[e2e] New approach to diffserv...

Sean Doran smd at ab.use.net
Mon Jun 17 09:31:28 PDT 2002


[Bob, you are welcome to banish this over to RRG's equivalent
 of end2end-interest <irtf-rr at puck.nether.net> if it drifts
 too far into the realm of routing]

| Or consider addressing.  We know from experience with the phone
| companies that if they can treat addresses like property they will,

| It should not have been a surprise when the 
| same thing started happening with IP addresses

Unfortunately there is a terminology overload with the word "address".

Do you mean physical location?   

Do you mean topological location?

Do you mean name-of-corresponding-host?

| ... consequences of that are pretty severe
| when taken in the context of a protocol where addresses care a lot
| of semantic weight.

Unfortunately different semantics are overloaded on IP addresses.

All three of the things above are encoded into a typical IP address.
The x-IANA (ICANN-ASO now, I guess) RIRs parcel out chunks of space
based on high-level allocations that are super-continental in nature.
The RIR parcelling is in some cases done on a sub-continental
or country-based basis.  Larger providers tend to do this too
for onward assignments of smaller chunks of the RIR-granted space.
Thus, an IP address can in some sense tell you something about 
the geography of the thing with that address.

An IP address is used to identify a part of the topology --
all routers collaborate in forwarding packets with a given address,
towards a particular point in the ever-changing topology of
the Internet.

An IP address also identifies an endpoint of a conversation;
it is the identifier of the host (usually) that your host is
talking with.

This semantic overload is not merely easy to forget, easier
to confuse, and tricky to explain -- it also runs head on into
the problem that THINGS MOVE, whether it's within the network,
or whether it's a host (or a set of hosts) being picked up and
physically transported somewhere.   I know of Swedish address
space being used right now in devices physically present in
China, for example, but topologically they are effectively
closer to California than to Korea.

If the three components were separated syntactically, so that
you no longer had multiple semantics applied to the same
short set of numbers, we would be having FAR FAR FAR fewer
arguments about NAT vs the end2end model, because for the
most part NAT's primary ugliness is in coping with the
difference between location and name, and what happens
when the two cannot be identical, or even guaranteed unique
within a universal frame of reference.

| NAT that it's not fully appreciated what a serious problem NAT
| is for even modestly complex applications - there are *so* many
| ways that NAT can interfere with an application.

No, there is one and only one way that NAT can interfere
with an application in a way that an ordinary router cannot:
adjusting the "address" to fit a topological location into
a different frame of reference than the sender is in.

The problem is that "addresses" used as "host identity"
are commonly embedded into applications which will break
spectacularly when the applications decide to use the
same "address" as a topological location.   The fact
that hosts *have* to have their host identity equal
their [local] topological location is the fundamental
problem of the semantic overload.

Enter ALG, to mitigate that.  Ick!

There are several applications which embed "addresses"
used as actual topological locations and these can break spectacularly
crossing from one routing frame of reference to another (as in
RFC1918 on one side, public Internet on the other).

Yes, it's hard, but it's not NAT that makes it hard, it's
the semantic overload of the IPv4 (*and* the IPv6) IP address.

However, despite the complexity of ALGs and their tendency 
to fail, and the problems of protocols which need an ALG which
has not yet been implemented, and so on, NAT buys you several
important things, as you say:

| people put those things in their network
| to solve problems, 

Like (sub-)site renumbering and compressing multiple hosts
behind a single "address" (used in both location & name senses).

| and they aren't going to pull them out unless they're
| given some other technically credible, manageable, and affordable way
| to solve those same problems.

And IPv6 is not it, since it does not solve the first problem yet.

With the collapse this month of the network I left in January,
this is suddenly a very real problem for thousands of sites in Europe
to deal with.  It hasn't been an abstract issue since 1992, and it
is no longer as diffuse or amenable to scheduling as it was in the
days of the consolidation of smaller providers in the USA.

| Declaiming the glories of end-to-end
| transparency and telling the people who own the networks that they can 
| run more services better if they'd simply uninstall their firewall just 
| isn't going to do it. 

Correct; we need a solution that completely solves the
migration of (possibly large) sets of hosts from one 
network topology attachment point to another, and 
a unique and stable (or at least metastable) identity.

| We need more work like the Ioannidis paper on 
| distributed firewalls (without Keynote, but that's a different matter) 
| and Bob Moskowitz's HIP papers.  When all is said and done there's just 
| too much saying and not enough doing.

Agreed.  But armchair quarterbacking is easier, right?

	Sean.
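The header-versus-payload distinction drawn in the message above (NAT rewrites the topological address in the packet header, while an application that has embedded the same number as its host identity hands the peer an address that means nothing in the peer's routing frame of reference, and an ALG is what patches over the mismatch) can be made concrete with a small model. The following Python is an added example and not part of the original post or of any real NAT implementation; the CALLBACK message format, the SimpleNAT class, the hypothetical helper names and all addresses used are constructed for illustration.

```python
"""Toy model: a port-translating NAT rewrites packet headers, but an
application that embeds its own address in the payload (host identity
and topological location expressed by the same number) hands the peer
an address that is meaningless in the peer's routing frame of reference.
An ALG that also rewrites the payload is what hides that overload.
All addresses, the CALLBACK message format and the NAT itself are
constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass

# RFC1918 space: routable on the inside, not in the public Internet's frame.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_realm(host):
    """True if `host` only has meaning inside an RFC1918 routing realm."""
    return any(ipaddress.ip_address(host) in net for net in RFC1918)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class SimpleNAT:
    """Port-translating NAT (constructed). Only the IP/transport header is
    rewritten; `alg`, if given, is a hook that may rewrite the payload too."""

    def __init__(self, public_ip, alg=None):
        self.public_ip = public_ip
        self.alg = alg
        self.table = {}      # (private_ip, private_port) -> public_port
        self.reverse = {}    # public_port -> (private_ip, private_port)
        self.next_port = 40000

    def map_port(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.table[key]

    def outbound(self, pkt):
        """Inside -> outside: source becomes (public_ip, mapped port)."""
        public_port = self.map_port(pkt.src, pkt.sport)
        payload = self.alg(self, pkt.payload) if self.alg else pkt.payload
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport, payload)

    def inbound(self, pkt):
        """Outside -> inside: look up the private endpoint, None if unmapped."""
        return self.reverse.get(pkt.dport)


# Constructed application protocol: the client asks the server to open a
# connection back to it, naming its *own* address and port in the payload.
CALLBACK_RE = re.compile(r"^CALLBACK (\S+):(\d+)$")


def parse_callback(payload):
    m = CALLBACK_RE.match(payload)
    if not m:
        raise ValueError(f"not a CALLBACK message: {payload!r}")
    return m.group(1), int(m.group(2))


def callback_alg(nat, payload):
    """ALG: if the embedded address is private, replace it with the NAT's
    public address and a freshly mapped port so the callback can come in."""
    host, port = parse_callback(payload)
    if not in_private_realm(host):
        return payload
    return f"CALLBACK {nat.public_ip}:{nat.map_port(host, port)}"


def run_scenario(use_alg):
    """Client 10.0.0.5 (behind NAT 203.0.113.1) asks server 198.51.100.7
    to call back on port 5001. Returns what the server ends up targeting,
    whether that target exists in the public frame, and, if the server's
    callback reaches the NAT, which inside endpoint the NAT delivers it to."""
    nat = SimpleNAT("203.0.113.1", alg=callback_alg if use_alg else None)
    request = Packet("10.0.0.5", 5000, "198.51.100.7", 2121,
                     "CALLBACK 10.0.0.5:5001")
    as_seen_by_server = nat.outbound(request)
    target_host, target_port = parse_callback(as_seen_by_server.payload)
    reachable = not in_private_realm(target_host)
    delivered_to = None
    if reachable:  # a 10/8 target never even reaches the NAT from outside
        callback = Packet("198.51.100.7", 3000, target_host, target_port, "hi")
        delivered_to = nat.inbound(callback)
    return {
        "header_src": (as_seen_by_server.src, as_seen_by_server.sport),
        "server_target": (target_host, target_port),
        "reachable": reachable,
        "delivered_to": delivered_to,
    }


if __name__ == "__main__":
    for use_alg in (False, True):
        print("with ALG" if use_alg else "plain NAT", run_scenario(use_alg))
```

Run without the ALG, the header leaves the NAT carrying 203.0.113.1:40000 while the payload still says 10.0.0.5:5001, so the server targets an address that has no meaning in its own realm; with the ALG the payload is rewritten to 203.0.113.1:40001 and the NAT's reverse table maps the server's callback to the inside host. Every protocol that carries its own address in-band needs an ALG of this shape, which is the operational point behind the post's complaint that NAT "buys" things only at the price of per-protocol payload surgery.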
