Brian is playing unfair here by introducing an actual application layer
consequence into the architecture discussion :-)
The referral problem he refers to is real, but I see it more as a
consequence of the IETF being too rigid in its approach to address
numbering.
The basic question here is that we have two hosts that are to connect for a
peer-to-peer protocol in which either endpoint can initiate or respond to a
connection request.
Clearly this is rather challenging if the boundaries between addressing
schemes are arbitrary and becomes somewhat simpler in a uniform addressing
model.
But the real Internet is not like that. It is a network of networks and
crossing the boundary between a private network and the interconnect space
between the networks has consequences.
One of those consequences is that addresses can change at the
private/interconnect border. Another consequence is that crossing that
boundary should have security consequences.
Opening up a port to receive connection requests has considerably greater
security consequence than making the request. The requester is opening a
communication channel with a single, specified entity, the responder is
opening access to any host on the Internet.
"It is much better to give than to receive"
So opening a port is an event that should be mediated by access control at
the host level and at the private/interconnect border at a minimum. In a
default-deny network there will be additional policy enforcement within the
private network.
_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
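The host-level mediation the post argues for, as an added example that is not part of the original message or of any IETF work: a listening socket whose accept() path is checked against a default-deny access policy before a single application byte is exchanged, contrasted with the requester side, which connects to one specified peer. The ListenPolicy class, its rule format and the loopback addresses and ports are constructed for illustration.

```python
# Added example, not code from the mailing-list post. Shows a responder that
# opens a port only behind a default-deny, host-level access policy, and a
# requester that connects to exactly one named peer. All rules, addresses and
# ports below are constructed for the demonstration.
import ipaddress
import socket
import threading


class ListenPolicy:
    """Default-deny access control for inbound connections to local ports.

    A rule is (action, network, port): action is "allow" or "deny", network
    is an IPv4/IPv6 network in CIDR form, port is a local port number or None
    for any port. First matching rule wins; no match yields the default verdict.
    """

    def __init__(self, rules, default="deny"):
        self.rules = [(a, ipaddress.ip_network(n), p) for a, n, p in rules]
        self.default = default

    def decide(self, peer_ip, local_port):
        peer = ipaddress.ip_address(peer_ip)
        for action, network, port in self.rules:
            # 'in' is False for mismatched address families, so v4 rules
            # never match v6 peers and vice versa.
            if peer in network and port in (None, local_port):
                return action
        return self.default


def accept_mediated(listener, policy):
    """Accept one connection and apply the policy before any application I/O.

    Returns the verdict. A denied peer is closed without being read from or
    written to, so the listener exposes no protocol surface to it.
    """
    conn, addr = listener.accept()
    peer_ip = addr[0]
    local_port = conn.getsockname()[1]
    with conn:
        verdict = policy.decide(peer_ip, local_port)
        if verdict == "allow":
            conn.sendall(b"HELLO\n")
    return verdict


def demo(policy):
    """Open an ephemeral loopback port under the policy, connect to it from a
    requester, and return (verdict seen by the responder, bytes the requester got).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # constructed: loopback, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def responder():
        result["verdict"] = accept_mediated(listener, policy)

    t = threading.Thread(target=responder)
    t.start()
    # The requester side: one channel to one specified endpoint.
    with socket.create_connection(("127.0.0.1", port)) as client:
        reply = client.recv(64)  # b"" when the responder closed without sending
    t.join()
    listener.close()
    return result["verdict"], reply


if __name__ == "__main__":
    allow_loopback = ListenPolicy([("allow", "127.0.0.0/8", None)])
    print("allow policy:", demo(allow_loopback))
    print("empty (default deny) policy:", demo(ListenPolicy([])))
```

The point the demo makes is the asymmetry in the post: the requester's create_connection names a single peer, while the responder's listen() would admit anyone unless accept() is wrapped in policy, and with an empty rule set the verdict is deny and the requester reads EOF rather than a greeting. In production this check belongs in the host firewall and the border device as well, not only in application code.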