Ken, I appreciated your posting but I surmise that what we may have here is a divergence in world views. I suspect that many readers of your and Eliot's postings view the current Internet topology as consisting of autonomous systems linked to the Internet via BGP connections and perimeter-defense firewalls. People with this world view probably believe that the management station is always on the same side of the firewall as the managed devices.

However, you and I have a different perspective in which the concept of "corporate perimeter" has been modified, such that there are potentially many diverse local reasons why a single policy zone may need to manage devices across firewalls. Specifically, large end users often have business relationships that cause our perimeter defense system to become "porous". For perhaps the past seven years it has no longer been the case that all of the network resources for many Fortune 100 companies have been inside their firewalls. I am not talking about the "mobile user" who, on business trips, for example, may need to access corporate resources through Radius servers. I am rather talking about enduring business relationships that cause corporations to "open up" their perimeters to other entities for specific business reasons, including possibly defining joint deployments together or establishing "islands" of one corporation within the networks of another.

In addition, it is not unknown for some intra-corporate entity to conclude that their activities are "too important" or "too sensitive" to trust other corporate entities, such that they deploy firewalls internally within the corporation itself. If there is an incongruence between management responsibilities and firewall placement, a subset of devices will be managed across firewalls. Such is life in the subset of the real world with which I am familiar.

--Eric

> Ignoring these relegates any solution to theoretical situations or very small in-home or in-group solutions.
> Then someone else will have to figure out some way to manage anything larger scale, which will be able to also handle small scale and so will overwhelm the non-firewalling, non-NAT-ing designs. But only after such a relatively impotent design confuses the world by adding yet one more standard to choose from.