The End-To-End Internet (was Re: Blocking MX query)

Jimmy Hess mysidia at
Thu Sep 6 00:28:33 UTC 2012

On 9/4/12, Jay Ashworth <jra at> wrote:
> It is regularly alleged, on this mailing list, that NAT is bad *because it
> violates the end-to-end principle of the Internet*, where each host is a
> full-fledged host, able to connect to any other host to perform
> transactions.
Both true.  and NAT inherently breaks the end-to-end principal for all
the applications.
Blocking port 25 traffic, also breaks the possibility of end-to-end
communications on that one port.

But not for the SMTP protocol.   SMTP End-to-End is preserved,  as
long as the SMTP relay provided does not introduce further

> We see it now alleged that the opposite is true: that a laptop, say, like
> mine, which runs Linux and postfix, and does not require a smarthost to
> deliver mail to a remote server *is a bad actor* *precisely because it does
> that* (in attempting to send mail directly to a domain's MX server) *from
> behind a NAT router*, and possibly different ones at different times.

Ding ding ding... behind a NAT router.   The  End-to-End principal is
already broken.
The 1:many NAT router prevents your host from being specifically
identified, in order to
efficiently and adequately identify,  report, and curtail abuse;  You
can't "break" the end-to-end principal in cases where it has already
been broken.

And selectively breaking end-to-end in limited circumstances is OK.
You choose to break it when the damage can be mitigated and the
concerns that demand breaking it are strong enough.

The end-to-end principal as you suggest primarily pertains to the
Internet protocol;  IP and TCP.  I believe you are trying to apply the
principal in an inappropriate way for the layer you are applying it

At the SMTP application layer  end-to-end internet connectivity  means
 you can send e-mail to any e-mail address and receive e-mail from any
e-mail address.   For HTTP; that would mean  you can retrieve a page
from any host,  and any remote HTTP client,  can retrieve an page from
your hosts;   that doesn't necessarily imply that the transaction will
be allowed,  but  if it is refused --  it is for an administrative
reason,  not due to a design flaw.

NAT would fall under design flaw, because it breaks end-to-end
connectivity, such that there is no longer an administrative choice
that can be made to restore it  (other than redesign with NAT

At the transport layer, end-to-end means you can establish connections
on various ports to any peer on the internet, and any peer can connect
to all ports on which you allow.   It doesn't necessarily mean that
all ports are allowed;  a remote host, or a firewall under their
control, deciding to block your connection is not a violation of

At the internet layer,  end-to-end means you can send any datagram to
any host on the internet it will be delivered to that host; and any
host can send a datagram to you.    It doesn't mean that none of your
packets will be discarded on the way,  because some specific
application or port has been banned.

At the link layer,  there is no end-to-end connectivity;  it is at IP
that  the notion first arises.

> I find these conflicting reports very conflicting.  Either the end-to-end
> principle *is* the Prime Directive... or it is *not*.
> Cheers,
> -- jra
> --
> Jay R. Ashworth                  Baylink
> jra at
> Designer                     The Things I Think                       RFC
> 2100
> Ashworth & Associates         2000 Land Rover
> St Petersburg FL USA               #natog                      +1 727 647
> 1274


More information about the NANOG mailing list