The End-To-End Internet (was Re: Blocking MX query)
mysidia at gmail.com
Thu Sep 6 00:28:33 UTC 2012
On 9/4/12, Jay Ashworth <jra at baylink.com> wrote:
> It is regularly alleged, on this mailing list, that NAT is bad *because it
> violates the end-to-end principle of the Internet*, where each host is a
> full-fledged host, able to connect to any other host to perform
Both true. and NAT inherently breaks the end-to-end principal for all
Blocking port 25 traffic, also breaks the possibility of end-to-end
communications on that one port.
But not for the SMTP protocol. SMTP End-to-End is preserved, as
long as the SMTP relay provided does not introduce further
> We see it now alleged that the opposite is true: that a laptop, say, like
> mine, which runs Linux and postfix, and does not require a smarthost to
> deliver mail to a remote server *is a bad actor* *precisely because it does
> that* (in attempting to send mail directly to a domain's MX server) *from
> behind a NAT router*, and possibly different ones at different times.
Ding ding ding... behind a NAT router. The End-to-End principal is
The 1:many NAT router prevents your host from being specifically
identified, in order to
efficiently and adequately identify, report, and curtail abuse; You
can't "break" the end-to-end principal in cases where it has already
And selectively breaking end-to-end in limited circumstances is OK.
You choose to break it when the damage can be mitigated and the
concerns that demand breaking it are strong enough.
The end-to-end principal as you suggest primarily pertains to the
Internet protocol; IP and TCP. I believe you are trying to apply the
principal in an inappropriate way for the layer you are applying it
At the SMTP application layer end-to-end internet connectivity means
you can send e-mail to any e-mail address and receive e-mail from any
e-mail address. For HTTP; that would mean you can retrieve a page
from any host, and any remote HTTP client, can retrieve an page from
your hosts; that doesn't necessarily imply that the transaction will
be allowed, but if it is refused -- it is for an administrative
reason, not due to a design flaw.
NAT would fall under design flaw, because it breaks end-to-end
connectivity, such that there is no longer an administrative choice
that can be made to restore it (other than redesign with NAT
At the transport layer, end-to-end means you can establish connections
on various ports to any peer on the internet, and any peer can connect
to all ports on which you allow. It doesn't necessarily mean that
all ports are allowed; a remote host, or a firewall under their
control, deciding to block your connection is not a violation of
At the internet layer, end-to-end means you can send any datagram to
any host on the internet it will be delivered to that host; and any
host can send a datagram to you. It doesn't mean that none of your
packets will be discarded on the way, because some specific
application or port has been banned.
At the link layer, there is no end-to-end connectivity; it is at IP
that the notion first arises.
> I find these conflicting reports very conflicting. Either the end-to-end
> principle *is* the Prime Directive... or it is *not*.
> -- jra
> Jay R. Ashworth Baylink
> jra at baylink.com
> Designer The Things I Think RFC
> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover
> St Petersburg FL USA #natog +1 727 647
More information about the NANOG