[e2e] New approach to diffserv...

Jon Crowcroft Jon.Crowcroft at cl.cam.ac.uk
Sun Jun 16 02:30:12 PDT 2002


In message <Pine.GSO.4.40.0206151314240.24967-100000 at ra.ecse.rpi.edu>, Shivkumar Kalyanaraman typed:

 >>While I have no love lost for middle boxes, I don't understand how
 >>end-to-end approaches can provide equivalent services which may have value
 >>to enterprise customers who seem to be gobbling such boxes up...

that illustrates the biggest problem - 

I believe:
middleboxes, like many local optimisations, are lazy/easy solutions.

I assert:
end2end solutions for any given problem are harder to think of, but
much much more effective globally, and therefore "Good"
 
 >>What is the alternate approach, except resistance?
 
as the man says: e2e encryption busts most "stupid/evil" middle boxes
- there are some "stupid/stupid" middle boxes that e2e crypto helps
remove too (the "stupid/stupid v. stupid/evil" classification was made up by
Lawrence Lessig - I think on the spur of the moment at the TERENA
conference in Limerick, Ireland a week or so ago in answer to a
question of classification of middleboxen)
 
I claim: 
We need Internet responsibility as well as rights - one responsibility is also known as truth
in advertising and so forth - "middleboxes" are not capable of running "in the middle" - 
we recently got burned by firewalls on our 2.5Gbps links which were not capable of running
at more than a couple of hundred Mbps so what use were they? our uni./access links are
going up to 10Gbps - in the pipeline of products for firewall/nat/etc devices are things
that may deliver a few thousand ACLs at a couple of Gbps - sorry, but these are EDGE
devices - But they are 
a) expensive
b) cannot be deployed in all the 100baseT and GigE sites behind our 10G trunk - however, we
COULD deploy personal firewalls on the end systems - they have PLENTY of spare CPU and
most have the s/w capability - you know what the single most common
reason given for why we cannot
just use pure end system protection mechanisms is:

microsoft (and to be honest some other older system)
legacy systems for which we cannot afford the upgrade.
you know what my answer is: a responsible site security officer would believe one cannot
afford NOT to upgrade for several reasons
a) 85+% of breakins are internal anyhow
b) many end system security mechanisms also do application level security checks (e.g.
virus scans) which is a far safer thing to do on any system
c) the usual: if your firewall gives everyone a warm friendly feeling, then
they have just lost the paranoid edge required to actually maintain ANY internal system
which encourages local and e2e attacks since once past the tough skin, the soft interior is
easy prey....


as for wireless/fixed impedance mismatch, there are a few simple solutions which work e2e
 (e.g. transcoder middleboxes/proxies on the air/copper interface can be replaced by active
servers being smart about what they send by inspecting the client browser/os and other meta data )

i could go on - there are as many pure e2e solutions as one has time to imagine. they are
more interesting from a research perspective too....


let's take the "middle" out of middleboxes and
justify the end2end means.


 >>On Sat, 15 Jun 2002, David P. Reed wrote:
 >>
 >>> I suspect that the following quote/article illustrates why "middleboxes" need to be actively resisted.  It's clearly in the interest of box vendors to sell this stuff, despite its negative impact on the Internet.
 >>>
 >>> "It is clear that a classification processor programmed to perform content inspection is the key element in any next generation network processing architecture. A processor programmed to perform content inspection enables intelligent application management, facilitates the delivery of content-based services and drives content-based billing. This processor makes it possible to build networks that will be able to properly authorize, authenticate, and account for customized services by identifying individual packets and classifying them based on individual customer usage and QoS requirements."
 >>>
 >>> From: "Delivering Differentiated Services Through Deep Content Inspection"
 >>> http://www.commsdesign.com/printableArticle?doc_id=OEG20020604S0061
 >>>
 >>

 cheers

   jon