[e2e] Fw: IAB Draft on the End to End Principle

Craig Partridge craig at aland.bbn.com
Wed May 21 10:09:34 PDT 2003


I wish I had time to read in more detail but I had a few comments.

First, I think 3.1 is wrong.  I don't believe the end-to-end argument
implies that end nodes implicitly trust each other -- I believe it says
that the obligation about whether to trust is ultimately up to the
end applications.  And, indeed, I'd say that's arguably right. PGP is
built on precisely that assumption.  And various certificate-based
systems have that assumption embedded too (in the sense that endpoints
determine which certificate authorities they are willing to believe).

I'm not denying there's an issue hiding here, but I think it is a subtler
one -- namely that as infrastructure ossifies (e.g., the "we can't change TCP"
problem) it remains vulnerable to people developing new attacks (cf.
the neat new TCP attack to be presented at SIGCOMM in August) and yet
interoperability requirements make it hard to respond to those attacks.

I can't map that problem into a statement about the E2E model (as the
same ossification happens at NAT boxes as it does at the end systems.
The difference is simply that one intermediate box may shield N end systems --
but at a cost of a new ossification point).

Craig



