nanog mailing list archives

Re: quietly....

From: david raistrick <drais () icantclick org>
Date: Fri, 4 Feb 2011 13:04:00 -0500 (EST)

On Thu, 3 Feb 2011, Owen DeLong wrote:

      Er.  That's not news.  That's been the state of the art for
      what, 15+ years or so now?   SIP (because it's peer to peer) and
      P2P are really the only things that actually give a damn about
      it.

Largely because we've been living with the tradeoff that we had to break the
end-to-end model to temporarily compensate for an address shortage. Those of
us that remember life before NAT would prefer not to bring this damage
forward into an area of address abundance. In other words, yes, we gave up

Life before NAT, and firewalls (with or without SPI) on every PC and everyCPI, also was life before mass consuption of internet access by the"normal" folks. And before extensive cellular and wifi networks forinternet access. And before many of today's (common end user PC)security issues had been discovered.

Firewalls -destroy- the "end to end" model. You don't get inboundconnectivity past the firewall unless a rule is explicitly created.That's no different than NAT requiring specific work to be done.

Firewalls are not going away, if anything the continuing expansion ofconsumer users will create more and more breakage of theopen-everything-connects-to-everything model, regardless of what the coreengineering teams may want.

Hell, even without CPE doing it, many residential ISPs (regardless of NAT)block inbound traffic to consumers.

The end-to-end model ended a long long time ago....maybe it will comeback, but I rather doubt it.

We'll continue to have users, who run client software, and providers, whorun server software. And a mix in between, because the user end canCHOOSE to enable server functionality (with their feet, by choosing a newISP, at their firewall and or NAT device, and by enabling "server"software).

NAT doesn't destroy end-to-end. It just makes it slightly more difficult.But no more difficult that turning on a firewall does.It doesn't break anything that isn't trying to "announce" itself - andimo, applications that want to "announce" themselves seem like apretty big security hole.




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
drais () icantclick org             http://www.expita.com/nomime.html

Current thread:

Re: quietly...., (continued)
- - - Re: quietly.... Joe Greco (Feb 03)
    - Re: quietly.... Jack Bates (Feb 03)
    - Re: quietly.... Mark Andrews (Feb 03)
    - Re: quietly.... Jack Bates (Feb 03)
    - Re: quietly.... Mark Andrews (Feb 03)
    - Re: quietly.... Jack Bates (Feb 03)
    - Re: quietly.... Mark Andrews (Feb 03)
    - RE: quietly.... Matthew Huff (Feb 03)
    - Re: quietly.... david raistrick (Feb 03)
    - Re: quietly.... Owen DeLong (Feb 03)
    - Re: quietly.... david raistrick (Feb 04)
    - Re: quietly.... Mark Andrews (Feb 04)
    - Re: quietly.... david raistrick (Feb 04)
    - Re: quietly.... R A Lichtensteiger (Feb 04)
    - Re: quietly.... Joel Jaeggli (Feb 04)
    - Re: quietly.... Owen DeLong (Feb 04)
    - Re: quietly.... Jack Bates (Feb 04)
    - Re: quietly.... Owen DeLong (Feb 04)
    - Re: quietly.... Jack Bates (Feb 04)
    - RE: quietly.... George Bonser (Feb 04)
    - Re: quietly.... Jack Bates (Feb 04)

(Thread continues...)