Re: [v6ops] Hmm. Interesting article...

[Fernando Gont <fgont@si6networks.com>]

On 02/02/2016 06:13 PM, Enno Rey wrote:
> Hi,
> 
>> On 02/02/2016 09:44 AM, Owen DeLong wrote:
>>>>> If you're running a host without any sort of filter, that's 
>>>>> really not a problem we should be solving at the network
>>>>> level. That's more of an educational problem.
>>>> 
>>>> that's a very interesting statement, taking the end-to-end 
>>>> principle into account, which IPv6 strives to realize/bring
>>>> back.
>>> 
>>> Why? There???s nothing about filters that interferes with the 
>>> end-to-end principle.
>>> 
>>> A Stateful inspection firewall that doesn???t mangle the packet
>>> header is perfectly acceptable in an end-to-end world. Whether
>>> it???s a network-level firewall, a host-level firewall, both,
>>> etc.
> 
> a network-level "stateful inspection" firewall keeps track of, well,
> state. doing so "in the network" is a - from my understanding -
> fundamental violation of the e2e principle, not least as it impedes
> "survivability in the face of failure".

FWIW, this is what we say in
<https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>
about this:

---- cut here ----
3.2.  The End-to-End Principle

   One common complaint about firewalls in general is that they violate
   the End-to-End Principle [Saltzer].  The End-to-End Principle is
   often incorrectly stated as requiring that "application specific
   functions ought to reside in the end nodes of a network rather than
   in intermediary nodes, provided they can be implemented 'completely
   and correctly' in the end nodes" or that "there should be no state in
   the network."  What it actually says is heavily nuanced, and is a
   line of reasoning applicable when considering any two communication
   layers.

      [Saltzer] "presents a design principle that helps guide placement
      of functions among the modules of a distributed computer system.
      The principle, called the end-to-end argument, suggests that
      functions placed at low levels of a system may be redundant or of
      little value when compared with the cost of providing them at that
      low level."

   In other words, the End-to-End Argument is not a prohibition against
   e.g. lower layer retries of transmissions, which can be important in
   certain LAN technologies, nor of the maintenance of state, nor of
   consistent policies imposed for security reasons.  It is, however, a
   plea for simplicity.  Any behavior of a lower communication layer,
   whether found in the same system as the higher layer (and especially
   application) functionality or in a different one, that from the
   perspective of a higher layer introduces inconsistency, complexity,
   or coupling extracts a cost.  That cost may be in user satisfaction,
   difficulty of management or fault diagnosis, difficulty of future
   innovation, reduced performance, or other forms.  Such costs need to
   be clearly and honestly weighed against the benefits expected, and
   used only if the benefit outweighs the cost.

   From that perspective, introduction of a policy that prevents
   communication under an understood set of circumstances, whether it is
   to prevent access to pornographic sites or prevents traffic that can
   be characterized as an attack, does not fail the End-to-End Argument;
   there are any number of possible sites on the network that are
   inaccessible at any given time, and the presence of such a policy is
   easily explained and understood.

   What does fail the End-to-End Argument is behavior that is
   intermittent, difficult to explain, or unpredictable.  If I can
   sometimes reach a site and not at other times, or reach it using this
   host or application but not another, I wonder why that is true, and
   may not even know where to look for the issue.
---- cut here ----

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492