On Mon, 17 Oct 2005 07:57:52 -0700 David Meyer <dmm@1-4-5.net> wrote:
> On Sun, Oct 16, 2005 at 01:45:40AM -0700, Tony Li wrote:
> > <snip>
> > This is probably the most common misunderstanding of the end-to-end principle out there. Someone else can dig up the quote, but basically, the principle says that the network should not replicate functionality that the hosts already have to perform. You have to look at X.25's hop-by-hop data windows to truly grok this point.
> > Many people pick this up and twist it into "the network has to be application agnostic" and then use this against NATs or firewalls, which is simply a misuse of the principle. Really, this is a separate principle in and of its own right. It's not one that I subscribe to, but that's a different conversation...
> Maybe it's time to pull out some of Noel's work on both topics. Reasonable introductions to both the e2e principle and locator/id split topics can be found on
> http://users.exis.net/~jnc/tech/end_end.html and http://users.exis.net/~jnc/tech/endpoints.txt
Tony is right. Thinking about it a bit more, I've mixed the two together. I first came across the end-to-end argument (the "X.25" example) in "Routing In the Internet". The other stuff (as well as e2e) was in RFC1958, "Architectural Principles of the Internet", and a few other places.

I see value in getting NAT and firewalls (protecting host-based functions) out of the network because I've been burned by NAT on a few occasions (due to its stateful nature, due to its lack of application protocol support, due to its complexity when public address space would have been a simpler and cheaper solution), and with hosts starting to have multiple interfaces, i.e. wired and wireless, it makes sense to me that firewalling on the host itself is a better way to protect them, rather than relying on a network-topology-located firewall that only protects against attacks coming upstream from the firewall.

We've already pretty much evolved to the host-based firewalling model anyway, with all major desktop/server OSes coming out of the box with one. I think the major component missing is scalable policy deployment, although I've been told that this is being developed as well.

I'm practical about NATs and network-located firewalls though, and although I don't necessarily like doing it much, I will suggest the "conventional" NAT/firewall models/solutions when necessary.

Regards,
Mark.

--
The Internet's nature is peer to peer.
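The host-based model Mark describes for a multi-homed host (wired plus wireless) can be made concrete with a per-interface ruleset. The following nftables configuration is an added example for this page, not code from the original thread or from any of the posters; the interface names eth0 and wlan0, the 10.0.0.0/8 LAN range, and the choice of sshd as the only inbound service are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: host-based firewall with a different inbound policy per interface.
# Assumptions (not from the original post): eth0 is the wired interface on a
# trusted LAN numbered 10.0.0.0/8, wlan0 is the wireless interface, and the only
# service the host offers is sshd on TCP 22.
flush ruleset

table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and packets belonging to flows the host itself started.
        # This rule is what lets the host use its wireless link for outbound
        # traffic even though wlan0 accepts no inbound connections below.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The minimum ICMP/ICMPv6 the host needs to operate on either link
        # (path MTU discovery, neighbour discovery, router advertisements).
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Wired interface: accept ssh, and only from the LAN range.
        iifname "eth0" ip saddr 10.0.0.0/8 tcp dport 22 accept

        # Wireless interface: no inbound services at all. The counter keeps
        # the drop visible in `nft list ruleset` without logging every packet.
        iifname "wlan0" counter drop
    }

    chain forward {
        # This is an end host, not a router: never bridge the wired and
        # wireless segments through it.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` as root and inspect the result with `nft list ruleset`. The point of the example is the one Mark makes: the policy travels with the host, so it holds whether the attack arrives over the wired segment, the wireless segment, or from a peer on the same LAN that a perimeter firewall would never see. What it does not solve is the part he identifies as missing, distributing and keeping such rulesets consistent across a fleet of hosts.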