>> On one hand, we want the capability to reach anywhere we're allowed to from
>> home. OTOH, if anything in my home is reachable from anywhere, we are back 
>> to the firewall paradigm. 
>>
> Why? You are still back to all the security disadvantages of firewalls - soft 
> chewy inside, etc. Reachability does not convey access authorization. Devices 
> must either protect themselves directly or delegate that protection to a 
> proxy of some sort (*not* necessarily a firewall). 

It seems to me like we're making things very complex (?)... In any given
network, there needs to be some amount of policy. Some of that policy is
best centralized, some of it is best distributed. And more than one
layer of defense is always better than only one layer of defense (though
you can go overboard in the other direction).

Take a house for instance... You have locked doors, and yet you still
have passwords. You have passwords and safes, yet you still have locked
doors... It's always a question of where the most efficient spot is to
implement any bit of policy/security, not whether or not that
policy/security is needed.

Whether the policy that's needed is on something called a "firewall," or
a "bridge between multiple control planes," or... It doesn't matter.
Policy is policy.

Or maybe I don't understand the question... :-)

Russ

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
