quietly....

Owen DeLong owen at delong.com
Fri Feb 4 18:27:56 CST 2011


On Feb 4, 2011, at 10:04 AM, david raistrick wrote:

> On Thu, 3 Feb 2011, Owen DeLong wrote:
> 
>>      Er.  That's not news.  That's been the state of the art for
>>      what, 15+ years or so now?   SIP (because it's peer to peer) and
>>      P2P are really the only things that actually give a damn about
>>      it.
>> Largely because we've been living with the tradeoff that we had to break the
>> end-to-end model to temporarily compensate for an address shortage. Those of
>> us that remember life before NAT would prefer not to bring this damage
>> forward into an area of address abundance. In other words, yes, we gave up
> 
> 
> Life before NAT, and firewalls (with or without SPI) on every PC and every CPI, also was life before mass consuption of internet access by the "normal" folks.   And before extensive cellular and wifi networks for internet access.   And before many of today's (common end user PC) security issues had been discovered.
> 
> 
> Firewalls -destroy- the "end to end" model.   You don't get inbound connectivity past the firewall unless a rule is explicitly created. That's no different than NAT requiring specific work to be done.
> 
No... Firewalls enforce policies on the end-to-end connectivity.

The end-to-end model is not about every host can deliver a packet to every other host. That is a misunderstanding of the meaning and principle of the end-to-end model.

The end-to-end model is about "If my packet is permitted by policy and delivered to the remote host, I expect it to arrive as sent, without unexpected modifications."

Mutilating the IP address portion of the header is an unexpected modification.
Decrementing the TTL and replacing the MAC address for routing are not unexpected modifications.

> Firewalls are not going away, if anything the continuing expansion of consumer users will create more and more breakage of the open-everything-connects-to-everything model, regardless of what the core engineering teams may want.
> 
Nobody wants to get rid of firewalls. We want to get rid of NAT. Firewalls work great without NAT and by having
firewalls without NAT, we gain back the end-to-end model while preserving the ability to enforce policy on
end-to-end connectivity.

> 
> Hell, even without CPE doing it, many residential ISPs (regardless of NAT) block inbound traffic to consumers.
> 
Really? And they have subscribers? Surprising.

> 
> The end-to-end model ended a long long time ago....maybe it will come back, but I rather doubt it.
> 
Sadly, yes. We gave up the end-to-end model when we accepted NAT as a workaround for address
shortage. We did so believing that IPv6 deployment and migration would eventually remove this
shortage (which it does) and allow us to restore the end-to-end model.

Now you're suggesting we should abandon that hope? I think not.

> 
> We'll continue to have users, who run client software, and providers, who run server software.   And a mix in between, because the user end can CHOOSE to enable server functionality (with their feet, by choosing a new ISP, at their firewall and or NAT device, and by enabling "server" software).
> 
There is no need for NAT.

> 
> NAT doesn't destroy end-to-end.  It just makes it slightly more difficult. But no more difficult that turning on a firewall does.
> It doesn't break anything that isn't trying to "announce" itself - and imo, applications that want to "announce" themselves seem like a pretty big security hole.
> 
NAT does destroy end-to-end. Firewalls do not.

Owen





More information about the NANOG mailing list