Yes, this is good stuff. But I don't think distributed firewalling on its own is the full answer.
I think it's pretty clear at this point that there is no full answer, or that if there is it's multi-component and situation-dependent. I think that it's pretty clear that we need to make sure that we're allowing network administrators better control of their own networks, and distributed firewalling can anchor that (how security policy is passed around). Unfortunately I think there will continue to be a need for firewalls at network borders, at least towards the edge. NAT doesn't properly belong in this discussion but since it's here anyway it should be regarded as part of the network border packet filtering whatever and probably ought to be included in participation in enforcing security policy.
Melinda
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf