Re: On saving end-to-end transparency (was: Re: I-D.ietf-v6ops-cpe-simple-security-09)
- To: Mark Townsley <townsley@cisco.com>
- Subject: Re: On saving end-to-end transparency (was: Re: I-D.ietf-v6ops-cpe-simple-security-09)
- From: Cameron Byrne <cb.list6@gmail.com>
- Date: Mon, 22 Mar 2010 09:25:06 -0700
- Cc: IPv6 v6ops <v6ops@ops.ietf.org>
- In-reply-to: <4BA78BE7.6010005@cisco.com>
- References: <4BA78BE7.6010005@cisco.com>
On Mon, Mar 22, 2010 at 8:25 AM, Mark Townsley <townsley@cisco.com> wrote:
>
> All,
>
> I wish I could be in two places at once. This email will have to suffice.
>
> A final plea before the IETF meeting slots begin.
>
> I think that most of us on this list would agree with, at the very least,
> the ideal of end-to-end transparency with IP. Many of us are also realists;
> realists who lived through the era of the IETF saying no to IPv4 NAT. Some
> of us may worry that we are part of a minority that will be overwhelmed by
> market forces demanding an IPv6 firewall function, even if we would rather
> not see them widely deployed.
>
> Never fear, the market force behind an IPv6 firewall is nowhere near that
> of the IPv4 NAT. The benefit simply isn't anywhere near as tangible for the
> average user. The real sales pitch for IPv4 NAT was letting your home have
> multiple internet-connected PCs for the price of one. This benefit was
> pitted against end-to-end transparency, and the advantages of the NAT won.
> It is still unclear to me whether the purported advantages of an IPv6
> firewall would outweigh the costs in terms of complexity and transparency,
> even by the mass residential market. I say this partly because of all of the
> comments saying that vendors, SDOs, and SPs are looking to the IETF on what
> to do here. This is an indication that the market has not yet spoken on
> this, otherwise no one would really care what recommendation we made.
>
> It has been a long road, but it is too early to lose our ideals entirely
> here. Let's not publish a document that recommends, by default, breaking
> end-to-end transparency. If the market proves us wrong, know that we are not
> making the same fatal mistake as we did with IPv4 NAT as we are still
> defining how to create an IPv6 firewall if one so chooses.
>
> Given that the current largest residential IPv6 deployment has no firewall
> in its CPE, and I have heard others say (on this list and elsewhere) that
> they would much rather not have to develop, deploy, and manage a firewalled
> connection, we have a real chance here to let the IPv6 Internet grow up
> without this additional complexity. I could be completely wrong, and the
> firewalls may certainly go ahead and ship on by default anyway. If so, what
> will we have lost? Nothing really, as the functionality of the firewall will
> still be there to be implemented against in a relatively consistent manner.
> However, at least it will not have been the IETF that shot its own
> principles down in the process.
>
> Let's err on the side of our ideals here. Publish
> draft-ietf-v6ops-cpe-simple-security, but do so without default-deny rules
> on by default. Let's not break end-to-end IPv6 before it even has a chance
> to grow up.
+1. Host OSs have matured a lot in the last 10 years; we don't need
appliances to protect / handicap them. E2E says put the intelligence
in the host, not the network / CPE.
Cameron
>
> Thanks for reading this far, and have a good IETF meeting this week. See you
> on Jabber when I can.
>
> - Mark
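The two CPE defaults the thread argues over, default-deny stateful inbound filtering versus forwarding everything, as an added toy model. This is example code written for this page; it is not code from draft-ietf-v6ops-cpe-simple-security, from Mark or from Cameron. The addresses are constructed from the documentation prefix, the `SimpleCpeFilter`, `Packet` and `run_scenario` names are the example's own, and the set of ICMPv6 types forwarded regardless of state is an assumption modelled loosely on RFC 4890, not the draft's list. It runs offline and shows what each default does to a reply, to an unsolicited inbound connection (the end-to-end case) and to a Packet Too Big message.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed addresses for the example (documentation prefix, RFC 3849).
LAN_HOST = "2001:db8:1::10"
REMOTE = "2001:db8:2::1"
PATH_ROUTER = "2001:db8:ffff::1"

# ICMPv6 types the filter forwards regardless of connection state:
# destination unreachable (1), packet too big (2), time exceeded (3),
# parameter problem (4), echo request (128), echo reply (129).
# Assumption of this example, loosely following RFC 4890; not the draft's list.
ICMPV6_ALWAYS_ALLOWED = {1, 2, 3, 4, 128, 129}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    inbound: bool = True  # True: arrives on the WAN side, destined for the LAN


@dataclass
class SimpleCpeFilter:
    # transparent=False models a default-deny inbound CPE;
    # transparent=True models the forward-everything default argued for above.
    transparent: bool = False
    flows: Set[Tuple] = field(default_factory=set)
    pinholes: Set[Tuple[str, str, int]] = field(default_factory=set)

    @staticmethod
    def _lan_view(p: Packet) -> Tuple:
        # 5-tuple normalised to (lan addr, remote addr, proto, lan port, remote port)
        if p.inbound:
            return (p.dst, p.src, p.proto, p.dport, p.sport)
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    def allow_inbound(self, lan_addr: str, proto: str, port: int) -> None:
        # Static pinhole: the per-service configuration a default-deny CPE
        # needs before a LAN host can accept unsolicited connections.
        self.pinholes.add((lan_addr, proto, port))

    def process(self, p: Packet) -> str:
        if not p.inbound:
            # LAN-originated traffic is always forwarded; remember the flow so
            # the reply is recognised when it comes back in.
            self.flows.add(self._lan_view(p))
            return "forward"
        if self.transparent:
            return "forward"
        if p.proto == "icmpv6" and p.icmp_type in ICMPV6_ALWAYS_ALLOWED:
            return "forward"
        if self._lan_view(p) in self.flows:
            return "forward"
        if (p.dst, p.proto, p.dport) in self.pinholes:
            return "forward"
        return "drop"


def run_scenario(transparent: bool, pinhole_ssh: bool = False) -> Dict[str, str]:
    fw = SimpleCpeFilter(transparent=transparent)
    if pinhole_ssh:
        fw.allow_inbound(LAN_HOST, "tcp", 22)
    # 1. LAN host opens an HTTPS connection; the reply must get back in either mode.
    fw.process(Packet(LAN_HOST, REMOTE, "tcp", 40000, 443, inbound=False))
    reply = fw.process(Packet(REMOTE, LAN_HOST, "tcp", 443, 40000))
    # 2. Unsolicited inbound SYN to sshd on the LAN host: the end-to-end case.
    unsolicited = fw.process(Packet(REMOTE, LAN_HOST, "tcp", 50000, 22))
    # 3. Packet Too Big from a router on the path; dropping it breaks PMTUD.
    ptb = fw.process(Packet(PATH_ROUTER, LAN_HOST, "icmpv6", icmp_type=2))
    return {"reply": reply, "unsolicited": unsolicited, "ptb": ptb}


if __name__ == "__main__":
    print("default-deny :", run_scenario(transparent=False))
    print("with pinhole :", run_scenario(transparent=False, pinhole_ssh=True))
    print("transparent  :", run_scenario(transparent=True))
```

In default-deny mode the reply and the Packet Too Big message get through but the unsolicited connection is dropped until someone configures a pinhole for that host and port; in transparent mode all three are forwarded and the decision moves to the host's own filter. The pinhole step is the per-service configuration cost the thread refers to as complexity.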