RE: [arin-announce] IPv4 Address Space (fwd)
On Tue, 28 Oct 2003, Kuhtz, Christian wrote:
Excuse my rambling and what some may consider heresy even :), but..
One question to ask is whether IPv6's approach is the right one, furthering a particular way of doing things rather than really reinventing itself. Do I really need global awareness of address space? Why isn't address space a tool, services is what you're really after, and why not build an
those who do not understand end-to-end are doomed to reimplement it, poorly.
End-to-end requires that people writing the software at the end learn about buffer overruns (and other data-driven access violations) or program using tools that prevent such things. It is otherwise an excellent idea. Unfortunately, the day that someone decided their poorly-designed machine and operating system would be safer sitting behind a "firewall" pretty much marked the end of universal end-to-end connectivity, and I don't see it coming back for a long long time. Probably not on this Internet. IPv6 or not. Combine that with ISP pricing models (helped by registry policy) that encourage <=1 IP address per household, and the subsequent boom in NAT boxes, and the fate is probably sealed. Matthew Kaufman matthew@eeph.com
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Greg Maxwell
those who do not understand end-to-end are doomed to reimplement it, poorly.
On Tue, 28 Oct 2003, Matthew Kaufman wrote:
End-to-end requires that people writing the software at the end learn about buffer overruns (and other data-driven access violations) or program using tools that prevent such things. It is otherwise an excellent idea.
A lack of end-to-end just obscures the problem, it does not remove it. Host based firewalling or tcpwrapper style approaches address this point just as well, if not much better. At least if systems shipped with them defaulting to DENY.
Unfortunately, the day that someone decided their poorly-designed machine and operating system would be safer sitting behind a "firewall" pretty much marked the end of universal end-to-end connectivity, and I don't see it coming back for a long long time. Probably not on this Internet. IPv6 or not.
Unfortunate exceptions to the correct design methodology are not an acceptable reason to ignore the correct solution. Most NAT workaround methods currently used by applications fail horribly when both endpoints are behind a NAT, so we are only beginning to feel the initial impact of our reality of slightly broken end-to-end. Imagine an internet that never had end-to-end as a goal... where 'circuits' had to be manually provisioned across multiple carriers networks... where address translation happens at every intra-agency link. Oh wait, we call that the public switched telephone network... and I'm sure we're all already well aware of the amount of innovation that infrastructure affords us, and it's highly economic pricing model as well! I think it's amusing that I see the largest arguments against end-to-end coming from people who ran the networks that the end-to-end internet made largely obsolete.
Combine that with ISP pricing models (helped by registry policy) that encourage <=1 IP address per household, and the subsequent boom in NAT boxes, and the fate is probably sealed.
ISPs simply respond to demand. We're all market whores on this list. Where there is a competitive advantage to offer multiple IPs per customer the ISPs will provide it: we already see this in highly competitive markets. Providing many IPs per household requires no major change to infrastructure, it's simply a policy decision.
Matthew Kaufman wrote:
End-to-end requires that people writing the software at the end learn about buffer overruns (and other data-driven access violations) or program using tools that prevent such things. It is otherwise an excellent idea.
There is supposedly some magic going into this in the next "Service Pack" of a mentioned major exploding Pinto. Not sure if it´s just flipping the joke of firewall on by default or something more comprehensive/destructive like non-executable stack. Or a completely new invention like bug free code :-)
Unfortunately, the day that someone decided their poorly-designed machine and operating system would be safer sitting behind a "firewall" pretty much marked the end of universal end-to-end connectivity, and I don't see it coming back for a long long time. Probably not on this Internet. IPv6 or not.
Last I checked most "firewall"s don´t make these machines safe, it might make them safer, so only two out of three malwares hit them. Does not really help too much.
Combine that with ISP pricing models (helped by registry policy) that encourage <=1 IP address per household, and the subsequent boom in NAT boxes, and the fate is probably sealed.
Here I´ve observed opposite trend, most ISP´s are getting rid of NATting because it´s failure prone and expensive to implement and keep running. Pete
I think if program design criterion would change, to coding secure applications then the problem would be reduced dramatically -Henry Petri Helenius <pete@he.iki.fi> wrote: Matthew Kaufman wrote:
End-to-end requires that people writing the software at the end learn about buffer overruns (and other data-driven access violations) or program using tools that prevent such things. It is otherwise an excellent idea.
There is supposedly some magic going into this in the next "Service Pack" of a mentioned major exploding Pinto. Not sure if it�s just flipping the joke of firewall on by default or something more comprehensive/destructive like non-executable stack. Or a completely new invention like bug free code :-)
Unfortunately, the day that someone decided their poorly-designed machine and operating system would be safer sitting behind a "firewall" pretty much marked the end of universal end-to-end connectivity, and I don't see it coming back for a long long time. Probably not on this Internet. IPv6 or not.
Last I checked most "firewall"s don�t make these machines safe, it might make them safer, so only two out of three malwares hit them. Does not really help too much.
Combine that with ISP pricing models (helped by registry policy) that encourage <=1 IP address per household, and the subsequent boom in NAT boxes, and the fate is probably sealed.
Here I�ve observed opposite trend, most ISP�s are getting rid of NATting because it�s failure prone and expensive to implement and keep running. Pete
and operating system would be safer sitting behind a "firewall" pretty much marked the end of universal end-to-end connectivity, and I don't see it
An OS-level (software) firewall doesn't preclude end-to-end connectivity, and even a per-machine hardware firewall doesn't given it can pass inbound traffic through. Most servers on the Internet are also behind hardware firewalls, and they don't hinder end-to-end connectivity.
Last I checked most "firewall"s don´t make these machines safe, it might make them safer, so only two out of three malwares hit them.
A probably configured firewall will protect a machine against everything but it's user, and therein lies a problem you will likely never solve. Adam
On Tue, 28 Oct 2003 18:28:55 CST, Adam Selene <nospam@vguild.com> said:
A probably configured firewall will protect a machine against everything but it's user, and therein lies a problem you will likely never solve.
The real problem is that we have an environment where the malware can figure out how to disable the firewall but the user can't.
On Tue, 28 Oct 2003 18:28:55 CST, Adam Selene <nospam@vguild.com> said:
A probably configured firewall will protect a machine against everything but it's user, and therein lies a problem you will likely never solve.
The real problem is that we have an environment where the malware can figure out how to disable the firewall but the user can't.
Hopefully, one day software will be good enough the user won't have to be smart. And even clever malware will need some good luck to do its job. DJ
Date: Tue, 28 Oct 2003 21:51:01 -0500 From: Valdis.Kletnieks@...
The real problem is that we have an environment where the malware can figure out how to disable the firewall but the user can't.
And part of why the current Internet has so much peer-to-peer traffic on it. ;-) Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _________________________________________________________________ DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net Sending mail to spambait addresses is a great way to get blocked.
participants (8)
-
Adam Selene
-
Deepak Jain
-
E.B. Dreger
-
Greg Maxwell
-
Henry Linneweh
-
Matthew Kaufman
-
Petri Helenius
-
Valdis.Kletnieks@vt.edu