[85812] in North American Network Operators' Group
Re: IPv6 news
daemon@ATHENA.MIT.EDU (Mark Smith)
Mon Oct 17 17:48:57 2005
Date: Tue, 18 Oct 2005 07:15:13 +0930
From: Mark Smith <random@72616e646f6d20323030342d30342d31360a.nosense.org>
To: tony.li@tony.li, David Meyer <dmm@1-4-5.net>
Cc: nanog@merit.edu
In-Reply-To: <20051017145752.GA29105@1-4-5.net>
Errors-To: owner-nanog@merit.edu
On Mon, 17 Oct 2005 07:57:52 -0700
David Meyer <dmm@1-4-5.net> wrote:
> On Sun, Oct 16, 2005 at 01:45:40AM -0700, Tony Li wrote:
> >
> > >
<snip>
> >
> > This is probably the most common misunderstanding of the end-to-end
> > principle out there. Someone else can dig up the quote, but
> > basically, the principle says that the network should not replicate
> > functionality that the hosts already have to perform. You have to
> > look at X.25's hop-by-hop data windows to truly grok this point.
> >
> > Many people pick this up and twist it into ~the network has to be
> > application agnostic~ and then use this against NATs or firewalls,
> > which is simply a misuse of the principle. Really, this is a
> > separate principle in and of its own right. It's not one that I
> > subscribe to, but that's a different conversation...
>
> Maybe it's time to pull out some of Noel's work on both
> topics. Reasonable introductions to both the e2e
> principle and locator/id split topics can be found on
>
> http://users.exis.net/~jnc/tech/end_end.html and
> http://users.exis.net/~jnc/tech/endpoints.txt
>
Tony is right, thinking about it a bit more, I've mixed the two
together. I first came across the end-to-end argument (the "X.25"
example) in "Routing In the Internet". The other stuff (as well as e2e)
was in RFC1958, "Architectural Principles of the Internet", and a few
other places.

I see value in getting rid of NAT and firewalls (protecting host based
functions) out of the network because I've been burned by NAT on a few
occasions (due to its stateful nature, due to its lack of application
protocol support, due to its complexity when public address space would
have been a simpler and cheaper solution), and with hosts starting to
have multiple interfaces i.e. wired and wireless, it makes sense to me
that firewalling on the host itself is a better way to protect them,
rather than relying on a network topology located firewall that only
protects against attacks coming upstream from the firewall. We've
already pretty much evolved to the host based firewalling model anyway,
with all major desktop/server OSes coming out of the box already with
one. I think the major component missing is scalable policy deployment,
although I've been told that they are being developed as well.

I'm practical about NATs and network-located firewalls though, and
although I don't necessarily like doing it much, will suggest the
"conventional" NAT/firewall models/solutions when necessary.

Regards,
Mark.
--
The Internet's nature is peer to peer.