[e2e] IPV6 FIREWALLS
David P. Reed
dpreed at reed.com
Wed Jul 2 14:17:20 PDT 2003
At 10:19 AM 7/2/2003 -0400, J. Noel Chiappa wrote:
>The Internet architecture we foisted on the world had a really embryonic
>security architecture - well, actually, I'm being charitable, it didn't
>really even have that much. We didn't really have a clue what people were
>really going to need to do, much less provide any mechanisms that would allow
>them to do that.
For people who weren't around at the time, it's IMPORTANT (at least to me)
to note that some of us wanted to include a much more thorough, end-to-end
security architecture in which all data would be encrypted end-to-end, with
a full authentication infrastructure in place that would allow end systems
to know who was talking to whom.
This technology was all very well understood at the time.
We had NOTHING to do with its "non-deployment." We were ORDERED not to do
such research and innovation in the Internet project, or at least under
anything funded by ARPA.
The US has continued to pass laws that restrict end-to-end security since
then, such as CALEA.
No wonder we have firewalls whose security benefits are questionable at
best, but which prevent many useful communications very effectively.
The actual systemic corporate security achieved by firewalls is little
better than depending on WEP alone.
>So it's no surprise that, not having given them any screwdrivers, they looked
>around and picked up whatever hammers they could find, and started applying
Exactly so. A network shattered by a hammer is quite secure, because it
carries no bits.