Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cs.utexas.edu!rutgers!bpa!cbmvax!vu-vlsi!dsinc!lgnp1!vskahan
From: vskahan@lgnp1.MASA.COM (Vince Skahan)
Newsgroups: comp.sys.apollo
Subject: apollo "native ethernet" is too good ???
Message-ID: <14@lgnp1.MASA.COM>
Date: 20 Oct 88 03:32:18 GMT
Organization: Lagniappe Systems, Norristown, PA
Lines: 59

[...not necessarily "flame on" but certainly "bitch on"...]

We have about 12 subnets hanging off of the same ethernet (at work) and
10 of these are Apollo rings. Each ring has a gateway (or 2) for TCP/IP
and "native apollo" communications so each node can talk to any other node.

As we add rings to new organizations, we have a few problems that occur...

  - apollo says use one master registry but we have very different
    organizations with very different ideas and needs for security.
    This leads to the need to use more than one master registry.

  - the "canned SIDs" for administrators and system accounts/ppo's
    result in a sys_admin in one registry having the same privs in
    other registry rings (internets), making everyone everywhere open
    to problems created by well-meaning but rookie admins (and
    hypothetically not-so-well-meaning folks).

  - there is an inherent trade-off between the idea of transparent
    access from all nodes in all rings to one another and the real
    world problems of different organizations on the same ethernet
    who need access to common Vaxes (with TCP/IP and/or access) but
    want to protect the heck out of everything to keep *their* system
    under reasonable control.

My questions go like this:

  - Why can't there be more than one master registry in an internet?
    This will prevent the dozens of non-privileged users from each
    other (I'm assuming that the admins all talk and that they all
    understand that they can inadvertently affect other rings).

  - For native ring-ring communications, you might be able to have the
    common ethernet be more than one *logical* apollo internet
    (organization A has 2 rings that think the ethernet is 28EEE and
    organization B's 3 rings think the ethernet has a different
    internet ID). Is this reasonable??? The only thing that this
    doesn't have is organization-organization transparent file
    transfer (other than ftp).

  - mail can be handled by creating gateways for SMTP between the
    organizations or rings (everyone uses the SAME subnet for the
    ethernet using TCP)...is this also OK??

I guess the real problem is that the Apollo networks are SO transparent,
it's a bit tough to lock other rings out for valid real-world reasons.
If you're in a 300 or so node network that comprises 10 organizations,
you should be able to set things up so there can be local control of
their areas and not require "company-standards".

Feel free to e-mail how you're set up if you've come up with a solution
to these problems...any ideas will be appreciated.

--
Vince Skahan
UUCP: lgnp1!vskahan
Internet: skahan@boeing.com