marka at isc.org
Fri Feb 4 15:54:30 CST 2011
In message <alpine.BSF.2.00.1102041250570.54349 at murf.icantclick.org>, david rai
> On Thu, 3 Feb 2011, Owen DeLong wrote:
> > Er. That's not news. That's been the state of the art for
> > what, 15+ years or so now? SIP (because it's peer to peer) and
> > P2P are really the only things that actually give a damn about
> > it.
> > Largely because we've been living with the tradeoff that we had to break th
> > end-to-end model to temporarily compensate for an address shortage. Those o
> > us that remember life before NAT would prefer not to bring this damage
> > forward into an area of address abundance. In other words, yes, we gave up
> Life before NAT, and firewalls (with or without SPI) on every PC and every
> CPE, also was life before mass consumption of internet access by the
> "normal" folks. And before extensive cellular and wifi networks for
> internet access. And before many of today's (common end user PC)
> security issues had been discovered.
> Firewalls -destroy- the "end to end" model. You don't get inbound
> connectivity past the firewall unless a rule is explicitly created.
> That's no different than NAT requiring specific work to be done.
No, they don't. "End to end" is about knowing how to reach everybody,
whether that is permitted or not.
> Firewalls are not going away, if anything the continuing expansion of
> consumer users will create more and more breakage of the
> open-everything-connects-to-everything model, regardless of what the core
> engineering teams may want.
While it may be the default, it should also be able to be turned
off. CPE devices are not just used at the edges of networks. The
same boxes are used inside networks.
> Hell, even without CPE doing it, many residential ISPs (regardless of NAT)
> block inbound traffic to consumers.
Some ISPs do lots of stupid things.
> The end-to-end model ended a long long time ago....maybe it will come
> back, but I rather doubt it.
> We'll continue to have users, who run client software, and providers, who
> run server software. And a mix in between, because the user end can
> CHOOSE to enable server functionality (with their feet, by choosing a new
> ISP, at their firewall and or NAT device, and by enabling "server"
> NAT doesn't destroy end-to-end. It just makes it slightly more difficult.
> But no more difficult than turning on a firewall does.
Actually it's a lot more difficult.
> It doesn't break anything that isn't trying to "announce" itself - and
> imo, applications that want to "announce" themselves seem like a
> pretty big security hole.
Web browsers are much bigger security holes, running arbitrary code
because some web page developer thought it would look nice. Most
servers are written assuming the input stream is hostile.
I run machines all the time that don't have a firewall to protect
them from the big wide world out there. I suspect we all do. You're
not behind an external firewall when you are at NANOG or IETF.
Everyone doesn't suddenly get "owned" because there isn't an external
firewall. Modern OSs default to secure.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org