RE: network controls are neccessary

["Michel Py" <michel@arneill-py.sacramento.ca.us>]

Erik,

> Erik Nordmark wrote:
> For instance, would it make sense to push
> all of the rules into the hosts

Be careful, Craig might have a heart attack just at the thought of doing
it. There would be terrible security consequences. I don't see how this
could be anything else than pushing subnet-specific rules to the hosts
that belong to the subnet.

> or is the set of rules so large that a host-based
> solution would need to cache subsets of the rules
> on demand?

It's not a matter of size but complexity.

First, the hosts do not have the intelligence that routers have. For
example, how long is it going to take before all hosts implement the
equivalent of a route-map? Are you going to enable an IP phone to
process BGP communities? Pushing all the rules to hosts would imply
either:

a) The hosts to have the same routing capabilities as routers currently
have.
b) The rules have to be modified to accommodate dumber hosts.

Second, part of the configuration of a router is the router's location,
which is implied. Pushing policies to the hosts would require a coupling
between the topological database and the routing policies that is beyond
what most large companies typically have (not to mention that it is
questionable that such a monster could be maintained).

One in the other, the sad truth is that multiple addresses per host do
not fly in the large organization. What is not flying either is policy
that is not at the edge for egress traffic (stateful firewall issues,
etc). We have had multiple posts about this on mh.

There is nothing fundamentally wrong in having multihoming schemes that
use several addresses, but this should be virtualized at the edge of the
network, which is basically what MHAP does.

Michel.