James,

On 2009-03-21 10:01, james woodyatt wrote:
...
> RFC 4864 also recommends that unmanaged residential networks have
> gateways that enforce such policies by default in the absence of
> explicit user intervention to turn it off. That's not the only
> documentation of IETF consensus on the subject, but it's the one that
> burns for me.

As an author of all of RFC2775, 3234 and 4864, I guess I have to react to this. Steve Bellovin made a brave attempt in his original distributed firewalls paper to push back the tide, but it failed. There is, as far as I can see, no realistic future without corporate and domestic firewalls. A few of them may be stateless, but not many. Whatever the IETF may think or feel, corporate IT has decided. RFC4864 simply recognised this reality.

> It's been years since I was pilloried [NB: not in IETF] for suggesting
> that the recommendation of residential firewalls by default in RFC 4864
> should be reconsidered before the draft's final publication. Not very
> many IETF participants came to my defense, much to my surprise and
> dismay. (Itojun was among the few who honored me with support, and I
> miss him sorely now.)
>
> I think the consensus is clear: IETF and IAB have capitulated on
> end-to-end reachability, and the conflict is over now. The end-to-end
> action is all about addressability today.

Yes, it's certainly the case that intentional non-reachability is now a feature of the Internet, and not one designed by the IETF. But the most unpleasant contortions seem to me not to be around this point, but around the failure of address referrals caused by NAT (and in the future, by non-commutative connectivity in a mixed set of v4/v6 peers).

> Soon, after NAT66 is approved for the standards track by IESG, despite
> the "strong recommendations" from the IAB in this draft, end-to-end
> addressability in IPv6 will be the result of explicit coordination
> between address realm operators rather than a reasonable expectation of
> the public Internet in general. Just as it is today with IPv4.
> End-to-end in IPv6 will be a fleeting memory of what could have been.

If you mean that corporate intranets will want to be isolated from e2e routing, I'm sure that's inevitable. But that does not, thanks to IPv6 multi-prefix addressing, nullify global addressing in the way that RFC1918 did. I'm sure that as time goes on, a new generation of corporate IT managers will come to deploy IPv6 using the IPv6 model, instead of just blindly copying the IPv4 model. Give it time.

> I've seen the argument frequently advanced that the success of the
> Internet no longer depends on the end-to-end principle. The continuing
> success of the Internet despite the ubiquitous deployment of IPv4/NAT is
> often cited as the proof of it.

Maybe, but that's due to a misunderstanding of what the e2e principle actually is. The thread that includes http://www.ietf.org/mail-archive/web/int-area/current/msg01910.html applies.

> I've yet to see anyone meet with
> success trying to rebut that argument before audiences who cannot
> imagine and/or do not care what future applications might be made
> practical only if end-to-end addressability were to be considered a
> feature of the Internet rather than an error.

Yes, that is a subtle argument to make, but it clearly involves showing how solutions like Skype and BitTorrent bend over backwards to implement the e2e principle on a network that has lost e2e transparency. Which takes us, I think, way outside the scope of *this* list.

CU in SF.

   Brian

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
