On Wed, 8 Dec 1999, Keith Moore wrote:
> actually, I'm recently forming a radical opinion that firewalls
> need to be first-class components of the internet architecture.
I don't think that's radical, but some people think I'm radical, so it
might not matter :-)
> as authentication for services at their destination. that is, we
> need to be able to attach (perhaps multiple) credentials to packets,
> that stay with those packets end-to-end rather than having to do
> tunneling. those credentials (sadly) may need to be based on both
> user identity and current network location. it should follow that
> (c) IP addresses have nothing to do with authentication in such a
> world - there will be too many cases where trust boundaries and IP
> topology don't coincide, and trying to do VPN-like things for all
> of the different things you want to authenticate to from the
> same host will be too hairy.
I agree with this... My earlier point about ALGs wasn't intended to be in
support of NAT (I specifically disclaimed that, in fact), nor was it
intended to suggest that trust boundaries and IP topology coincide (even
though my examples were of situations where they did).
I guess I was being too specific about a perhaps more general problem,
which is that of allowing border devices to act as proxies, agents,
interlopers, etc., for interior devices. Whether "border" and "interior"
are defined in IP topology terms for a given installation or in
authenticated identity and trust relationship terms is, I think,
immaterial. The point is not to *assume* that the actual endpoint (as
specified by the IP/port tuple) is going to be the one engaging in all
phases of the interaction on its own behalf, and to consider how that
non-assumption affects the protocol designs.
That is, NAT has taught us a lesson. NAT is bad, but the lesson is good.
Don't throw the lesson out with the NAT.
Furthermore, I'm not asking anyone to solve the problem of how you
maintain those proxies or ALGs or whatever they are. I'm simply asking
folks not to build a world in which they cannot work without significant
"hackish" after-engineering.
--
Tripp Lilley * [EMAIL PROTECTED] * http://stargate.sg505.net/~tlilley/
------------------------------------------------------------------------------
"There are plenty of things out there that people should be offended about.
Put your indignation into some more productive and appropriate fight."
- Larry Rosensweig
in http://www.cnn.com/1999/US/12/03/pokemon.swastika.ap/index.html
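The design point argued in this exchange, that credentials should travel with the packet end-to-end and that the source IP should play no part in authentication, can be made concrete with a small model. The following Python is an added example, not code from this thread or from either author; it assumes a per-user HMAC key shared with the destination (a stand-in for whatever credential format a real design would use), a declared network location inside the credential, and constructed addresses from documentation ranges. A NAT-like border device rewrites the source address, and the destination is shown deciding under two policies: a legacy IP-based rule and a credential-based rule.

```python
import hashlib
import hmac
import json
from ipaddress import ip_address, ip_network

# Constructed per-user keys shared with the destination service (hypothetical
# key store; a real design would use a KMS or public-key credentials).
USER_KEYS = {"alice": b"constructed-key-alice"}

# Policy the destination enforces: which users and which declared network
# locations are permitted. Both sets are constructed for this example.
ALLOWED_USERS = {"alice"}
ALLOWED_LOCATIONS = {"corp-lan"}

# Legacy, IP-based rule: trust anything arriving from the corporate egress
# address. Constructed address from the 203.0.113.0/24 documentation range.
TRUSTED_SOURCES = [ip_network("203.0.113.7/32")]


def make_packet(src_ip, user, location, payload, key=None):
    """Build a packet whose credential (user + declared network location) is
    bound to the payload with an HMAC. The IP header is deliberately NOT
    covered by the tag, so a NAT or proxy can rewrite it without breaking
    end-to-end verification. With key=None the credential is left unsigned."""
    cred = {"user": user, "location": location}
    tag = None
    if key is not None:
        body = json.dumps({"cred": cred, "payload": payload}, sort_keys=True).encode()
        tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"src_ip": src_ip, "cred": cred, "payload": payload, "tag": tag}


def nat_rewrite(packet, egress_ip):
    """Model a border device (NAT/proxy): rewrite the source address and leave
    the credential and payload untouched."""
    out = dict(packet)
    out["src_ip"] = egress_ip
    return out


def verify_credential(packet, keys):
    """Return the credential if its HMAC checks out under the claimed user's
    key, else None. The source IP plays no part in this decision."""
    cred = packet["cred"]
    key = keys.get(cred["user"])
    if key is None or packet["tag"] is None:
        return None
    body = json.dumps({"cred": cred, "payload": packet["payload"]}, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["tag"]):
        return None
    return cred


def ip_policy(packet):
    """Legacy decision: allow if the (possibly rewritten) source IP is trusted."""
    src = ip_address(packet["src_ip"])
    return any(src in net for net in TRUSTED_SOURCES)


def credential_policy(packet):
    """End-to-end decision: allow only a verified credential whose user and
    declared location are both permitted."""
    cred = verify_credential(packet, USER_KEYS)
    return (cred is not None
            and cred["user"] in ALLOWED_USERS
            and cred["location"] in ALLOWED_LOCATIONS)


def scenario():
    """Three packets crossing the same NAT; returns each policy's decision.
    All hosts end up with the same source address, so the IP rule cannot tell
    them apart, while the credential rule still can."""
    egress = "203.0.113.7"  # the NAT's external address (constructed)
    # alice, on the corporate LAN, with a properly signed credential
    alice = nat_rewrite(
        make_packet("10.0.0.5", "alice", "corp-lan", "GET /report", USER_KEYS["alice"]), egress)
    # another host behind the same NAT presenting alice's name with no signature
    unsigned = nat_rewrite(
        make_packet("10.0.0.9", "alice", "corp-lan", "GET /report"), egress)
    # alice's key used from a location the policy does not permit
    relocated = nat_rewrite(
        make_packet("10.0.0.5", "alice", "guest-wifi", "GET /report", USER_KEYS["alice"]), egress)
    return {
        name: {"ip_policy": ip_policy(p), "credential_policy": credential_policy(p)}
        for name, p in [("alice", alice), ("unsigned", unsigned), ("relocated", relocated)]
    }


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

Under the IP rule all three packets are accepted, because the NAT has collapsed the whole interior onto one address; under the credential rule only alice's properly signed, correctly located packet passes, and the border device's header rewrite is irrelevant to that decision. Binding the credential to the payload rather than to the address is what lets the proxy or ALG do its job without the destination having to guess what happened in between.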