Re: [Int-area] [EXTERNAL] Re: New Version Notification for draft-herbert-ipv4-eh-03.txt

[Tom Herbert <tom@herbertland.com>]

On Fri, Mar 22, 2024 at 9:12 AM Robinson, Herbie
<Herbie.Robinson=40stratus.com@dmarc.ietf.org> wrote:
>
> > Whether something is "legitimate" is a matter of opinion, protocol
> > conformance typically is not.
>
> In the real world, protocol conformance involves how people interpret the specs (which have historically been quite loose) and what developers of things like firewalls have to do to keep real world threats from  making the Internet totally useless.  What seems to be happening is things that are necessary get done while adhering to the developers best efforts to adhere to the specs and real world utilization.  Eventually, what really happens is things which are necessary enough to be widely used (like firewalls) dictate what the specs didn't say when the firewalls were designed.
>
> > For applications and hosts firewalls are not all necessary to do their job and
> > have created way more problems for developers than they solve.
>
> Umm, are you really trying to claim that firewalls are not necessary?

Herbie,

Yes, I'm saying that. I know this is true because whenever I connect
to WIFI at the local coffee shop or the airport I get no indication
that the network is even running a firewall, much less any guarantee
that their running a firewall that's well maintained, that the devices
are up to date with latest vendor patches, or that they have a
reasonable and sufficient security policy. I rely solely on my
application and host OS which I can control for security, malware
detection, virus scanning, etc. So some anonymous firewall that thinks
they can protect me better is more likely to cause problems or reduce
my security (like if they don't forward my IPsec or QUIC packets
because the firewall thinks that hiding data from them is insecure).
If there was some real standard for firewalls that had broad
conformance, ubiquitous deployment, and consistent policies then I
might think differently-- but until that happens I believe firewalls
are more part of the problem than the solution.

Tom

>  If it wasn't for firewalls, the Internet would be pretty much useless.  I wish that were not so, but...
>
> > In fact, in the 6man meeting the other day someone pointed out that the
> > effect of NAT has been to move the problems and complexity out of the
> > network into the host and application-- as a host developer I  can say that this
> > statement is spot on.
>
> NAT is a red herring -- it's not the only reason firewalls need to look at ports to do their job.  Then again, NAT It is a really good argument for not enhancing IPv4 (so that NAT will go away).
>
> BTW, I am a host developer and protocol stack maintainer.  I see this as a huge amount of work to implement something no-one will be able to use for 2-3 decades.  Especially when it's all available via IPv6, now.
>
> > Right, and this is exactly what drives use to limit packets on the Internet to
> > perpetually use the least common denominator of support in the network.
> > The result is an ossified Internet that we can no longer
> > evolve-- IMO that's not a good thing!
>
> And how does defining something no-one will be able to use for two or three decades solve that problem -- better than IPv6 which already has a 2 decade head start?