>>>>> "Fernando" == Fernando Gont <fernando@xxxxxxxxxxx> writes:
    >> For instance, a reason to create a new network "zone" is because we
    >> don't provide printers with decent access control lists (authorization),
    >> instead, we make them wide open and then throw WPA on the wireless so
    >> that it's "secure", and then assume if you've authenticated, you are
    >> authorized to print.

    >> IPv6 would make that a new subnet, no additional layer of NAT, and do
    >> the authorization by IP address.

    Fernando> Huh? Why would one authorize access to a printer on a per-address basis?

    Fernando> Why should every user on the same computer have the same access rights
    Fernando> to the printer? -- This is probably a hint that, even if deployable,
    Fernando> IPsec may not be what you need/want.

Right now, everyone who knows the WPA2 key for the network can print.
I agree that the printer needs finer grained access controls.

IPsec, the specification, btw, has them, but they are not widely
implemented, and there has been no interest in the community towards any
kind of standard API for applications to be able to communicate with the
IPsec service about that.

--
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                       then sign the petition.