Phil,
...
Boy are you in for a shock when you try to connect to an ethernet with
802.1x.
I have yet to do so. I do have the facility on my Mac, but I've never
had to turn it on.
Authentication is being built into the NIC cards. At some point in the
future it will not be possible for any device to connect to an Intranet
without first authenticating itself.
It could happen, but then too it might not.
And it will all have to be 100% transparent to the user.
only when it works :-)
> if folks rely on such distributed enforcement, they will get
> what they deserve.
You are behind the times, single point of failure approaches to security
are out.
layered defenses are a good notion, but mostly when the layers are
under the same administrative control. all too often people forget
that relying on the security provided by someone else is a risky
proposition, as in your example of ISPs providing ingress filtering.
What people are looking to do is to contain attacks from within their
networks. Most large companies now have networks that are large enough
for what is inside the firewall to be at least as worrying as what is
outside.
fair statement
why not just propose rigorous enforcement of setting the evil bit by
all network attachment devices, etc?
Sarcasm is not a particularly useful mode of debate, particularly when
you are defending a dogma that has little practical success to recommend
it.
If it weren't a good analogy I don't think I would have received so
many private responses congratulating me for it :-)
Steve