> Anything mankind can lock, mankind can unlock. You will never get
> rid of firewalls. At least not in our lifetimes.
actually, I'm recently forming a radical opinion that firewalls
need to be first-class components of the internet architecture.
only: (a) they should be thought of as "access control checkpoints"
rather than as held responsible for authentication (just because
you can get through a firewall doesn't mean you're authenticated
for all services beyond that firewall), (b) we need authentication
mechanisms that allow our packets to traverse multiple firewalls
(including both ingoing and outgoing firewalls) and still serve
as authentication for services at their destination. that is, we
need to be able to attach (perhaps multiple) credentials to packets,
that stay with those packets end-to-end rather than having to do
tunneling. those credentials (sadly) may need to be based on both
user identity and current network location. it should follow that
(c) IP addresses have nothing to do with authentication in such a
world - there will be too many cases where trust boundaries and IP
topology don't coincide, and trying to do VPN-like things for all
of the different things you want to authenticate to from the
same host will be too hairy.
Keith
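The architecture sketched in points (a) to (c) above, as an added worked example that is not part of Keith's post: packets carry several issuer-tagged credentials end-to-end, each firewall checkpoint enforces only its own access policy, the destination authenticates independently, and the source IP is never consulted. The issuer names, claim fields and the use of HMAC shared keys in place of issuer signatures are constructed assumptions for the demo.

```python
import hmac, hashlib, json
from dataclasses import dataclass
# Constructed demo keys (assumption: shared secrets stand in for issuer public keys).
ISSUER_KEYS = {"corp-idp": b"idp-demo-key", "branch-net": b"net-demo-key"}

def mint(issuer, claims):
    """Issuer tags a claim set; the tagged credential then travels with the packet end-to-end."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"issuer": issuer, "claims": claims,
            "tag": hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()}

def verify(cred):
    """Return the claims if the tag checks out for a known issuer, else None."""
    key = ISSUER_KEYS.get(cred.get("issuer"))
    if key is None:
        return None
    body = json.dumps(cred["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return cred["claims"] if hmac.compare_digest(expected, cred["tag"]) else None

@dataclass
class Packet:
    src_ip: str   # carried, but no check below ever consults it (point (c))
    creds: list   # several credentials attached at once (point (b))

def checkpoint(pkt, policy):
    """A firewall is an access-control checkpoint: pass if any valid credential meets policy."""
    return any(policy(c) for cr in pkt.creds if (c := verify(cr)) is not None)

def payroll_service(pkt):
    """The destination authenticates on its own terms: a user credential scoped to payroll."""
    for cr in pkt.creds:
        c = verify(cr)
        if c and c.get("type") == "user" and "payroll" in c.get("scopes", []):
            return c["user"]
    return None

def deliver(pkt):
    """Egress firewall, then ingress firewall, then service; same credentials, no tunnel."""
    if not checkpoint(pkt, lambda c: c.get("type") == "net" and c.get("net") == "branch-7"):
        return "dropped at egress", None
    if not checkpoint(pkt, lambda c: c.get("type") == "user" and "eng" in c.get("groups", [])):
        return "dropped at ingress", None
    return "delivered", payroll_service(pkt)   # passing the firewalls authenticated nobody (point (a))

NET = mint("branch-net", {"type": "net", "net": "branch-7"})
ALICE = mint("corp-idp", {"type": "user", "user": "alice", "groups": ["eng"], "scopes": ["payroll"]})
BOB = mint("corp-idp", {"type": "user", "user": "bob", "groups": ["eng"], "scopes": []})
# deliver(Packet("10.0.7.5", [NET, ALICE])) -> ("delivered", "alice")
# deliver(Packet("10.0.7.5", [NET, BOB]))   -> ("delivered", None): through both firewalls, still not authenticated
```

A credential whose claims are altered in transit fails `verify` at the first checkpoint that needs it, so tampering with the user credential gets the packet dropped at ingress rather than granting service access.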