quietly....

Lee Howard lee at asgard.org
Sun Feb 6 08:16:35 CST 2011


> The end-to-end model is about "If my packet is permitted by policy and
> delivered to the remote host, I expect it to arrive as sent, without
> unexpected modifications."

Well, it's about communications integrity being the responsibility of the
endpoint.  It is therefore expected that the network not mess with the
communication.
See http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf

> Nobody wants to get rid of firewalls. 

Several people want to get rid of firewalls.  Consistent with the end-to-end
principle, hosts should provide their own policy enforcement.  See expired 
draft-vyncke-advanced-ipv6-security-01

Unfortunately, the approach described doesn't work in state-of-the-art
residential CPE, and relies heavily on endpoint security protection, which
is weak in most Internet hosts.

> We want to get rid of NAT. Firewalls work great without NAT and by having
> firewalls without NAT, we gain back the end-to-end model while preserving
> the ability to enforce policy on end-to-end connectivity.

I would rather see hosts protect themselves from badness, and network
security appliances be limited to protecting against network threats (a DDOS
is a network threat; a service DOS is an application threat).

> > NAT doesn't destroy end-to-end.  It just makes it slightly more
> > difficult. But no more difficult than turning on a firewall does.
> > It doesn't break anything that isn't trying to "announce" itself - and
> > imo, applications that want to "announce" themselves seem like a pretty
> > big security hole.

Service discovery is an Internet weakness.

> NAT does destroy end-to-end. Firewalls do not.

Firewalls merely constrict it.  Not that I advocate against the use of
firewalls; in fact, I think I'm agreeing with you, and extending the argument
a little further, that we should move from NAT to firewalls, then from
stateful firewalls to secure hosts and network security appliances.

Lee
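As an added illustration of the "hosts should provide their own policy enforcement" position argued in the message above (this is editor-supplied example configuration, not something posted to the thread or taken from draft-vyncke-advanced-ipv6-security), here is a minimal stateful nftables ruleset for a dual-stack host that does all the filtering the message asks of an endpoint without any address translation: outbound connections are allowed, return traffic is matched by connection tracking, and only explicitly listed services accept unsolicited inbound connections. The service ports (22 and 443) are placeholders for whatever the host actually runs; the ICMPv6 allow-list is what IPv6 neighbor discovery and path MTU discovery need in order to keep the end-to-end path working.

```nft
# Host-local stateful policy (added example; not from the original thread).
# Loaded with: nft -f host-policy.nft
# The "inet" family applies the same rules to IPv4 and IPv6.
table inet host_policy {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always local.
        iif lo accept

        # Replies to connections this host initiated, plus related flows
        # (e.g. ICMP errors for an existing connection).
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the host needs for neighbor discovery, router discovery and
        # path MTU discovery; dropping these breaks IPv6 connectivity.
        icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert,
            packet-too-big, destination-unreachable,
            time-exceeded, parameter-problem,
            echo-request
        } accept

        # IPv4 ICMP needed for PMTU and basic diagnostics.
        icmp type { destination-unreachable, time-exceeded, echo-request } accept

        # Services this host intentionally exposes (placeholder ports;
        # replace with the host's real services).
        tcp dport { 22, 443 } accept

        # Everything else is dropped by the chain policy above.
    }

    chain output {
        # The endpoint decides its own outbound policy; default allow here.
        type filter hook output priority 0; policy accept;
    }
}
```

Because there is no `nat` chain in this table, source and destination addresses are never rewritten: the remote peer sees the host's real address and the host sees the peer's, which is the end-to-end property the message wants to preserve. The ruleset is also the unit an administrator would audit when moving, as the message puts it, "from stateful firewalls to secure hosts": the policy lives on the host, so a network appliance upstream can be reduced to handling network-level threats.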

More information about the NANOG mailing list