nanog mailing list archives
Re: quietly....
From: isabel dias <isabeldias1 () yahoo com>
Date: Sun, 6 Feb 2011 06:45:45 -0800 (PST)
sure ................

________________________________
From: Lee Howard <lee () asgard org>
To: Owen DeLong <owen () delong com>; david raistrick <drais () icantclick org>
Cc: nanog () nanog org
Sent: Sun, February 6, 2011 2:16:35 PM
Subject: RE: quietly....

> The end-to-end model is about "If my packet is permitted by policy and
> delivered to the remote host, I expect it to arrive as sent, without
> unexpected modifications."

Well, it's about communications integrity being the responsibility of the endpoint. It is therefore expected that the network not mess with the communication. See http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf

> Nobody wants to get rid of firewalls.

Several people want to get rid of firewalls. Consistent with the end-to-end principle, hosts should provide their own policy enforcement. See expired draft-vyncke-advanced-ipv6-security-01. Unfortunately, the approach described doesn't work in state-of-the-art residential CPE, and relies heavily on endpoint security protection, which is weak in most Internet hosts.

> We want to get rid of NAT. Firewalls work great without NAT and by having
> firewalls without NAT, we gain back the end-to-end model while preserving
> the ability to enforce policy on end-to-end connectivity.

I would rather see hosts protect themselves from badness, and network security appliances be limited to protecting against network threats (a DDOS is a network threat; a service DOS is an application threat).

>> NAT doesn't destroy end-to-end. It just makes it slightly more difficult.
>> But no more difficult than turning on a firewall does. It doesn't break
>> anything that isn't trying to "announce" itself - and imo, applications
>> that want to "announce" themselves seem like a pretty big security hole.

Service discovery is an Internet weakness.

> NAT does destroy end-to-end. Firewalls do not.

Firewalls merely constrict it. Not that I advocate against the use of firewalls; in fact, I think I'm agreeing with you, and extending the argument a little further, that we should move from NAT to firewalls, then from stateful firewalls to secure hosts and network security appliances.

Lee
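The distinction the thread keeps circling (a stateful filter constricts end-to-end connectivity, NAT rewrites it) can be made concrete with a small simulation. The following is an added illustration, not code from the NANOG thread or from any of its participants: a toy model of three forwarding devices, a transparent network, a stateful packet filter, and a NAPT box, each fed the same constructed flows (an inside host opening a connection to a remote server, the server's reply, and an unsolicited inbound probe). The addresses, ports and class names are all constructed for the example.

```python
"""Toy comparison of a transparent network, a stateful filter and NAPT.

Added example for the NAT-vs-firewall discussion; not code from the thread.
Addresses come from RFC 1918 / documentation ranges and are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Transparent:
    """The end-to-end ideal: every packet is forwarded exactly as sent."""

    def forward(self, pkt):
        return pkt


class StatefulFilter:
    """Allow flows initiated from inside; drop unsolicited inbound.

    Packets that pass are forwarded unmodified, so the remote host sees
    the real source address and port: the filter constricts end-to-end
    reachability but does not rewrite anything."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.table = set()  # (src, sport, dst, dport) of flows seen outbound

    def is_inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.is_inside(pkt.src):
            self.table.add(key)  # outbound: remember the flow
            return pkt
        if rev in self.table:    # inbound reply to a known flow
            return pkt
        return None              # unsolicited inbound: dropped


class NAPT(StatefulFilter):
    """Port-translating NAT: keeps state like the filter, but rewrites the
    outbound source address/port and reverses the mapping on the way back."""

    def __init__(self, inside_prefix, public_addr):
        super().__init__(inside_prefix)
        self.public = public_addr
        self.mapping = {}     # public port -> (inside src, inside sport)
        self.next_port = 40000

    def _alloc(self, src, sport):
        for pport, inner in self.mapping.items():
            if inner == (src, sport):
                return pport
        pport = self.next_port
        self.next_port += 1
        self.mapping[pport] = (src, sport)
        return pport

    def forward(self, pkt):
        if self.is_inside(pkt.src):
            pport = self._alloc(pkt.src, pkt.sport)
            return replace(pkt, src=self.public, sport=pport)
        if pkt.dst == self.public and pkt.dport in self.mapping:
            src, sport = self.mapping[pkt.dport]
            return replace(pkt, dst=src, dport=sport)
        return None


def run_scenario(box):
    """Push three constructed packets through `box` and report what happened."""
    inside = Packet("10.0.0.10", 51000, "203.0.113.80", 80)  # inside -> remote
    out = box.forward(inside)
    reply = Packet(out.dst, out.dport, out.src, out.sport)   # remote answers what it saw
    back = box.forward(reply)
    probe = Packet("203.0.113.5", 4000, out.src, 22)         # unsolicited inbound
    return {
        "remote_sees_src": out.src,
        "end_to_end_preserved": (out.src, out.sport) == (inside.src, inside.sport),
        "reply_delivered": back is not None and back.dst == inside.src,
        "unsolicited_blocked": box.forward(probe) is None,
    }


def compare():
    return {
        "transparent": run_scenario(Transparent()),
        "stateful_filter": run_scenario(StatefulFilter("10.")),
        "napt": run_scenario(NAPT("10.", "198.51.100.1")),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Running it shows the three positions in the thread side by side: the transparent network preserves end-to-end addressing but blocks nothing; the stateful filter blocks the unsolicited probe while the remote still sees the real source; NAPT also blocks the probe, but the remote sees the translator's address, which is the "destroys end-to-end" point rather than the "constricts it" one.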