RE: draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."
> >
> > address        time-of-day        week-day     bandwidth-alloc
> > --------------------------------------------------------------
> > IPv6-addr-X    9:00AM - 3:00PM    M,W,TH,F     X-kbps
> >
> > would be difficult to enforce if IPv6-addr-X either constantly remaps
> > to a different node, or if the node constantly replaces IPv6-addr-X
> > with something else.
> >
>
> The key term here is identification. When you identify using
> a network layer address, you aren't really identifying a
> person, you are identifying a node,
>
No disagreement here at all WRT node vs. user identification
and the corresponding level of policy application and enforcement.
One important differentiator between a proxy and a firewall is
a proxy's ability to define higher-level rules and enforce those
rules.
The point of the discussion, however, was that there may exist
situations where a network administrator may want to write
a policy based on a node id instead of a policy based on individual
users. For example, a large corporation may have designated nodes
on designated subnets for access by contractors and interns. The
egress proxy may contain such policies. I also don't want to assume
the various network topologies in which the proxies are deployed and
the types of policy rules that make sense in those different
topologies.
The discussion in the NAP draft on addresses and on mechanisms for
hiding networks, IMHO, impacts the deployment and operation of
proxies, which are becoming ever more popular in enterprise
environments. Therefore, I feel the doc should address the proxy
space.
-- Qing
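The quoted table and the reply both turn on whether an egress policy keyed by a node's IPv6 address survives that address changing under the node. The following is an added example, not code from the thread or from the NAP draft: it evaluates a constructed policy table of the shape shown above (address, time-of-day, week-day, bandwidth allocation) and contrasts a rule pinned to a single /128 address with one keyed to a designated /64 subnet, as in the contractor/intern case. All addresses are from the 2001:db8::/32 documentation range, and the rotated "temporary" addresses are assumed values chosen to fall in the same /64.

```python
"""Address-keyed egress policy evaluation (added illustration, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Day codes as written in the quoted table ("M,W,TH,F"); Monday == 0 as in datetime.weekday().
DAY_CODES = {"M": 0, "T": 1, "TU": 1, "W": 2, "TH": 3, "F": 4, "SA": 5, "SU": 6}


def parse_days(spec):
    """Parse a day list such as 'M,W,TH,F' into a set of weekday numbers."""
    return frozenset(DAY_CODES[tok.strip().upper()] for tok in spec.split(","))


@dataclass(frozen=True)
class Rule:
    subject: ipaddress.IPv6Network  # /128 pins one node; a shorter prefix covers a subnet
    start: time                     # inclusive start of the allowed window
    end: time                       # inclusive end of the allowed window
    days: frozenset                 # weekdays on which the rule applies
    bandwidth_kbps: int             # allocation granted when the rule matches


def rule(subject, start, end, days, kbps):
    """Build a Rule from the string forms used in the policy table."""
    return Rule(
        ipaddress.IPv6Network(subject),
        time.fromisoformat(start),
        time.fromisoformat(end),
        parse_days(days),
        kbps,
    )


# Constructed policy table (assumed values, documentation prefix only).
RULES = [
    # A single designated node, keyed on its full address (the quoted table's IPv6-addr-X).
    rule("2001:db8:1::10/128", "09:00", "15:00", "M,W,TH,F", 512),
    # A designated contractor subnet, keyed on the /64 rather than on any one interface ID.
    rule("2001:db8:2::/64", "08:00", "18:00", "M,T,W,TH,F", 256),
]


def lookup(addr, when, rules=RULES):
    """Return the bandwidth allocation (kbps) granted to a source address at a given
    time, or None when no rule matches. First matching rule wins."""
    ip = ipaddress.IPv6Address(addr)
    for r in rules:
        if ip in r.subject and when.weekday() in r.days and r.start <= when.time() <= r.end:
            return r.bandwidth_kbps
    return None


def demo():
    """Show how address rotation inside the same /64 affects each style of rule."""
    wed = datetime(2024, 1, 10, 10, 0)  # a Wednesday, inside both windows
    return {
        # Node rule matches while the node keeps its configured address ...
        "node_stable": lookup("2001:db8:1::10", wed),
        # ... but not once the node moves to a temporary address in the same subnet.
        "node_rotated": lookup("2001:db8:1:0:7c3e:91a2:4f0b:d1e5", wed),
        # Subnet rule keeps matching through the same kind of rotation.
        "subnet_stable": lookup("2001:db8:2::abcd", wed),
        "subnet_rotated": lookup("2001:db8:2:0:9b1f:3c2d:aa01:ff3e", wed),
    }


if __name__ == "__main__":
    for name, kbps in demo().items():
        print(f"{name:15s} -> {kbps}")
```

The /128 rule is the one the quoted message says is hard to enforce: as soon as the node presents a different interface identifier, the request falls through to no rule, and the administrator either loses the policy or has to widen it. Keying the rule on the subnet that holds the designated nodes, as the reply describes for contractor and intern machines, tolerates interface-ID changes but only controls access at the granularity of that subnet.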