Yes. One of the key problems with the Information Society project is that it
encourages confusion of the term "Internet" with IP-based networks in general.

Seth

On Wed, Jan 28, 2015 at 10:02 AM, Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
>
> On Tue, Jan 27, 2015 at 3:24 PM, Måns Nilsson <mansaxel@xxxxxxxxxxxxxxxx> wrote:
>>
>> Subject: There are no NAT boxes on the Internet and never have been. Date:
>> Tue, Jan 27, 2015 at 12:40:19PM -0500 Quoting Phillip Hallam-Baker
>> (phill@xxxxxxxxxxxxxxx):
>> > Since my paper was rejected, I did not attend the middlebox workshop.
>>
>> <snip>
>>
>> > It does not hold for an inter-network because the definition of an
>> > Internetwork is that there is no central control point. Which in turn means
>> > that we can't implement certain security functions in the Internet (though
>> > there are some functions such as traffic analysis defense that can only be
>> > implemented there).
>>
>> Your definition of The Inter-Network does not look to me like "no central
>> control point" but more in the direction of "The network where there
>> are no middleboxes", which is IMNSHO less satisfactory. Not to mention
>> an exercise in circulus in probando in the light of the present
>> discussion.
>
> The Inter-network is the network of networks. Einar Stefferud used to give a
> very good talk explaining the difference between an Inter-network and a
> network.
>
> Running IP end to end does not necessarily mean running Internet end to end.
> The point is that the INTERNET Engineering Task Force is recognized as the
> authoritative body for setting standards for the inter-network, but the
> decision maker at the network level is the owner of each network.
>
> A random IETF participant with an opinion and a keyboard does not get to
> tell me how to run my damn network. He is not even entitled to an opinion on
> the matter.
>
> I am certainly not arguing for reducing the scope of the IETF to the areas
> where it is authoritative. But I think people from the routing layer need to
> understand that what we do at the applications layer is better understood
> as suggestions rather than making laws, and our approach as persuasion
> rather than command.
>
>> I do, however, agree that for the IP-network overseer there exists a
>> right to manage traffic by regulating it, but that right should be as
>> delegated as possible and flexible if at all possible.
>
> Why is delegation a good thing? Why is flexibility a good thing?
>
> What I want as a network user is for my applications to work with as little
> hassle as possible. And for that I find consistency and a single control
> point much easier than having to work out which of the multiple veto points
> is stopping something from happening.
>
> Yesterday I had to remove and reinstall Apache on the Linux box because it
> would not start, thinking it didn't have the right permissions. The
> permissions in question are split between O/S permissions and application
> level permissions, and the software gives no information saying which is
> blocking.
>
> Windows is even worse for this. Trying to get apps to run under IIS requires
> three separate sets of permissions to be set, and they don't even tell you
> about one of them. It is a hidden O/S feature that you have to discover by
> poking about on programming forums.
>
> The problem with middleboxes is that they distribute control across a
> network and make the transport of packets non-deterministic. Middleboxes
> will make arbitrary and often brain-dead modifications to packets in an
> attempt to achieve control.
>
> There are two aspects of an access control infrastructure, the policy
> decision point and the policy enforcement point. In the current middlebox
> model every middlebox does both, and that makes network management hard. In a
> default-deny network, no packet transits without express authority. So
> middleboxen need to perform policy enforcement. But the only way to make
> such a configuration practical is to coordinate policy distribution.
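The policy decision point / policy enforcement point split and the default-deny path that the quoted message describes, worked through as an added example. This is not code from the thread or from any participant; the hop names, the allow-list tuples, the sample flows and the port-rewriting middlebox are all constructed for illustration. It contrasts a path where one PDP pushes the same compiled policy to every enforcement point (so the answer to "may this flow transit?" is computable centrally and every hop agrees) with a path where one box also acts as its own decision point and rewrites the packet, so a downstream hop with the correct policy drops traffic the operator's policy permits.

```python
"""Model: one policy decision point (PDP) distributing rules to default-deny
enforcement points (PEPs), versus middleboxes that decide, enforce and rewrite
on their own. Constructed example; names and policy are illustrative."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination host
    dport: int    # destination port

# A rule is (source prefix, destination host, destination port).
Rule = Tuple[str, str, int]

def rule_matches(rule: Rule, flow: Flow) -> bool:
    src_prefix, dst, dport = rule
    return flow.src.startswith(src_prefix) and flow.dst == dst and flow.dport == dport

class Hop:
    """A policy enforcement point. Default deny: a flow passes only if some
    installed rule matches. A plain PEP never alters the packet."""
    def __init__(self, name: str, rules: Optional[List[Rule]] = None):
        self.name = name
        self.rules: List[Rule] = list(rules or [])
    def permits(self, flow: Flow) -> bool:
        return any(rule_matches(r, flow) for r in self.rules)
    def transform(self, flow: Flow) -> Flow:
        return flow  # enforcement only, no modification

class PDP:
    """The single policy decision point: holds the policy, answers questions
    about it, and pushes the identical compiled rule set to every PEP."""
    def __init__(self, policy: List[Rule]):
        self.policy = list(policy)
    def decide(self, flow: Flow) -> bool:
        return any(rule_matches(r, flow) for r in self.policy)
    def distribute(self, hops: List[Hop]) -> None:
        for hop in hops:
            hop.rules = list(self.policy)

class RewritingMiddlebox(Hop):
    """A middlebox that is decision point and enforcement point at once, and
    additionally rewrites the destination port (a NAT-style modification)."""
    def __init__(self, name: str, rules: List[Rule], port_map: Dict[int, int]):
        super().__init__(name, rules)
        self.port_map = port_map
    def transform(self, flow: Flow) -> Flow:
        return Flow(flow.src, flow.dst, self.port_map.get(flow.dport, flow.dport))

def transit(path: List[Hop], flow: Flow) -> Tuple[bool, Optional[str]]:
    """Walk a flow hop by hop. Returns (delivered, name of the hop that dropped it)."""
    for hop in path:
        if not hop.permits(flow):
            return False, hop.name
        flow = hop.transform(flow)  # what the next hop will actually see
    return True, None

# Constructed operator policy: internal clients may reach the web and DNS servers.
POLICY: List[Rule] = [("10.0.", "web.example", 443), ("10.0.", "dns.example", 53)]
WEB = Flow("10.0.1.7", "web.example", 443)          # permitted by policy
SMB = Flow("10.0.1.7", "fileserver.example", 445)   # not in policy: default deny

def coordinated_path() -> List[Hop]:
    """Three PEPs, all fed by one PDP. Every hop holds the same rules."""
    hops = [Hop("edge"), Hop("core"), Hop("dc-border")]
    PDP(POLICY).distribute(hops)
    return hops

def uncoordinated_path() -> List[Hop]:
    """Same policy installed by hand on each box, but the core box also
    rewrites 443 to 8443, so the border sees a flow the policy never named."""
    return [Hop("edge", POLICY),
            RewritingMiddlebox("core", POLICY, {443: 8443}),
            Hop("dc-border", POLICY)]

if __name__ == "__main__":
    pdp = PDP(POLICY)
    for flow in (WEB, SMB):
        print("PDP says", pdp.decide(flow), "| coordinated path:", transit(coordinated_path(), flow))
    print("uncoordinated path, WEB:", transit(uncoordinated_path(), WEB))
```

On the coordinated path the PDP's answer and the path's behaviour agree for both flows, and the denied flow is stopped at the first hop, so there is one place to ask why. On the uncoordinated path the operator's policy allows the web flow and every box carries that policy, yet the border drops it, because the core box changed the packet on its way through; finding that out requires walking the path rather than consulting the policy.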