[e2e] using p2p overlays to overcome recursive NATs/realms

David P. Reed dpreed at reed.com
Sat Feb 9 11:17:16 PST 2002


At 09:37 AM 2/9/2002 -0500, Melinda Shore wrote:
>At 09:33 PM 2/8/02 -0500, David P. Reed wrote:
> >Oh, I do indeed understand.  However, I think it is pretty clear that 
> >ISPs have no interest in deploying v6.  A fair number of them would love 
> >to stay in v4 because the lack of addresses creates a steep entry barrier 
> >for competitors.
>
>But it's just not ISPs and it's not just competitive concerns.
>One thing that's very much at issue is the ability of operators
>*and* enterprises to be able to distinguish between what's theirs
>and what's not theirs in order to be able to apply policy.

This is an interesting point.  However, you are making two assumptions 
implicitly here that need to be examined, rather than just asserted.

First, there is indeed a question of "what's theirs".  But "theirs" only 
opens the policy question of "property rights" which is neither obviously 
relevant to communications systems, nor well defined in that context.  This 
is an issue that is hardly settled.  I won't press my particular views 
here, but by presuming it is settled, you merely transfer the problem from 
one domain to another that is hardly prepared to deal with the issue.

Second, there is a huge architectural question hiding here - i.e. the 
end-to-end argument.  Where should a particular policy be 
implemented?  It's not obvious that the Internet can be successful in its 
architecture if every box is to be an instrument of policy.  One can try to 
make a router block pornography, for example.  But it's hardly the best 
architectural solution, no matter who "owns" the router - basically, it 
doesn't work.  A clearer example is the widely believed idea that a NAT 
box can act as a security device (a firewall).  It's quite evident that all 
a NAT box can do in regard to security is push attackers from one mode of 
attack to another, and that firewalls introduce barriers to better 
solutions (for example, end-to-end encryption is quite hard to do when the 
packets are being modified in unpredictable ways in the middle).

>Right
>now the tools for doing that are extremely crude, where they exist
>at all.  In many cases NATs are being used to effect policy domain
>separation, and unfortunately that kind of use seems to be on
>the rise.  An overlay network that's insensitive to that issue isn't
>going to be helpful to them, but an overlay network that is sensitive
>to that issue is going to reintroduce the sorts of problems that
>we're seeing now with firewalls and NATs.

Fans of NATs seem to think they achieve policy domain separation.  I would 
argue they don't succeed in doing so, but instead create policy 
entanglements that are all cost and minimal benefit.  E.g. I have a NAT box 
here with 11 computers behind it.  There are quite a few things that the 
users of those computers cannot participate in on the Internet.  But 
there's darn little benefit in security or policy independence 
today.  Maybe the dream-NATs of the future will correct these problems by 
adding epicycles of complexity, and there will finally be some benefits 
beyond the limited address space extension that 99.99% of the customers buy 
them for.


>I'm not at all convinced that it's fruitful to frame the question
>as being how to repair the damage done by NATs, but rather whether
>or not there's an IP-appropriate way to deal with the issue of how
>to apply policy (particularly access policy) at the boundaries between
>networks.

In light of the above comments, the end-to-end argument would place the 
burden squarely upon you.  You must first prove that the "boundaries 
between networks" are the best or correct places to apply policies.  The 
Internet was designed on a different set of principles about where policies 
would be applied.  And the Internet has been quite successful in evolving 
and adapting to solve new questions.  Nearly all such policies can be 
implemented without getting in between networks, and when getting in 
between networks is necessary, the Internet philosophy of minimizing the 
amount of mechanism introduced, and preserving maximum flexibility for 
unknown future needs, has always turned out to be a good decision.


>Melinda
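[Editor's added example, not part of the post above or its author's work: a toy model of the header-rewriting point made in the message. The addresses, ports, shared key and two-line "NAT" are all constructed assumptions; no real stack is involved. It shows which end-to-end integrity check survives a NAT (one whose scope excludes the addressing fields) and which does not (one that covers the header, as IPsec AH-style checks do), and why an application that names its own address inside the payload, as FTP and SIP do, ends up inconsistent with what the peer sees in the header.]

```python
"""Toy model: a NAT rewrites a datagram's source address/port; what happens to
two end-to-end integrity checks and to an address carried in the payload.
Constructed example; addresses, ports and key are made up, and the NAT is a
one-line simulation (it does not even fix up a transport checksum)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

# Assumption: the two end hosts already share this key (constructed value).
E2E_KEY = b"constructed-pre-shared-key"


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def header_bytes(d: Datagram) -> bytes:
    """Serialize the addressing fields exactly as the receiver will see them."""
    return struct.pack(
        "!4sH4sH",
        ipaddress.IPv4Address(d.src_ip).packed, d.src_port,
        ipaddress.IPv4Address(d.dst_ip).packed, d.dst_port,
    )


def tag_header_and_payload(d: Datagram) -> bytes:
    """Integrity tag whose scope includes addresses and ports (AH-style:
    the header is part of the authenticated data)."""
    return hmac.new(E2E_KEY, header_bytes(d) + d.payload, hashlib.sha256).digest()


def tag_payload_only(d: Datagram) -> bytes:
    """Integrity tag that deliberately leaves the addressing fields out, so a
    middlebox rewriting them cannot invalidate it."""
    return hmac.new(E2E_KEY, d.payload, hashlib.sha256).digest()


def nat_outbound(d: Datagram, public_ip: str, public_port: int) -> Datagram:
    """Simulated NAT: replace the private source address/port with the public
    mapping. It does not look inside the payload (no ALG)."""
    return replace(d, src_ip=public_ip, src_port=public_port)


def payload_claims_source(d: Datagram) -> bool:
    """Does the address the application wrote into its own payload
    (constructed 'CALLBACK ip:port' line) match the header the peer sees?"""
    _, _, addr = d.payload.decode().partition("CALLBACK ")
    ip, _, port = addr.partition(":")
    return (ip, int(port)) == (d.src_ip, d.src_port)


def run_through_nat() -> dict:
    """Send one datagram from a private host through the NAT and report what
    the receiver can still verify about it."""
    sent = Datagram("192.168.1.7", 40000, "203.0.113.9", 443,
                    b"CALLBACK 192.168.1.7:40000")
    hdr_tag = tag_header_and_payload(sent)   # computed by the sender
    pl_tag = tag_payload_only(sent)          # computed by the sender
    arrived = nat_outbound(sent, "198.51.100.4", 61234)
    return {
        # Receiver recomputes each tag over the datagram as it actually arrived.
        "header_covered_tag_ok": hmac.compare_digest(tag_header_and_payload(arrived), hdr_tag),
        "payload_only_tag_ok": hmac.compare_digest(tag_payload_only(arrived), pl_tag),
        "payload_address_matches_header_before_nat": payload_claims_source(sent),
        "payload_address_matches_header_after_nat": payload_claims_source(arrived),
        "source_seen_by_receiver": (arrived.src_ip, arrived.src_port),
    }


if __name__ == "__main__":
    for name, value in run_through_nat().items():
        print(f"{name}: {value}")
```

The header-covered tag fails only because the NAT changed bytes that the sender authenticated; the payload-only tag passes but then says nothing about who the packet is from, which is the trade the message alludes to. The mismatched callback address is the case a NAT can only "fix" by also rewriting application payloads, i.e. by understanding every protocol that carries addresses.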




More information about the end2end-interest mailing list