
Re: There are no NAT boxes on the Internet and never have been.

2015-01-28 09:03:08
On Tue, Jan 27, 2015 at 3:24 PM, Måns Nilsson 
<mansaxel(_at_)besserwisser(_dot_)org>
wrote:

> Subject: There are no NAT boxes on the Internet and never have been.
> Date: Tue, Jan 27, 2015 at 12:40:19PM -0500
> Quoting Phillip Hallam-Baker (phill(_at_)hallambaker(_dot_)com):
> > Since my paper was rejected, I did not attend the middlebox workshop.
>
> <snip>
>
> > It does not hold for an inter-network because the definition of an
> > Internetwork is that there is no central control point. Which in turn
> > means that we can't implement certain security functions in the Internet
> > (though there are some functions such as traffic analysis defense that
> > can only be implemented there).
>
> Your definition of The Inter-Network does not look to me as "no central
> control point" but more in the direction of "The network where there
> are no middleboxes" which is IMNSHO less satisfactory. Not to mention
> an exercise in circulus in probando in the light of the present
> discussion.


The Inter-network is the network of networks. Einar Stefferud used to give
a very good talk explaining the difference between an Inter-network and a
network.

Running IP end to end does not necessarily mean running Internet end to
end. The point is that the INTERNET Engineering Task Force is recognized as
the authoritative body for setting standards for the inter-network but the
decision maker at the network level is the owner of each network.

A random IETF participant with an opinion and a keyboard does not get to
tell me how to run my damn network. He is not even entitled to an opinion
on the matter.

I am certainly not arguing for reducing the scope of the IETF to the areas
where it is authoritative. But I think people from the routing layer need
to understand that what we do at the applications layer is better
understood as suggestions rather than making laws, and our approach as being
persuasion rather than command.


> I do, however, agree that for the IP-network overseer there exists a
> right to manage traffic by regulating it but that right should be as
> delegated as possible and flexible if at all possible.


Why is delegation a good thing? Why is flexibility a good thing?

What I want as a network user is for my applications to work with as little
hassle as possible. And for that I find consistency and a single control
point much easier than having to work out which of the multiple veto points
is stopping something from happening.

Yesterday I had to remove and reinstall Apache on the linux box because it
would not start thinking it didn't have the right permissions. The
permissions in question being split between O/S permissions and application
level permissions and the software gives no information saying which is
blocking.

Windows is even worse for this. Trying to get apps to run under IIS
requires three separate sets of permissions to be set and they don't even
tell you about one of them. It is a hidden O/S feature that you have to
discover by poking about on programming forums.


The problem with middleboxes is that they distribute control across a
network and make the transport of packets non-deterministic. Middleboxes
will make arbitrary and often brain-dead modifications to packets in an
attempt to achieve control.

There are two aspects of an access control infrastructure, the policy
decision point and the policy enforcement point. In the current middlebox
model every middlebox does both and that makes network management hard. In
a default-deny network, no packet transits without express authority. So
middleboxen need to perform policy enforcement. But the only way to make
such a configuration practical is to coordinate policy distribution.
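The policy decision point / policy enforcement point split described in the last paragraph, as an added example that is not part of this thread or of any code its participants posted. One PDP owns an ordered, default-deny rule set and publishes a versioned snapshot; every PEP on the path enforces that same snapshot and reports the matching rule, so a blocked flow is traced to one policy rather than to whichever independently configured box vetoed it. It also shows what goes wrong when distribution is not coordinated (a PEP that missed an update) and a version check that catches it. All rule names, addresses and flows are constructed for illustration.

```python
"""PDP/PEP model for a default-deny network (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules: Tuple[Rule, ...], f: Flow) -> Tuple[bool, str]:
    """First matching rule wins; no match is (False, "default-deny")."""
    for r in rules:
        if r.matches(f):
            return (r.action == "allow", r.name)
    return (False, "default-deny")


class PolicyDecisionPoint:
    """Single source of truth for the network's policy."""
    def __init__(self, rules: List[Rule]):
        self.rules = tuple(rules)
        self.version = 0

    def decide(self, f: Flow) -> Tuple[bool, str]:
        return evaluate(self.rules, f)

    def publish(self) -> Tuple[int, Tuple[Rule, ...]]:
        """Bump the policy version and hand out a snapshot for the PEPs."""
        self.version += 1
        return (self.version, self.rules)


class PolicyEnforcementPoint:
    """A middlebox that only enforces; it never decides policy on its own."""
    def __init__(self, name: str):
        self.name = name
        self.version = 0
        self.rules: Tuple[Rule, ...] = ()

    def load(self, published: Tuple[int, Tuple[Rule, ...]]) -> None:
        self.version, self.rules = published

    def enforce(self, f: Flow) -> Tuple[bool, str]:
        return evaluate(self.rules, f)   # same evaluation as the PDP


def transit(path: List[PolicyEnforcementPoint], f: Flow):
    """Walk a flow through each PEP; return (delivered, blocking_pep, rule)."""
    for pep in path:
        allowed, rule = pep.enforce(f)
        if not allowed:
            return (False, pep.name, rule)
    return (True, None, None)


def stale_peps(pdp: PolicyDecisionPoint, peps) -> List[str]:
    """Post-distribution check: which PEPs still run an old policy version?"""
    return [p.name for p in peps if p.version != pdp.version]


# Constructed policy and flows (hypothetical addresses).
RULES = [
    Rule("allow-web", "allow", dst="10.0.0.0/24", proto="tcp", dport=443),
    Rule("allow-dns", "allow", dst="10.0.0.53/32", proto="udp", dport=53),
    Rule("deny-telnet", "deny", proto="tcp", dport=23),
]
WEB = Flow("192.0.2.10", "10.0.0.7", "tcp", 443)
SSH = Flow("192.0.2.10", "10.0.0.7", "tcp", 22)
TELNET = Flow("192.0.2.10", "10.0.0.7", "tcp", 23)


def coordinated_path():
    """One PDP, two PEPs, same published policy: one answer and one reason."""
    pdp = PolicyDecisionPoint(RULES)
    edge, core = PolicyEnforcementPoint("edge"), PolicyEnforcementPoint("core")
    published = pdp.publish()
    edge.load(published)
    core.load(published)
    return {
        "decision": pdp.decide(WEB),
        "web": transit([edge, core], WEB),
        "ssh": transit([edge, core], SSH),
        "telnet": transit([edge, core], TELNET),
        "stale": stale_peps(pdp, [edge, core]),
    }


def independent_path():
    """Today's model: each box is its own PDP; only a path walk finds the veto."""
    edge, core = PolicyEnforcementPoint("edge"), PolicyEnforcementPoint("core")
    edge.load((1, (Rule("edge-allow-tcp", "allow", proto="tcp"),)))
    core.load((1, (Rule("core-allow-web", "allow", proto="tcp", dport=443),)))
    return transit([edge, core], SSH)


def drift_after_republish():
    """Uncoordinated distribution: core misses an update and vetoes SSH again."""
    pdp = PolicyDecisionPoint(RULES)
    edge, core = PolicyEnforcementPoint("edge"), PolicyEnforcementPoint("core")
    first = pdp.publish()
    edge.load(first)
    core.load(first)
    pdp.rules += (Rule("allow-ssh", "allow", dst="10.0.0.0/24", proto="tcp", dport=22),)
    edge.load(pdp.publish())   # core never receives version 2
    return stale_peps(pdp, [edge, core]), transit([edge, core], SSH)
```

The version check in stale_peps is the practical point: in a default-deny network a PEP running an old snapshot silently becomes an extra veto point, and without a single policy version to compare against, the only way to find it is the path walk that transit performs.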