On Tue, 10 Nov 1998, Phil Howard wrote: [...]
Our customers are also becoming more security conscious. That doesn't mean they want to run their own firewall; they still want us to do so. But it does mean they are well prepared, and in our experience very happy, to keep the Internet at "arms length" in the office. [...]
So maybe there's a business model for centralized security management (like TabNet and Hiway and Critical Path, but for outsourcing security management)? Centralized service agency places a firewall at the ISP, and via encrypted, authenticated configuration session is able to update the firewall for each customer, so the customer/ISP/integrator has the ability to update the firewall through a Web interface, rather than having to go through the ISP. Just thinking... [...]
Perhaps a better solution is a distributed SWIP database. Perhaps a SWIP record can be added to DNS to indicate the name of the server to query for detail information by network. It would then co-exist alongside the PTR records. Appropriate SWIP lookup clients would resolve for SWIP data in the in-addr.arpa space and then query that server (or servers) for the real data about the network in question.
How about using reverse DNS on the network number (which normally wouldn't have reverse DNS), and having it point at the distributed SWIP server? The query is going to be on the network number anyway, and either ARIN or the (r)whois client could do the redirection. There might have to be some kind of authentication/verification prior to the redirection, but that'd be much simpler than servicing the query. I think this would even work down to the /30 level. Similar to how Ciscos show the break-down on a subnetted /24, where the query on the /24 would show both the ownership of the /24 and the break-down of the subnets, and subsequent queries could be done on the subnets. There's probably a business model for outsourcing services for distributed SWIP, too. ;) Pete.
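The redirection mechanism sketched in the thread (a record under in-addr.arpa naming the server that holds the SWIP detail for a network, with the client walking from the most specific prefix upward) can be shown as a small lookup client. This is an added illustration, not code from the thread or from any registry; the record-naming convention, the server names and the zone contents are all constructed assumptions. Octet-aligned prefixes use the ordinary reverse name, and sub-/24 prefixes such as a /30 use an RFC 2317-style "first-octet/length" label, which is assumed here rather than anything the thread specifies. The in-memory table stands in for real DNS so the example runs offline.

```python
"""Hypothetical distributed-SWIP lookup client (added example, not from the thread).

Assumed convention: a record under in-addr.arpa carries the hostname of the
SWIP server that holds detail for that network number. Octet-aligned prefixes
(/8, /16, /24) use the ordinary reverse name; a /30 uses an RFC 2317-style
"<first-octet>/<prefixlen>" label. SAMPLE_ZONE is constructed sample data
standing in for a real DNS lookup.
"""
import ipaddress

# Constructed sample zone: reverse name -> SWIP server to redirect to.
SAMPLE_ZONE = {
    "2.0.192.in-addr.arpa": "swip.isp.example",             # whole /24 held by the ISP
    "64/30.2.0.192.in-addr.arpa": "swip.customer.example",  # one /30 delegated to a customer
    "18.198.in-addr.arpa": "swip.other.example",            # a /16 held elsewhere
}

# Prefix lengths at which a SWIP record may live (the octet boundaries plus the
# queried prefix itself), assumed for this example.
OCTET_BOUNDARIES = (24, 16, 8)


def reverse_name(net) -> str:
    """Build the in-addr.arpa name for a network number."""
    net = ipaddress.IPv4Network(net, strict=False)
    octets = str(net.network_address).split(".")
    whole = net.prefixlen // 8                    # octets fully covered by the prefix
    labels = list(reversed(octets[:whole]))
    if net.prefixlen % 8:
        # Partial octet: prepend the assumed RFC 2317-style label, e.g. "64/30".
        labels.insert(0, f"{octets[whole]}/{net.prefixlen}")
    return ".".join(labels) + ".in-addr.arpa"


def candidate_names(net):
    """Yield reverse names from the most specific prefix upward to the /8."""
    net = ipaddress.IPv4Network(net, strict=False)
    lengths = sorted({net.prefixlen, *OCTET_BOUNDARIES}, reverse=True)
    for plen in lengths:
        if plen <= net.prefixlen:
            yield reverse_name(net.supernet(new_prefix=plen))


def lookup(net, zone=SAMPLE_ZONE):
    """Return (reverse_name, swip_server) for the most specific record covering
    the network, or None if no record exists anywhere up the tree."""
    for name in candidate_names(net):
        if name in zone:
            return name, zone[name]
    return None


def subnets_of(net, zone=SAMPLE_ZONE):
    """Return the records more specific than `net`, mirroring the 'break-down
    of the subnets' a query on a /24 would show."""
    parent = reverse_name(net)
    return {name: server for name, server in zone.items()
            if name != parent and name.endswith("." + parent)}


if __name__ == "__main__":
    for query in ("192.0.2.64/30", "192.0.2.128/30", "198.18.5.0/24", "203.0.113.0/24"):
        print(query, "->", lookup(query))
    print("subnets under 192.0.2.0/24:", subnets_of("192.0.2.0/24"))
```

Walking up the tree is what makes the thread's /30 case work: a /30 with no record of its own falls back to the /24 that contains it, so the ISP's server answers for undelegated space while a delegated /30 redirects to the customer's server. Any authentication or verification step before the redirection, as the message suggests, would sit between the DNS answer and the query to the named server.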