> For the business/enterprise is where scoping comes to a use. In this
> case, scoping != not-publicly-routable. There are perfectly valid uses
> for publicly routable but nevertheless scoped addresses. In this
> environment, the use of RFC1918 addresses provides both a fail-safe
> against firewall/access-list SNAFUs, and a supplemental annoyance for
> hackers. None of these are miracles, but are part of defense-in-depth
> strategies and are palatable to the taste of the experienced enterprise
> operators that do not like to have all the eggs in the same basket.
One could argue that the defense in depth against misconfiguring firewalls
could be handled with a different UI-abstraction in an existing firewall.
For instance, being able to declare that a set of IP address ranges or
interfaces on the firewall are "outbound only" (what NAT gives you)
and no other rule in the firewall config can override this.
This separation of the "outbound only" set of nodes seems to provide
the same defense-in-depth as NAT when used for the above purpose.
Whether it would provide the same perception of comfort is a different matter.
Erik
_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad
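The "outbound only" abstraction sketched in the reply above, modelled as a small policy checker. This is an added example, not code from the thread or from any firewall product: the rule format, the `Rule` class, the `OUTBOUND_ONLY` set and the sample rule sets are all constructed here. It shows the two properties the reply asks for: the invariant rules are emitted ahead of everything else so no later rule can match first, and a configuration that tries to admit new inbound connections to an outbound-only range is rejected outright rather than silently layered over, which is the fail-safe against access-list mistakes that NAT otherwise provides.

```python
"""Firewall policy with an 'outbound only' invariant (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" | "deny"
    direction: str       # "in" (toward protected nodes) | "out"
    src: str             # CIDR
    dst: str             # CIDR
    state: str = "new"   # "new" connection, or "established" reply traffic


# Ranges declared outbound-only. RFC 1918 space is used here as the sample,
# but a publicly routable range could be declared the same way.
OUTBOUND_ONLY = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def touches_outbound_only(cidr: str) -> bool:
    """True if the CIDR overlaps any outbound-only range (supernets included)."""
    net = ip_network(cidr)
    return any(net.version == o.version and net.overlaps(o) for o in OUTBOUND_ONLY)


def find_overrides(rules: List[Rule]) -> List[Rule]:
    """Rules that would admit a new inbound connection to outbound-only nodes."""
    return [r for r in rules
            if r.action == "allow" and r.direction == "in" and r.state == "new"
            and touches_outbound_only(r.dst)]


def compile_policy(rules: List[Rule]) -> List[Rule]:
    """Emit the effective ordered policy.

    The invariant (allow replies in, deny new inbound) is placed first so that
    it matches before any operator rule; a configuration that contradicts it is
    refused instead of being quietly overridden.
    """
    bad = find_overrides(rules)
    if bad:
        raise ValueError(f"{len(bad)} rule(s) override outbound-only: {bad}")
    invariant = [Rule("allow", "in", "0.0.0.0/0", str(o), "established") for o in OUTBOUND_ONLY]
    invariant += [Rule("deny", "in", "0.0.0.0/0", str(o), "new") for o in OUTBOUND_ONLY]
    return invariant + list(rules)


def decide(policy: List[Rule], direction: str, src_ip: str, dst_ip: str,
           state: str = "new") -> str:
    """First-match evaluation with an implicit default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in policy:
        if (r.direction == direction and r.state == state
                and s in ip_network(r.src) and d in ip_network(r.dst)):
            return r.action
    return "deny"


# Constructed sample rule sets: a sane one, and one with a typical access-list slip.
GOOD_RULES = [
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0"),        # internal nodes may go out
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.0/24"),     # public DMZ stays reachable
]
BAD_RULES = GOOD_RULES + [
    Rule("allow", "in", "0.0.0.0/0", "10.0.0.0/8"),         # the SNAFU: opens internal nodes
]

if __name__ == "__main__":
    policy = compile_policy(GOOD_RULES)
    print("new inbound to 10.1.2.3:", decide(policy, "in", "203.0.113.5", "10.1.2.3"))
    print("reply inbound to 10.1.2.3:", decide(policy, "in", "203.0.113.5", "10.1.2.3", "established"))
    print("offending rules in BAD_RULES:", find_overrides(BAD_RULES))
```

The invariant is enforced twice on purpose: ordering makes it win at evaluation time, and the compile-time rejection makes the mistake visible to the operator instead of being masked by the ordering. Only the second property distinguishes this from a plain top-of-list deny, which a later edit could accidentally shadow by reordering.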