RE: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

That is pretty much it.

The one additional point being that we all take a realistic view of what people out there will actually pay for and what they will actually use.

I can manage to get people to pay for security. Getting them to then use the security they have paid for is a much harder problem. How many of us have installed S/MIME or PGP, how many people use them?


The reason I am raising these issues is not to be defeatist. I think that we can solve these problems but only if we are prepared to build a solution around the one problem that every CIO has to take notice of - the cost of administration.

I don't mean one of those marketecture TCO type jobs either where someone spends $100K to save $300K in hypothetical costs. I mean a system where the incremental costs are no more than $0.25 per device and the savings are clearly two orders of magnitude greater than the costs.


There is a large consortium of big IT customers calling itself Jericho Forum that is talking about deperimeterization and the need for a new network architecture. So far they have not really found one, but when they do they have the power to make every vendor sit up and take notice, as they are going to write a requirement to support their architecture into every RFP they issue.

They want security and they understand that cost of administration is a major issue they need to control.

It would be to everyone's advantage if the architecture they decide on also makes a transition to IPv6 easy and painless.


> From: David Morris [mailto:dwm@xxxxxxxxx] 

> As the administrator of several small networks, it is quite 
> simple. By re-writing the address, the NAT is a de facto 
> default deny. I have a lot more trust in the simplicity of a 
> basic NAT in a consumer firewall than I do in any firewall 
> which has to examine each packet for conformance to complex 
> policy rules.
> 
> But, this misses the point I see in Phillip's discussion... I 
> read his ultimate proposal as:
>   a. Stop bashing NAT, it provides value in the current network and
>      has prevented a total meltdown which would have happened if every
>      early OS were directly attached to the internet
>   b. REPLACE NAT with a default deny infrastructure ... more than
>      just a single FW choke point.
> 
> On Mon, 2 Jul 2007, Melinda Shore wrote:
> 
> > On 7/2/07 11:14 AM, "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx> wrote:
> > > There is no other device that can provide me with a lightweight 
> > > firewall for $50.
> >
> > Of course there is - the same device that's providing the NAT.
> >
> > NAT by itself is intrinsically policy-free, although it implements 
> > policy as a side-effect.  I'm unclear on why you think that a 
> > default-deny policy is better implemented on a NAT than on a firewall.

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
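The exchange above turns on one technical point: a NAT drops unsolicited inbound packets only because no translation entry exists for them, so the "default deny" is a side effect of the mapping table rather than an explicit policy. The simulator below is an added illustration written for this archive page, not code from any of the participants. It models a minimal port-translating NAT with constructed addresses from the documentation ranges (192.168.1.10 inside, 203.0.113.1 as the public address, 198.51.100.x as remote hosts) and shows that, once an outbound flow has created a mapping, the bare NAT accepts a packet to that public port from any remote host; only an explicit filtering rule (the `endpoint_filtering` flag, an assumption of this example standing in for firewall policy) limits inbound traffic to the peer that was actually contacted.

```python
"""Minimal port-translating NAT (NAPT) simulator.

Added example for the NAT-as-default-deny discussion; not part of the
original mailing-list thread. Addresses are constructed from the RFC 5737
documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SimpleNapt:
    """A NAT that allocates one public port per inside (ip, port) pair."""

    PUBLIC_IP = "203.0.113.1"  # constructed public address of the NAT box

    def __init__(self, first_port: int = 40000) -> None:
        self._next_port = first_port
        # inside (ip, port) -> allocated public port
        self._out: Dict[Endpoint, int] = {}
        # public port -> inside (ip, port) that owns it
        self._owner: Dict[int, Endpoint] = {}
        # public port -> remote endpoints this inside host has talked to
        self._peers: Dict[int, Set[Endpoint]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping if needed."""
        inside = (pkt.src_ip, pkt.src_port)
        if inside not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[inside] = port
            self._owner[port] = inside
            self._peers[port] = set()
        port = self._out[inside]
        self._peers[port].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.PUBLIC_IP, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, endpoint_filtering: bool = False) -> Optional[Packet]:
        """Translate an outside->inside packet; None means the packet is dropped.

        With endpoint_filtering=False this is the bare NAT: anything addressed
        to a mapped public port is forwarded, whoever sent it. With
        endpoint_filtering=True an explicit policy is applied on top: only the
        remote endpoint the inside host contacted may reply.
        """
        if pkt.dst_ip != self.PUBLIC_IP or pkt.dst_port not in self._owner:
            return None  # no mapping: this is the NAT's incidental "default deny"
        if endpoint_filtering and (pkt.src_ip, pkt.src_port) not in self._peers[pkt.dst_port]:
            return None  # explicit policy, not a translation side effect
        inside_ip, inside_port = self._owner[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Run the three cases the thread argues about and return the outcomes."""
    nat = SimpleNapt()
    public = SimpleNapt.PUBLIC_IP
    results: Dict[str, Optional[Packet]] = {}

    # 1. Unsolicited inbound before any outbound flow: no mapping, dropped.
    results["unsolicited"] = nat.inbound(Packet("198.51.100.7", 80, public, 40000))

    # 2. Inside host opens a flow; the legitimate reply is forwarded.
    nat.outbound(Packet("192.168.1.10", 51515, "198.51.100.7", 80))
    results["reply"] = nat.inbound(Packet("198.51.100.7", 80, public, 40000))

    # 3. A third party aims at the same mapped port: the bare NAT lets it in,
    #    an explicit endpoint-filtering policy does not.
    third_party = Packet("198.51.100.9", 4444, public, 40000)
    results["third_party_bare_nat"] = nat.inbound(third_party)
    results["third_party_filtered"] = nat.inbound(third_party, endpoint_filtering=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {'forwarded ' + str(outcome) if outcome else 'dropped'}")
```

Case 3 is the crux of Melinda Shore's remark: the mapping table only records that a port is in use, so whether a packet from a host the inside machine never contacted is admitted is a policy decision that the translation step itself never makes.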

