RE: Why Scopes? (was: Re: [saad] About saad)



Erik,

> Erik Nordmark
> For instance, being able to declare that a set of IP address
> ranges or interfaces on the firewall are "outbound only"
> (what NAT gives you) and no other rule in the firewall
> config can override this.

That's what I have a problem with. There are always ways to override
things; doing so is a significant part of SNAFUs. This is why scoping
comes to mind: no matter how badly one misconfigures the firewall, there
is another line of defense.

Keep in mind that at times firewalls that do not NAT could be replaced
by a cross-over cable (for short periods of time, in case of upgrades
for example). I know, nobody is supposed to do that; nevertheless it is
being done every day. When there are two physical firewalls that
replicate hard state between them, you can take one off-line, upgrade it
and then do the same with the other one, but this is not always the
case.


> This separation of the "outbound only" set of nodes seems to
> be to provide the same defense-in-depth as NAT when used for
> the above purpose.

Perhaps, but this is not typically what enterprises are interested in
when they want scoping. The purpose of scoping is to make no
communication possible, not egress-only (because egress-only could be
used to create a tunnel).

Michel.


_______________________________________________
Saad mailing list
Saad@ietf.org
https://www1.ietf.org/mailman/listinfo/saad
