
Re: Michael Richardson: middle boxes vs security



In his/her message, Michael Richardson wrote:

>  It is interesting that the inability to deploy security due to presence of
>middle boxes, such as security gateways, has prevented deployment of voice
>services.

     I do not understand.

     In draft-lear-middlebox-arch-01.txt, a middle box can be a NAT box or a
 firewall. I think it is a mistake to think you can characterize some
 network devices as middle boxes this way, and other network devices
 as not being middle boxes.
     Any switch-router is always able to do NAT, and always has firewalling
 capabilities like IP filtering. In most cases the usage of IP access-lists
 is not only for access control, but also routing, QoS, VLANs, etc.
     So, in the real world, all IP network devices are middle boxes with
 such a definition. I think we should reserve the middle box definition for
 boxes working at the application layer, like boxes between WAP and HTTP.

     What is your definition of a middle box?

     Why have security gateways (i.e. network devices building IPsec tunnels)
 prevented deployment of voice services?

     Regards,

         HERVE