nanog mailing list archives

Re: quietly....


From: Owen DeLong <owen () delong com>
Date: Fri, 4 Feb 2011 16:27:56 -0800


On Feb 4, 2011, at 10:04 AM, david raistrick wrote:

> On Thu, 3 Feb 2011, Owen DeLong wrote:
>
>>> Er.  That's not news.  That's been the state of the art for
>>> what, 15+ years or so now?   SIP (because it's peer to peer) and
>>> P2P are really the only things that actually give a damn about
>>> it.
>>
>> Largely because we've been living with the tradeoff that we had to break the
>> end-to-end model to temporarily compensate for an address shortage. Those of
>> us that remember life before NAT would prefer not to bring this damage
>> forward into an area of address abundance. In other words, yes, we gave up


> Life before NAT, and firewalls (with or without SPI) on every PC and every CPE, also was life before mass consumption
> of internet access by the "normal" folks.   And before extensive cellular and wifi networks for internet access.
> And before many of today's (common end user PC) security issues had been discovered.


> Firewalls -destroy- the "end to end" model.   You don't get inbound connectivity past the firewall unless a rule is
> explicitly created. That's no different than NAT requiring specific work to be done.

No... Firewalls enforce policies on the end-to-end connectivity.

The end-to-end model is not about every host can deliver a packet to every other host. That is a misunderstanding of 
the meaning and principle of the end-to-end model.

The end-to-end model is about "If my packet is permitted by policy and delivered to the remote host, I expect it to 
arrive as sent, without unexpected modifications."

Mutilating the IP address portion of the header is an unexpected modification.
Decrementing the TTL and replacing the MAC address for routing are not unexpected modifications.

> Firewalls are not going away; if anything, the continuing expansion of consumer users will create more and more
> breakage of the open-everything-connects-to-everything model, regardless of what the core engineering teams may want.

Nobody wants to get rid of firewalls. We want to get rid of NAT. Firewalls work great without NAT and by having
firewalls without NAT, we gain back the end-to-end model while preserving the ability to enforce policy on
end-to-end connectivity.


> Hell, even without CPE doing it, many residential ISPs (regardless of NAT) block inbound traffic to consumers.

Really? And they have subscribers? Surprising.


> The end-to-end model ended a long long time ago....maybe it will come back, but I rather doubt it.

Sadly, yes. We gave up the end-to-end model when we accepted NAT as a workaround for address
shortage. We did so believing that IPv6 deployment and migration would eventually remove this
shortage (which it does) and allow us to restore the end-to-end model.

Now you're suggesting we should abandon that hope? I think not.


> We'll continue to have users, who run client software, and providers, who run server software.   And a mix in
> between, because the user end can CHOOSE to enable server functionality (with their feet, by choosing a new ISP, at
> their firewall and or NAT device, and by enabling "server" software).

There is no need for NAT.


> NAT doesn't destroy end-to-end.  It just makes it slightly more difficult. But no more difficult than turning on a
> firewall does.
> It doesn't break anything that isn't trying to "announce" itself - and imo, applications that want to "announce"
> themselves seem like a pretty big security hole.

NAT does destroy end-to-end. Firewalls do not.

Owen


