Re: There are no NAT boxes on the Internet and never have been.
Seth Johnson <seth.p.johnson@gmail.com> Wed, 28 January 2015 18:59 UTC
From: Seth Johnson <seth.p.johnson@gmail.com>
Date: Wed, 28 Jan 2015 13:58:55 -0500
Message-ID: <CAJkfFBx89ibKkKkJQhHe72CP4tuyAjO89J3FjiYo8h1-3+VvxA@mail.gmail.com>
In-Reply-To: <CAMm+LwhBc64U3==HwJH526wBpP_iPk=63SZCtu5omN3vkkC_Lw@mail.gmail.com>
References: <CAMm+LwgUAZtLShdX+S7ZtfhFZrF5QxBCkwVvBZtL=UCN-Xt1WQ@mail.gmail.com> <20150127202437.GA6264@besserwisser.org> <CAMm+LwhBc64U3==HwJH526wBpP_iPk=63SZCtu5omN3vkkC_Lw@mail.gmail.com>
Subject: Re: There are no NAT boxes on the Internet and never have been.
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Måns Nilsson <mansaxel@besserwisser.org>, IETF Discussion Mailing List <ietf@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/9nQii_c3oveEy2txKIwUjCXwjNw>
Yes. One of the key problems with the Information Society project is that it encourages confusion of the term "Internet" with IP-based networks in general.

Seth

On Wed, Jan 28, 2015 at 10:02 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>
> On Tue, Jan 27, 2015 at 3:24 PM, Måns Nilsson <mansaxel@besserwisser.org> wrote:
>>
>> Subject: There are no NAT boxes on the Internet and never have been.
>> Date: Tue, Jan 27, 2015 at 12:40:19PM -0500
>> Quoting Phillip Hallam-Baker (phill@hallambaker.com):
>> > Since my paper was rejected, I did not attend the middlebox workshop.
>>
>> <snip>
>>
>> > It does not hold for an inter-network because the definition of an Internetwork is that there is no central control point. Which in turn means that we can't implement certain security functions in the Internet (though there are some functions such as traffic analysis defense that can only be implemented there).
>>
>> Your definition of The Inter-Network does not look to me as "no central control point" but more in the direction of "The network where there are no middleboxes" which is IMNSHO less satisfactory. Not to mention an exercise in circulus in probando in the light of the present discussion.
>
> The Inter-network is the network of networks. Einar Stefferud used to give a very good talk explaining the difference between an Inter-network and a network.
>
> Running IP end to end does not necessarily mean running Internet end to end. The point is that the INTERNET Engineering Task Force is recognized as the authoritative body for setting standards for the inter-network but the decision maker at the network level is the owner of each network.
>
> A random IETF participant with an opinion and a keyboard does not get to tell me how to run my damn network. He is not even entitled to an opinion on the matter.
>
> I am certainly not arguing for reducing the scope of the IETF to the areas where it is authoritative. But I think people from the routing layer need to understand that what we do at the applications layer are better understood as suggestions rather than making laws and our approach as being persuasion rather than command.
>
>> I do, however, agree that for the IP-network overseer there exists a right to manage traffic by regulating it but that right should be as delegated as possible and flexible if at all possible.
>
> Why is delegation a good thing? Why is flexibility a good thing?
>
> What I want as a network user is for my applications to work with as little hassle as possible. And for that I find consistency and a single control point much easier than having to work out which of the multiple veto points is stopping something from happening.
>
> Yesterday I had to remove and reinstall Apache on the linux box because it would not start thinking it didn't have the right permissions. The permissions in question being split between O/S permissions and application level permissions and the software gives no information saying which is blocking.
>
> Windows is even worse for this. Trying to get apps to run under IIS requires three separate sets of permissions to be set and they don't even tell you about one of them. It is a hidden O/S feature that you have to discover by poking about on programming forums.
>
> The problem with middleboxes is that they distribute control across a network and make the transport of packets non-deterministic. Middleboxes will make arbitrary and often brain dead modifications to packets in an attempt to achieve control.
>
> There are two aspects of an access control infrastructure, the policy decision point and the policy enforcement point. In the current middlebox model every middlebox does both and that makes network management hard. In a default-deny network, no packet transits without express authority. So middleboxen need to perform policy enforcement. But the only way to make such a configuration practical is to coordinate policy distribution.
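The policy decision point / policy enforcement point split and the default-deny argument in the quoted message above, modelled as an added example (this is not code from the thread or from any participant; the class names, the 10.0.0.0/24 and 192.0.2.10 addresses and the three box names are constructed for illustration). A single decision point compiles and versions the rule set, every enforcement point applies the same copy, so a packet's fate is identical on every path; the `legacy_demo` contrast shows boxes that each decide locally disagreeing about the same packet, and `stale_peps` is the distribution check an operator would run to find a box still on an old policy version.

```python
"""Toy model of a coordinated default-deny policy: one PDP, many PEPs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Policy:
    version: int
    rules: Tuple[Rule, ...]

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; no match means no express authority."""
        for r in self.rules:
            if (ip_address(pkt.src) in r.src and ip_address(pkt.dst) in r.dst
                    and pkt.proto == r.proto and pkt.dport == r.dport):
                return r.action
        return "deny"   # default-deny


class PolicyDecisionPoint:
    """The single place where rules are authored and versioned."""

    def __init__(self) -> None:
        self.version = 0
        self.rules: List[Rule] = []

    def permit(self, src: str, dst: str, proto: str, dport: int) -> None:
        self.rules.append(Rule(ip_network(src), ip_network(dst), proto, dport, "allow"))

    def publish(self) -> Policy:
        """Compile a new immutable policy version for distribution."""
        self.version += 1
        return Policy(self.version, tuple(self.rules))


class PolicyEnforcementPoint:
    """A middlebox that only enforces what the PDP distributed to it."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.policy = Policy(0, ())   # until policy arrives, nothing transits

    def load(self, policy: Policy) -> None:
        self.policy = policy

    def forward(self, pkt: Packet) -> bool:
        return self.policy.decide(pkt) == "allow"


def path_verdicts(peps: List[PolicyEnforcementPoint], pkt: Packet) -> List[bool]:
    """Verdict at each enforcement point a packet would traverse, in order."""
    return [pep.forward(pkt) for pep in peps]


def stale_peps(peps: List[PolicyEnforcementPoint], current: int) -> List[str]:
    """Distribution check: names of boxes not yet on the current version."""
    return [pep.name for pep in peps if pep.policy.version != current]


def demo():
    pdp = PolicyDecisionPoint()
    pdp.permit("10.0.0.0/24", "192.0.2.10/32", "tcp", 443)   # constructed rule
    peps = [PolicyEnforcementPoint(n) for n in ("edge-a", "edge-b", "core")]
    https = Packet("10.0.0.5", "192.0.2.10", "tcp", 443)
    before = path_verdicts(peps, https)          # no policy yet: denied everywhere
    policy = pdp.publish()
    for pep in peps[:2]:                          # "core" misses the update
        pep.load(policy)
    lagging = stale_peps(peps, pdp.version)       # ["core"]
    peps[2].load(policy)
    after = path_verdicts(peps, https)            # allowed at every box
    ssh = path_verdicts(peps, Packet("10.0.0.5", "192.0.2.10", "tcp", 22))
    return before, lagging, after, ssh


def legacy_demo() -> List[bool]:
    """Each box authors its own rules: the same packet passes one and dies at the next."""
    pkt = Packet("10.0.0.5", "192.0.2.10", "tcp", 443)
    box_a = PolicyEnforcementPoint("box-a")
    box_a.load(Policy(1, (Rule(ip_network("10.0.0.0/24"), ip_network("192.0.2.10/32"), "tcp", 443, "allow"),)))
    box_b = PolicyEnforcementPoint("box-b")   # configured independently, allows only port 80
    box_b.load(Policy(1, (Rule(ip_network("10.0.0.0/24"), ip_network("192.0.2.10/32"), "tcp", 80, "allow"),)))
    return path_verdicts([box_a, box_b], pkt)


if __name__ == "__main__":
    print(demo())         # ([False, False, False], ['core'], [True, True, True], [False, False, False])
    print(legacy_demo())  # [True, False]
```

The `stale_peps` check is the operational half of "coordinate policy distribution": a box on an old version is exactly the hidden veto point the message complains about, and comparing versions across all enforcement points finds it without reading each box's configuration.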