[136771] in North American Network Operators' Group
Re: quietly....
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Feb 4 19:29:03 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <alpine.BSF.2.00.1102041250570.54349@murf.icantclick.org>
Date: Fri, 4 Feb 2011 16:27:56 -0800
To: david raistrick <drais@icantclick.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 4, 2011, at 10:04 AM, david raistrick wrote:
> On Thu, 3 Feb 2011, Owen DeLong wrote:
> 
>> Er. That's not news. That's been the state of the art for
>> what, 15+ years or so now? SIP (because it's peer to peer) and
>> P2P are really the only things that actually give a damn about
>> it.
>> Largely because we've been living with the tradeoff that we had to break the
>> end-to-end model to temporarily compensate for an address shortage. Those of
>> us that remember life before NAT would prefer not to bring this damage
>> forward into an area of address abundance. In other words, yes, we gave up
> 
> 
> Life before NAT, and firewalls (with or without SPI) on every PC and every CPI, also was life before mass consumption of internet access by the "normal" folks. And before extensive cellular and wifi networks for internet access. And before many of today's (common end user PC) security issues had been discovered.
> 
> 
> Firewalls -destroy- the "end to end" model. You don't get inbound connectivity past the firewall unless a rule is explicitly created. That's no different than NAT requiring specific work to be done.
> 
No... Firewalls enforce policies on the end-to-end connectivity.
The end-to-end model is not about every host being able to deliver a packet to every other host. That is a misunderstanding of the meaning and principle of the end-to-end model.
The end-to-end model is about "If my packet is permitted by policy and delivered to the remote host, I expect it to arrive as sent, without unexpected modifications."
Mutilating the IP address portion of the header is an unexpected modification.
Decrementing the TTL and replacing the MAC address for routing are not unexpected modifications.
> Firewalls are not going away, if anything the continuing expansion of consumer users will create more and more breakage of the open-everything-connects-to-everything model, regardless of what the core engineering teams may want.
> 
Nobody wants to get rid of firewalls. We want to get rid of NAT. Firewalls work great without NAT and by having firewalls without NAT, we gain back the end-to-end model while preserving the ability to enforce policy on end-to-end connectivity.
> 
> Hell, even without CPE doing it, many residential ISPs (regardless of NAT) block inbound traffic to consumers.
> 
Really? And they have subscribers? Surprising.
> 
> The end-to-end model ended a long long time ago....maybe it will come back, but I rather doubt it.
> 
Sadly, yes. We gave up the end-to-end model when we accepted NAT as a workaround for address shortage. We did so believing that IPv6 deployment and migration would eventually remove this shortage (which it does) and allow us to restore the end-to-end model.
Now you're suggesting we should abandon that hope? I think not.
> 
> We'll continue to have users, who run client software, and providers, who run server software. And a mix in between, because the user end can CHOOSE to enable server functionality (with their feet, by choosing a new ISP, at their firewall and or NAT device, and by enabling "server" software).
> 
There is no need for NAT.
> 
> NAT doesn't destroy end-to-end. It just makes it slightly more difficult. But no more difficult than turning on a firewall does.
> It doesn't break anything that isn't trying to "announce" itself - and imo, applications that want to "announce" themselves seem like a pretty big security hole.
> 
NAT does destroy end-to-end. Firewalls do not.
Owen
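The distinction Owen draws above (a router or a stateful firewall leaves the sender's addresses intact, a NAT does not) as an added toy model; this is illustration written for this archive page, not code from the thread, and the class names, the RFC 5737 documentation addresses and the "inside prefix" policy are all constructed assumptions.

```python
# Constructed model of the three middleboxes discussed in the thread: a router,
# a stateful firewall (policy only, no header rewriting) and a masquerading NAT.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    syn: bool = True  # True for a connection attempt, False for a reply


def router(pkt):
    """Expected modification on the path: decrement TTL (MAC rewrite is below IP)."""
    return replace(pkt, ttl=pkt.ttl - 1)


class StatefulFirewall:
    """Enforces policy on end-to-end connectivity: inside hosts may initiate,
    inbound packets pass only for an already established flow. Nothing is rewritten."""

    def __init__(self, inside_prefix):
        self.inside = inside_prefix      # constructed policy: e.g. "10.0.0."
        self.flows = set()

    def forward(self, pkt):
        if pkt.src.startswith(self.inside):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return pkt
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt                    # reply to an established flow
        return None                       # unsolicited inbound: dropped by policy


class Nat:
    """Masquerading NAT: rewrites the source address and port of outbound packets."""

    def __init__(self, public_ip):
        self.public = public_ip
        self.table = {}                   # (inside src, sport) -> translated port
        self.next_port = 40000

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.public, sport=self.table[key])


def end_to_end_preserved(sent, received):
    """The thread's test: addresses arrive as sent (TTL decrement is expected)."""
    return (sent.src, sent.sport, sent.dst, sent.dport) == (
        received.src, received.sport, received.dst, received.dport)


def demo():
    """Returns (preserved through firewall, preserved through NAT)."""
    sent = Packet("10.0.0.5", 51515, "203.0.113.10", 443, ttl=64)
    via_firewall = router(StatefulFirewall("10.0.0.").forward(sent))
    via_nat = router(Nat("198.51.100.1").outbound(sent))
    return end_to_end_preserved(sent, via_firewall), end_to_end_preserved(sent, via_nat)
```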