[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
On saving end-to-end transparency (was: Re: I-D.ietf-v6ops-cpe-simple-security-09)
- To: IPv6 v6ops <firstname.lastname@example.org>
- Subject: On saving end-to-end transparency (was: Re: I-D.ietf-v6ops-cpe-simple-security-09)
- From: Mark Townsley <email@example.com>
- Date: Mon, 22 Mar 2010 16:25:27 +0100
- User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:184.108.40.206) Gecko/20100227 Thunderbird/3.0.3
I wish I could be in two places at once. This email will have to suffice.
A final plea before the IETF meeting slots begin.
I think that most of us on this list would agree with, at the very
least, the ideal of end-to-end transparency with IP. Many of us are also
realists; Realists that lived through the era of the IETF saying no to
IPv4 NAT. Some of us may worry that we are part of a minority that will
be overwhelmed by market forces demanding an IPv6 firewall function,
even if we would rather not see them widely deployed.
Never fear, the market force behind an IPv6 firewall is no where near
that of the IPv4 NAT. The benefit simply isn't anywhere near as tangible
for the average user. The real sales pitch for IPv4 NAT was letting your
home have multiple internet-connected PCs for the price of one. This
benefit was pitted against end-to-end transparency, and the advantages
of the NAT won. It is still unclear to me whether the purported
advantages of an IPv6 firewall would outweigh the costs in terms of
complexity and transparency, even by the mass residential market. I say
this partly because of all of the comments saying that vendors, SDOs,
and SPs are looking to the IETF on what to do here. This is an
indication that the market has not yet spoken on this, otherwise no one
would really care what recommendation we made.
It has been a long road, but it is too early to lose our ideals entirely
here. Let's not publish a document that recommends, by default, breaking
end-to-end transparency. If the market proves us wrong, know that we are
not making the same fatal mistake as we did with IPv4 NAT as we are
still defining how to create an IPv6 firewall if one so chooses.
Given that the current largest residential IPv6 deployment has no
firewall in its CPE, and I have heard others say (on this list and
elsewhere) that they would much rather not have to develop, deploy, and
manage a firewalled connection, we have a real chance here to let the
IPv6 Internet grow up without this additional complexity. I could be
completely wrong, and the firewalls may certainly go ahead and ship on
by default anyway. If so, what will we have lost? Nothing really, as the
functionality of the firewall will still be there to be implemented
against in a relatively consistent manner. However, at least it will not
have been the IETF that shot its own principles down in the process.
Let's err on the side of our ideals here. Publish
draft-ietf-v6ops-cpe-simple-security, but do so without default-deny
rules on by default. Let's not break end-to-end IPv6 before it even has
a chance to grow up.
Thanks for reading this far, and have a good IETF meeting this week. See
you on Jabber when I can.