> Let's take two steps back, stop discussing possible solutions for a
> moment and discuss the problem statement. I'd like it to be possible for
> an enterprise to:
>
> - Have resources (i.e. nodes or services) that are accessible
>   only to sub-groups within the enterprise (i.e.
>   departments). Example: a printer that only marketing
>   is allowed to use.
> - Have resources that are available to the whole enterprise,
>   but that are not accessible outside the enterprise.
>   Example: An HR benefits website.
> - Have resources that are available on an extranet (between a
>   selected group of enterprises) that are not accessible
>   to all other enterprises. Example: A supplier/customer
>   network.
> - Have resources that are globally available, and be able to
>   send global traffic. Example: Google.
>
> All of these things can be achieved without site-locals, using
> provider-allocated global addresses and appropriate configurations of
> firewalls, ACLs, route filtering and split DNS.
I'm entirely in agreement with the above. However, perhaps even another step back is in order. *Any* use of addresses for access control is a dubious idea at best. There are too many internal threats, and too many ways to tunnel external threats to an 'interior' node.

So I think the purpose of packet and route filtering is not to allow addresses to be used for access control, but instead to protect the network itself (say, against DoS attacks) and to make it easier to analyze your network for threats. For instance, by restricting the number of hosts that can receive external traffic from port 80, you only have to analyze the CGI scripts on those hosts that are authorized. But you still need to do port scans on your other hosts to make sure that they're not running unauthorized web servers. And you still need to require good authentication for any resource that is worth protecting.

I'm all for having flexible address filtering, but let's not sell it as an access control mechanism.

Keith

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
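As an added illustration (not from the thread) of the four reachability classes in the quoted problem statement, and of Keith's caveat that an address filter only bounds exposure, here is a small Python model of an address-based ACL over provider-allocated global prefixes. All prefixes are constructed from the IPv6 documentation range, and the resource names and scope labels are assumptions.

```python
"""Address-based filter for the four resource classes in the thread.
Prefixes are constructed examples from the 2001:db8::/32 documentation range."""
import ipaddress
from dataclasses import dataclass

ENTERPRISE = ipaddress.ip_network("2001:db8:1::/48")      # whole enterprise (assumed)
MARKETING = ipaddress.ip_network("2001:db8:1:10::/64")    # one department (assumed)
PARTNERS = [ipaddress.ip_network("2001:db8:2::/48"),      # extranet peers (assumed)
            ipaddress.ip_network("2001:db8:3::/48")]

# Reachability class -> source prefixes the filter admits.
SCOPES = {
    "department": [MARKETING],
    "enterprise": [ENTERPRISE],
    "extranet": [ENTERPRISE] + PARTNERS,
    "global": [ipaddress.ip_network("::/0")],
}

@dataclass(frozen=True)
class Resource:
    name: str
    scope: str

RESOURCES = {
    "printer": Resource("printer", "department"),   # marketing-only printer
    "hr-site": Resource("hr-site", "enterprise"),   # HR benefits website
    "supplier": Resource("supplier", "extranet"),   # supplier/customer network
    "www": Resource("www", "global"),               # globally reachable service
}

def filter_admits(src, resource):
    """Does the address-based ACL let a packet from src reach resource?"""
    src = ipaddress.ip_address(src)
    return any(src in net for net in SCOPES[resource.scope])

def decide(src, name, authenticated):
    """The filter narrows who can talk to a resource; it does not authorize.
    Every protected resource still requires authentication, so the outcome is
    one of 'drop', 'auth-required' or 'allow'."""
    if not filter_admits(src, RESOURCES[name]):
        return "drop"
    return "allow" if authenticated else "auth-required"

def externally_exposed(external_src="2001:db8:ffff::1"):
    """Resources an arbitrary outside address can reach: the set that has to be
    analyzed for exposure (the 'port 80' argument in the post)."""
    return sorted(n for n, r in RESOURCES.items() if filter_admits(external_src, r))
```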
