North American Network Operators Group


Re: IPv6 news

  • From: Mark Smith
  • Date: Mon Oct 17 17:49:51 2005

On Mon, 17 Oct 2005 07:57:52 -0700
David Meyer <[email protected]> wrote:

> On Sun, Oct 16, 2005 at 01:45:40AM -0700, Tony Li wrote:
> > 
> > >
> > 
> > This is probably the most common misunderstanding of the end-to-end  
> > principle out there.  Someone else can dig up the quote, but  
> > basically, the principle says that the network should not replicate  
> > functionality that the hosts already have to perform.  You have to  
> > look at X.25's hop-by-hop data windows to truly grok this point.
> > 
> > Many people pick this up and twist it into "the network has to be  
> > application agnostic" and then use this against NATs or firewalls,  
> > which is simply a misuse of the principle.  Really, this is a  
> > separate principle in and of its own right.  It's not one that I  
> > subscribe to, but that's a different conversation...
> 	Maybe it's time to pull out some of Noel's work on both
> 	topics. Reasonable introductions to both the e2e
> 	principle and locator/id split topics can be found on 
> and

Tony is right; thinking about it a bit more, I've mixed the two
together. I first came across the end-to-end argument (the "X.25"
example) in "Routing In the Internet". The other stuff (as well as e2e)
was in RFC 1958, "Architectural Principles of the Internet", and a few
other places.

I see value in getting NAT and firewalls (protecting host-based
functions) out of the network because I've been burned by NAT on a few
occasions (due to its stateful nature, due to its lack of application
protocol support, due to its complexity when public address space would
have been a simpler and cheaper solution), and with hosts starting to
have multiple interfaces, i.e., wired and wireless, it makes sense to me
that firewalling on the host itself is a better way to protect them,
rather than relying on a network-topology-located firewall that only
protects against attacks coming from upstream of the firewall. We've
already pretty much evolved to the host-based firewalling model anyway,
with all major desktop/server OSes coming out of the box with one
already. I think the major component missing is scalable policy
deployment, although I've been told that it is being developed as well.

I'm practical about NATs and network-located firewalls though, and
although I don't necessarily like doing it much, will suggest the
"conventional" NAT/firewall models/solutions when necessary.



        The Internet's nature is peer to peer.
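As an added illustration of the host-based firewalling point made above (this is not part of Mark's post, and not something he or NANOG published): the ruleset below is what a host-based firewall for a dual-homed Linux host looks like in nftables. The interface names (eth0 for wired, wlan0 for wireless) and the two service ports (22 and 443) are assumptions chosen for the example. The point it makes is the one in the post: a firewall sitting on the wired uplink says nothing about packets arriving over wlan0, so the host applies one stateful, default-deny inbound policy to every interface rather than trusting any particular one.

```nftables
# Added example, not from the original post or from any NANOG material.
# Host-based firewall for a dual-homed Linux host (nftables syntax).
# Assumptions: eth0 = wired, wlan0 = wireless; services on TCP 22 and 443.

flush ruleset

table inet host_fw {
    chain input {
        # Default deny inbound on ALL interfaces, not just the upstream one.
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host opened.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and (v6) neighbour
        # discovery; dropping them breaks more than it protects.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # WEAK form (left commented out on purpose): trusting an interface
        # because "it sits behind the corporate firewall" re-creates the
        # topology assumption the post argues against. Anything reaching
        # the host over wlan0 never crossed that perimeter firewall.
        # iif eth0 accept

        # CORRECTED form: allow only the services this host intends to
        # offer, and allow them identically on eth0 and wlan0.
        tcp dport { 22, 443 } accept

        # Everything else hits the chain policy (drop); keep a rate-limited
        # log line so the drops are visible to host-side detection.
        limit rate 5/minute log prefix "host_fw drop: "
    }

    chain forward {
        # This is an end host, not a router: never bridge eth0 and wlan0
        # traffic through it, which would turn the host into a path around
        # the network firewall.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f host_fw.nft` and inspect with `nft list ruleset`. The "scalable policy deployment" gap Mark mentions is exactly the part this file does not solve: it is one host's policy, and pushing a consistent version of it to every host is a configuration-management problem, not a packet-filtering one.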