Re: There are no NAT boxes on the Internet and never have been.

On Tue, Jan 27, 2015 at 3:24 PM, Måns Nilsson <mansaxel@xxxxxxxxxxxxxxxx> wrote:
> Subject: There are no NAT boxes on the Internet and never have been.
> Date: Tue, Jan 27, 2015 at 12:40:19PM -0500
> Quoting Phillip Hallam-Baker (phill@xxxxxxxxxxxxxxx):
>> Since my paper was rejected, I did not attend the middlebox workshop.
>
> <snip>
>
>> It does not hold for an inter-network because the definition of an
>> Internetwork is that there is no central control point. Which in turn means
>> that we can't implement certain security functions in the Internet (though
>> there are some functions such as traffic analysis defense that can only be
>> implemented there).
>
> Your definition of The Inter-Network does not look to me as "no central
> control point" but more in the direction of "The network where there
> are no middleboxes" which is IMNSHO less satisfactory. Not to mention
> an exercise in circulus in probando in the light of the present
> discussion.

The Inter-network is the network of networks. Einar Stefferud used to give a very good talk explaining the difference between an Inter-network and a network.

Running IP end to end does not necessarily mean running Internet end to end. The point is that the INTERNET Engineering Task Force is recognized as the authoritative body for setting standards for the inter-network but the decision maker at the network level is the owner of each network.

A random IETF participant with an opinion and a keyboard does not get to tell me how to run my damn network. He is not even entitled to an opinion on the matter.

I am certainly not arguing for reducing the scope of the IETF to the areas where it is authoritative. But I think people from the routing layer need to understand that what we do at the applications layer is better understood as suggestions rather than as laws, and our approach as persuasion rather than command.


> I do, however, agree that for the IP-network overseer there exists a
> right to manage traffic by regulating it but that right should be as
> delegated as possible and flexible if at all possible.

Why is delegation a good thing? Why is flexibility a good thing?

What I want as a network user is for my applications to work with as little hassle as possible. And for that I find consistency and a single control point much easier than having to work out which of the multiple veto points is stopping something from happening.

Yesterday I had to remove and reinstall Apache on the Linux box because it would not start, thinking it didn't have the right permissions. The permissions in question being split between O/S permissions and application level permissions, and the software gives no information saying which is blocking.

Windows is even worse for this. Trying to get apps to run under IIS requires three separate sets of permissions to be set and they don't even tell you about one of them. It is a hidden O/S feature that you have to discover by poking about on programming forums.


The problem with middleboxes is that they distribute control across a network and make the transport of packets non-deterministic. Middleboxes will make arbitrary and often brain dead modifications to packets in an attempt to achieve control.

There are two aspects of an access control infrastructure, the policy decision point and the policy enforcement point. In the current middlebox model every middlebox does both and that makes network management hard. In a default-deny network, no packet transits without express authority. So middleboxen need to perform policy enforcement. But the only way to make such a configuration practical is to coordinate policy distribution.
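An added illustration of the policy decision point / policy enforcement point split argued for above (example code written for this archive page, not from either poster). It models a default-deny path of three middleboxes, once with each box deciding its own policy and once with a single PDP pushing one allow set to all of them; the names, addresses and flows are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """A 3-tuple is enough to identify a flow for this model."""
    src: str
    dst: str
    dport: int


@dataclass
class EnforcementPoint:
    """A middlebox that only enforces: default-deny unless the flow is allowed."""
    name: str
    allowed: frozenset = frozenset()

    def permits(self, flow: Flow) -> bool:
        return flow in self.allowed


@dataclass
class PolicyDecisionPoint:
    """The single control point: decides once, then distributes to every PEP."""
    allowed: set = field(default_factory=set)

    def distribute(self, peps: list) -> None:
        for pep in peps:
            pep.allowed = frozenset(self.allowed)


def transit(flow: Flow, path: list):
    """Walk the flow hop by hop; return (delivered, name of the hop that vetoed it)."""
    for pep in path:
        if not pep.permits(flow):
            return False, pep.name
    return True, None


# Constructed sample flows (RFC 5737 documentation address for the server).
WEB = Flow("10.0.0.5", "192.0.2.10", 443)
SSH = Flow("10.0.0.5", "192.0.2.10", 22)


def uncoordinated_path() -> list:
    """Every box is its own decision point; the allow lists were written separately."""
    return [
        EnforcementPoint("edge-nat", frozenset({WEB, SSH})),
        EnforcementPoint("core-fw", frozenset({WEB})),  # nobody told this one about SSH
        EnforcementPoint("host-fw", frozenset({WEB, SSH})),
    ]


def coordinated_path() -> list:
    """Same three boxes, but one PDP decides and pushes the identical policy to all."""
    path = [EnforcementPoint(n) for n in ("edge-nat", "core-fw", "host-fw")]
    PolicyDecisionPoint({WEB, SSH}).distribute(path)
    return path
```

With the uncoordinated path the SSH flow is silently vetoed at `core-fw` while the user sees only a hang; with the coordinated path the outcome is the same at every hop, so a denied flow is denied everywhere and an allowed one is allowed everywhere.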
