 21 Oct 2003 08:06:35 -0700
Message-ID: <DD7FE473A8C3C245ADA2A2FE1709D90B06C69A@server2003.arneill-py.sacramento.ca.us>
From: "Michel Py" <michel@arneill-py.sacramento.ca.us>
To: "Erik Nordmark" <Erik.Nordmark@sun.com>
Cc: "James Kempf" <kempf@docomolabs-usa.com>, <saad@ietf.org>
List-Id: Scope Addressing Architecture Discussion <saad.ietf.org>

Erik,

> Erik Nordmark
> For instance, being able to declare that a set of IP address
> ranges or interfaces on the firewall are "outbound only"
> (what NAT gives you) and no other rule in the firewall
> config can override this.

That's what I have a problem with. There are always ways to override
things; doing so is a significant part of SNAFUs. This is why scoping
comes to mind: no matter how badly one misconfigures the firewall, there
is another line of defense.

Keep in mind that at times firewalls that do not NAT could be replaced
by a cross-over cable (for short periods of time, in case of upgrades
for example). I know, nobody is supposed to do that; nevertheless it is
being done every day. When there are two physical firewalls that
replicate hard state between them, you can take one off-line, upgrade it
and then do the same with the other one, but this is not always the
case.


> This separation of the "outbound only" set of nodes seems to
> be to provide the same defense-in-depth as NAT when used for
> the above purpose.

Perhaps, but this is not typically what enterprises are interested in
when they want scoping. The purpose of scoping is to make no
communication possible, not egress-only (because egress-only could be
used to create a tunnel).

Michel.


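The two layers Michel contrasts, as an added illustration that is not part of the thread: a first-match rule table that a misplaced allow-any entry silently overrides, beside a scope boundary check that no rule can undo, and which also refuses the "egress-only" traffic a rule table would pass. The site-scoped prefix, the rule tables and the addresses are constructed for the example.

```python
"""Two-layer forwarding decision: a first-match rule table that can be
misconfigured, and a scope boundary check that a rule cannot override."""
import ipaddress
from dataclasses import dataclass

# Constructed site-scoped prefix for the example (site-local range as used
# at the time of the thread); any prefix the site treats as non-global works.
SITE_SCOPE = ipaddress.ip_network("fec0::/10")
ANY = ipaddress.ip_network("::/0")


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


def rule_decision(src, dst, rules):
    """Rule table: first matching rule wins, default deny if nothing matches."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return "deny"


def scope_decision(src, dst):
    """Scope boundary: a site-scoped address may not appear on either side of a
    packet crossing the site boundary, in either direction (no communication,
    not merely outbound-only)."""
    return "deny" if (src in SITE_SCOPE or dst in SITE_SCOPE) else "allow"


def forward(src, dst, rules):
    """Returns (decision, layer). The scope check runs after the rule table so
    the result shows which layer actually stopped the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rule_decision(src, dst, rules) == "deny":
        return ("deny", "rule table")
    if scope_decision(src, dst) == "deny":
        return ("deny", "scope boundary")
    return ("allow", "rule table")


# Intended "outbound only" policy: nothing from outside may reach site nodes.
INTENDED = [Rule("deny", ANY, SITE_SCOPE), Rule("allow", ANY, ANY)]
# Misconfigured table: an allow-any rule placed first overrides that intent.
MISCONFIGURED = [Rule("allow", ANY, ANY), Rule("deny", ANY, SITE_SCOPE)]
```

With the misconfigured table the rule layer passes inbound traffic to a site-scoped host and only the scope check stops it; with the intended table, outbound packets from a site-scoped source still pass the rules (egress-only) but are stopped by the scope boundary.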
_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad