quietly....

david raistrick drais at icantclick.org
Fri Feb 4 18:04:00 UTC 2011 

On Thu, 3 Feb 2011, Owen DeLong wrote:

>       Er.  That's not news.  That's been the state of the art for
>       what, 15+ years or so now?   SIP (because it's peer to peer) and
>       P2P are really the only things that actually give a damn about
>       it.
> 
> Largely because we've been living with the tradeoff that we had to break the
> end-to-end model to temporarily compensate for an address shortage. Those of
> us that remember life before NAT would prefer not to bring this damage
> forward into an area of address abundance. In other words, yes, we gave up


Life before NAT, and firewalls (with or without SPI) on every PC and every 
CPI, also was life before mass consuption of internet access by the 
"normal" folks.   And before extensive cellular and wifi networks for 
internet access.   And before many of today's (common end user PC) 
security issues had been discovered.


Firewalls -destroy- the "end to end" model.   You don't get inbound 
connectivity past the firewall unless a rule is explicitly created. 
That's no different than NAT requiring specific work to be done.

Firewalls are not going away, if anything the continuing expansion of 
consumer users will create more and more breakage of the 
open-everything-connects-to-everything model, regardless of what the core 
engineering teams may want.


Hell, even without CPE doing it, many residential ISPs (regardless of NAT) 
block inbound traffic to consumers.


The end-to-end model ended a long long time ago....maybe it will come 
back, but I rather doubt it.


We'll continue to have users, who run client software, and providers, who 
run server software.   And a mix in between, because the user end can 
CHOOSE to enable server functionality (with their feet, by choosing a new 
ISP, at their firewall and or NAT device, and by enabling "server" 
software).


NAT doesn't destroy end-to-end.  It just makes it slightly more difficult. 
But no more difficult that turning on a firewall does.
It doesn't break anything that isn't trying to "announce" itself - and 
imo, applications that want to "announce" themselves seem like a 
pretty big security hole.



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org             http://www.expita.com/nomime.html

More information about the NANOG mailing list