
> The end-to-end model is about "If my packet is permitted by policy and
> delivered to the remote host, I expect it to arrive as sent, without unexpected

Well, it's about communications integrity being the responsibility of the
endpoint.  It is therefore expected that the network not mess with the
communication.
See http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf

> Nobody wants to get rid of firewalls. 

Several people want to get rid of firewalls.  Consistent with the end-to-end
principle, hosts should provide their own policy enforcement.  See expired 

Unfortunately, the approach described doesn't work in state-of-the-art
CPE, and relies heavily on endpoint security protection, which is weak in
Internet hosts.   

> We want to get rid of NAT. Firewalls work great without NAT and by having
> firewalls without NAT, we gain back the end-to-end model while preserving
> the ability to enforce policy on end-to-end connectivity.

I would rather see hosts protect themselves from badness, and network
appliances be limited to protecting against network threats (a DDOS is a
threat; a service DOS is an application threat).

> > NAT doesn't destroy end-to-end.  It just makes it slightly more
> > difficult. But no more difficult that turning on a firewall does.
> > It doesn't break anything that isn't trying to "announce" itself - and
> > imo, applications that want to "announce" themselves seem like a pretty
> > big security hole.

Service discovery is an Internet weakness.

> NAT does destroy end-to-end. Firewalls do not.

Firewalls merely constrict it.  Not that I advocate against the use of
in fact, I think I'm agreeing with you, and extending the argument a little
that we should move from NAT to firewalls, then from stateful firewalls to
secure hosts and network security appliances.