
Re: [RRG] Six/One: A (Different) Solution for Routing and Addressing in IPv6




[Sorry for the delay in responding, I'm still catching up after vacation...]

On Jul 16, 2007, at 3:36 AM, Brian E Carpenter wrote:

> The alternative approach is that the necessary policy and preference
> table is automatically distributed to all hosts in the site from
> a central point; that would of course require overhead in every host
> (but RFC 3484 already assumes such overhead).


Unfortunately, distributing policy is NOT the same as having an effective policy. In an enterprise of any significant size, the number of hosts that are not completely under the control of the local administration can be quite large. Those hosts may or may not comply with the policy as distributed, either due to non-implementation of the policy mechanisms, incorrect implementation, or outright malfeasance.

Yes, I realize that this is analogous to the architecture argument about firewalls vs the end-to-end principle that we've debated for about 20 years now and still do not have consensus on. No, I don't mean to reopen that. I will point out that the practical necessity for firewalls does exist, and therefore the facilities exist in reality.

Similarly pragmatic thinking suggests that enterprise administrators will take whatever steps necessary to ensure that they have a proxy solution. Given that, it would be greatly preferable in my mind if we architected the solution rather than letting it evolve.

Tony

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg