North American Network Operators Group

Re: IPv6 news
On Mon, 17 Oct 2005 07:57:52 -0700 David Meyer <[email protected]> wrote:

> On Sun, Oct 16, 2005 at 01:45:40AM -0700, Tony Li wrote:
> >
> > <snip>
> >
> > This is probably the most common misunderstanding of the end-to-end
> > principle out there. Someone else can dig up the quote, but
> > basically, the principle says that the network should not replicate
> > functionality that the hosts already have to perform. You have to
> > look at X.25's hop-by-hop data windows to truly grok this point.
> >
> > Many people pick this up and twist it into "the network has to be
> > application agnostic" and then use this against NATs or firewalls,
> > which is simply a misuse of the principle. Really, this is a
> > separate principle in and of its own right. It's not one that I
> > subscribe to, but that's a different conversation...
>
> Maybe it's time to pull out some of Noel's work on both
> topics. Reasonable introductions to both the e2e
> principle and locator/id split topics can be found on
>
> http://users.exis.net/~jnc/tech/end_end.html and
> http://users.exis.net/~jnc/tech/endpoints.txt
>

Tony is right; thinking about it a bit more, I've mixed the two together. I first came across the end-to-end argument (the "X.25" example) in "Routing In the Internet". The other stuff (as well as e2e) was in RFC1958, "Architectural Principles of the Internet", and a few other places.

I see value in getting NAT and firewalls (protecting host based functions) out of the network because I've been burned by NAT on a few occasions (due to its stateful nature, due to its lack of application protocol support, due to its complexity when public address space would have been a simpler and cheaper solution), and with hosts starting to have multiple interfaces, i.e. wired and wireless, it makes sense to me that firewalling on the host itself is a better way to protect them, rather than relying on a network topology located firewall that only protects against attacks coming upstream from the firewall.

We've already pretty much evolved to the host based firewalling model anyway, with all major desktop/server OSes coming out of the box already with one. I think the major component missing is scalable policy deployment, although I've been told that they are being developed as well.

I'm practical about NATs and network-located firewalls though, and although I don't necessarily like doing it much, will suggest the "conventional" NAT/firewall models/solutions when necessary.

Regards,
Mark.

-- 
The Internet's nature is peer to peer.
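The dual-interface case Mark describes, as an added illustration that is not part of the thread: a host-local nftables ruleset that is evaluated on the host itself, so the same policy covers packets arriving over wired or wireless rather than only those that pass a perimeter box. The interface names eth0/wlan0 and ssh as the only offered service are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed host: a laptop with a wired
# interface (eth0) and a wireless one (wlan0), offering only ssh.
# The input hook runs for every interface, so there is no "upstream" side
# that the policy fails to see.
flush ruleset

table inet host_policy {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to flows this host initiated
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services offered, with no per-interface carve-out: the rule applies
        # whether the packet came in on eth0 or wlan0
        tcp dport 22 accept comment "ssh"

        # Everything else is logged (rate-limited) and then dropped by policy
        limit rate 5/second log prefix "host-fw drop: "
    }

    chain forward {
        # An end host is not a router; never relay between eth0 and wlan0,
        # which is exactly the bypass a perimeter firewall cannot observe
        type filter hook forward priority 0; policy drop;
    }
}
```

The "scalable policy deployment" gap is then just shipping this one file to every host with whatever configuration management is in use and loading it with `nft -f`.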