IPv6 news
Mark Smith
random at 72616e646f6d20323030342d30342d31360a.nosense.org
Mon Oct 17 21:45:13 UTC 2005
On Mon, 17 Oct 2005 07:57:52 -0700
David Meyer <dmm at 1-4-5.net> wrote:
> On Sun, Oct 16, 2005 at 01:45:40AM -0700, Tony Li wrote:
> >
> > >
<snip>
> >
> > This is probably the most common misunderstanding of the end-to-end
> > principle out there. Someone else can dig up the quote, but
> > basically, the principle says that the network should not replicate
> > functionality that the hosts already have to perform. You have to
> > look at X.25's hop-by-hop data windows to truly grok this point.
> >
> > Many people pick this up and twist it into ~the network has to be
> > application agnostic~ and then use this against NATs or firewalls,
> > which is simply a misuse of the principle. Really, this is a
> > separate principle in and of its own right. It's not one that I
> > subscribe to, but that's a different conversation...
>
> Maybe it's time to pull out some of Noel's work on both
> topics. Reasonable introductions to both the e2e
> principle and locator/id split topics can be found on
>
> http://users.exis.net/~jnc/tech/end_end.html and
> http://users.exis.net/~jnc/tech/endpoints.txt
>
Tony is right; thinking about it a bit more, I've mixed the two
together. I first came across the end-to-end argument (the "X.25"
example) in "Routing In the Internet". The other stuff (as well as e2e)
was in RFC1958, "Architectural Principles of the Internet", and a few
other places.

I see value in getting NAT and firewalls (protecting host-based
functions) out of the network because I've been burned by NAT on a few
occasions (due to its stateful nature, due to its lack of application
protocol support, due to its complexity when public address space would
have been a simpler and cheaper solution), and with hosts starting to
have multiple interfaces, i.e. wired and wireless, it makes sense to me
that firewalling on the host itself is a better way to protect them,
rather than relying on a network-topology-located firewall that only
protects against attacks coming upstream from the firewall. We've
already pretty much evolved to the host-based firewalling model anyway,
with all major desktop/server OSes coming out of the box already with
one. I think the major component missing is scalable policy deployment,
although I've been told that they are being developed as well.

I'm practical about NATs and network-located firewalls though, and
although I don't necessarily like doing it much, will suggest the
"conventional" NAT/firewall models/solutions when necessary.

Regards,
Mark.
--
The Internet's nature is peer to peer.