
RE: draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."



> 
> If the proxy breaks, 
> devices would not be able to access the resources they may 
> still have an IP layer path to. Proxies are worth avoiding for 
> the same reason NAT is.
> 

   Actually, for a transparent proxy, if it breaks and you still
   have a valid path then the requests go directly to the origin
   server. This is more of a problem for an explicit proxy, but
   in that case the user can easily discover the proxy is broken.

>
> whether it changes surreptitiously or not. I first came 
> across this idea in Steve Bellovin's paper, "Distributed Firewalls", 
> 
> http://www.cs.columbia.edu/~smb/papers/distfw.html
> 
> Secondly, deploying policy to the end hosts also provides the 
> best user granularity with the policy, as generally, it is 
> one end-user to one host. Identifying users at a per-host 
> level tends to be easier than network based identification 
> mechanisms. They also tend to be more fault tolerant, as a 
> failed policy (e.g., deny all access) on a user's host only 
> affects the single user, rather than a significantly larger 
> user population.
>
   
    I haven't read the paper, but just reading the above,
    I wonder why tying one end-user to one host would be a
    benefit?

    A host can be used by multiple users, and each user needs to
    be authenticated possibly centrally to determine what network
    resources the user is allowed to access.

    The policy should be managed centrally, should follow the 
    user, and should be session based. When a host crashes it does 
    not take down any policy, and the user just goes somewhere else 
    and resumes work.
 
	-- Qing