Pekka,

> We are talking about the way enterprise network managers think about their networks.
> These are people who *will* get fired if their network is seriously penetrated. In fact, I expect quite a few will be fired in the near future because of inadequate protection against the current virus pandemic. These are people who *will* insist on every single way of limiting access. They will agree that security by obscurity is only a partial solution, but they add it to all the other partial solutions.
> They will *not* tolerate a solution in which misconfigured ACLs in
> border routers could expose the RPC ports on individual Windows boxes to packets from outside the enterprise. That's in addition to compelling all employees to install the MS03-26 patch and a personal firewall.
> In this context, some form of private address space is not even slightly optional. Even when RFC 1597 was published, the above pressures were there. They are 100 times greater now.
> So it's simply inevitable that enterprises will use private
> (i.e. non-PA, non-routeable) space. Our challenge is to make it
> as good as we can.

I am a network manager. The fact I might not get fired as the result of a big
compromise is more a function of Swedish management culture than anything
else. I have had the perverse pleasure of watching large corporations and
agencies in Sweden crash and burn during the last two weeks while we kept
afloat.
Here comes the punchline: ACLs (in whatever form) do not help as much as most people think against current viruses and worms. Why, you ask? Because someone invariably will bring their laptop to work and kaboom. The added protection you get from a private address space isn't worth the bits the configuration is stored in.
Could we please stop talking about scoped addressing as a solution to security
problems? It is not and furthermore even the guys in the trenches who pipeline
firewalls for "extra protection" are waking up to this fact. Very uncomfortably.
These are real honest-to-god experiences from the real world. Lately when coming
to the IETF I keep hearing that participation from operators and network managers
is important. The SL/LL/scope debate on this list has convinced me that it is
not only important but imperative.
Cheers Leifj
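The placement argument in the post above (a border ACL only filters traffic that crosses the border, so an infected laptop plugged into the LAN never meets it) can be checked with a small model. This is an added example written for this page, not code from Leif's message or from the IETF list; the 10.0.0.0/8 enterprise prefix, the LAN host addresses, the external address 198.51.100.7 and the choice of 135/139/445 as the RPC-related ports are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed topology: one enterprise behind one border router, RFC 1918 space inside.
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Ports assumed for the example; the ones a Blaster-style worm aimed at Windows RPC/SMB.
RPC_PORTS = frozenset({135, 139, 445})
# Constructed inside hosts that the worm would try to reach on the LAN.
LAN_HOSTS = ["10.1.2.3", "10.1.2.4", "10.7.0.10"]


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


class Rule(NamedTuple):
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dports: frozenset       # empty frozenset means "any destination port"
    action: str             # "permit" or "deny"


# Intended border ACL: drop the RPC ports inbound, let everything else through.
GOOD_ACL = [
    Rule(ANY, ENTERPRISE, RPC_PORTS, "deny"),
    Rule(ANY, ENTERPRISE, frozenset(), "permit"),
]

# The "misconfigured ACL" case: the two lines swapped, so the broad permit
# matches first and shadows the deny. First-match semantics make this silent.
BAD_ACL = [
    Rule(ANY, ENTERPRISE, frozenset(), "permit"),
    Rule(ANY, ENTERPRISE, RPC_PORTS, "deny"),
]


def border_acl(pkt: Packet, rules) -> str:
    """First-match evaluation with an implicit deny at the end, like a router ACL."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if s in r.src_net and d in r.dst_net and (not r.dports or pkt.dport in r.dports):
            return r.action
    return "deny"


def crosses_border(pkt: Packet) -> bool:
    """A packet traverses the border router only if exactly one endpoint is inside."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (s in ENTERPRISE) != (d in ENTERPRISE)


def delivered(pkt: Packet, rules) -> bool:
    """Inside-to-inside traffic is switched on the LAN and never consults the ACL;
    only border-crossing traffic is subject to it."""
    if not crosses_border(pkt):
        return True
    return border_acl(pkt, rules) == "permit"


def exposed_hosts(src: str, hosts, rules, port: int = 135) -> set:
    """Hosts that a source can reach on the given port: the worm's target set."""
    return {h for h in hosts if delivered(Packet(src, h, port), rules)}


if __name__ == "__main__":
    outside, laptop = "198.51.100.7", "10.1.2.99"   # constructed addresses
    print("outside, good ACL :", sorted(exposed_hosts(outside, LAN_HOSTS, GOOD_ACL)))
    print("outside, bad ACL  :", sorted(exposed_hosts(outside, LAN_HOSTS, BAD_ACL)))
    print("laptop,  good ACL :", sorted(exposed_hosts(laptop, LAN_HOSTS, GOOD_ACL)))
```

With the correct ACL the outside source reaches nothing on port 135; with the swapped rules it reaches every host, which is the failure the quoted message worries about. The infected laptop reaches every host in both cases, because none of its packets ever pass the border router, which is the failure this post says actually happens. The model treats addressing only as an ACL match key; it has no bearing on which rules an inside host's traffic is subject to, which is why a private prefix alone adds nothing here.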
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
