
On saving end-to-end transparency (was: Re: I-D.ietf-v6ops-cpe-simple-security-09)




All,

I wish I could be in two places at once. This email will have to suffice.

A final plea before the IETF meeting slots begin.

I think that most of us on this list would agree with, at the very least, the ideal of end-to-end transparency with IP. Many of us are also realists; realists that lived through the era of the IETF saying no to IPv4 NAT. Some of us may worry that we are part of a minority that will be overwhelmed by market forces demanding an IPv6 firewall function, even if we would rather not see them widely deployed.

Never fear, the market force behind an IPv6 firewall is nowhere near that of the IPv4 NAT. The benefit simply isn't anywhere near as tangible for the average user. The real sales pitch for IPv4 NAT was letting your home have multiple Internet-connected PCs for the price of one. This benefit was pitted against end-to-end transparency, and the advantages of the NAT won. It is still unclear to me whether the purported advantages of an IPv6 firewall would outweigh the costs in terms of complexity and transparency, even for the mass residential market. I say this partly because of all of the comments saying that vendors, SDOs, and SPs are looking to the IETF on what to do here. This is an indication that the market has not yet spoken on this; otherwise no one would really care what recommendation we made.

It has been a long road, but it is too early to lose our ideals entirely here. Let's not publish a document that recommends, by default, breaking end-to-end transparency. If the market proves us wrong, know that we are not making the same fatal mistake as we did with IPv4 NAT as we are still defining how to create an IPv6 firewall if one so chooses.

Given that the current largest residential IPv6 deployment has no firewall in its CPE, and I have heard others say (on this list and elsewhere) that they would much rather not have to develop, deploy, and manage a firewalled connection, we have a real chance here to let the IPv6 Internet grow up without this additional complexity. I could be completely wrong, and the firewalls may certainly go ahead and ship on by default anyway. If so, what will we have lost? Nothing really, as the functionality of the firewall will still be there to be implemented against in a relatively consistent manner. However, at least it will not have been the IETF that shot its own principles down in the process.

Let's err on the side of our ideals here. Publish draft-ietf-v6ops-cpe-simple-security, but do so without default-deny rules on by default. Let's not break end-to-end IPv6 before it even has a chance to grow up.

Thanks for reading this far, and have a good IETF meeting this week. See you on Jabber when I can.

- Mark