Fleischman, Eric allegedly wrote on 07/23/2009 6:12 PM:
> This observation is hopefully obvious but what excites me is what it
> means to ancillary requirements such as security and network management.
> As you may know, I've been keen for about a decade on the concept of
> "security zones" in which one can have unique policies for parts of a
> routing infrastructure to handle unique requirements of a community of
> interest. I therefore consider the various insights of the RRG postings
> to see their implications to this type of goal, which is why I felt the
> need to mention something which to others is hopefully obvious.
> Specifically, security zones theoretically can be made by routing policy
> at the IP layer (e.g., policy-based routing) but I am currently
> discouraged at how this works, except for VPNs and map-and-encaps, which
> really are parallel (complementary) routing systems. Therefore, I am
> currently trying to do this at the "IPsec layer" or above.
It would seem to me that this depends on what you need to secure. If you don't want the world to know your IP addresses then you hide them. If topology, hide routing and addressing. If you don't care about those but just higher layer objects, you hide them instead, and so on.

> I am curious
> whether LISP, for example, could be used to support security zones but I
> haven't pursued that idea myself. I wonder if others have?

Sure.

Scott

_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
