Middleboxes vs. the Internet's End-to-End Principle

arglebargle_xiv writes "The Internet was designed around the end-to-end principle, which says that functionality should be provided by end hosts rather than in the network itself. A new study of the effect of vast numbers of middleboxes on the Internet (PDF) indicates that this is no longer the case, since far too many devices on the Internet interfere with traffic in some way. This has serious implications for network (protocol) neutrality (as well as future IPv6 deployment) since only the particular variations of TCP that they know about will pass through them."

What

[atari2600a]

So no more routers & switches? I mean I see where this is coming from, all these proxies & DNS filters & whatnot, but until a true viable p2p DNS alternative comes around & gets adopted by at least 10% of the connected world or governing bodies...

Re:What

[atari2600a]

Either way I suppose that has absolutely nothing to do with TCP, I'll be sure to bookmark the report & read it on an off day.

Re:What

[martin-boundary]

Routers and switches operate at a lower level in the stack. The end-to-end principle is about user apps, and it makes A LOT of sense.

Basically, whenever the pipes become smart, things overall become less reliable. It's simple math. Add one component along a network path, and now every app that uses the path may have to be fixed to cope with the new behaviour on that path. For example, if your ISP adds an HTTP filter, every app using HTTP is at risk of breaking the next day.

With end-to-end, the only correct place to put the new functionality (HTTP filtering in this example) is at an end, namely as a process on a user's computer. Now, the simple math works out: the user is filtered (same outcome as above), but the pipes are dumb and the only thing breaking due to the filter are programs on that user's computer. Everybody else's software works fine just as before.

Re:What

[atari2600a]

I'm afraid I haven't read up on TCP/IP in a while, but doesn't every device modify the header of every packet while sending it downstream?

Re:What

No, because of the layered OSI model. Every (intermediate) device strips off the outermost header, processes it and then adds its own. It should not modify anything in the encapsulated packet. NAT is the usual exception to the rule, because it rewrites the layer 3 (transport) headers while operating on a level 2 (link) layer.

Re:What

[kasperd]

I'm afraid I haven't read up on TCP/IP in a while

Even the term TCP/IP in itself is misleading. TCP and IP are two separate protocols. TCP is designed to be run on top of IP, and TCP does have some knowledge of the underlying protocol (a bit too much some would say). IP on the other hand has no knowledge of TCP. The IP header contains an 8 bit protocol field, so you can in principle run 256 different protocols on top of it (some values are reserved, and not all the other values are assigned yet). An implementation of IP does not have to implement all the higher level protocols, in fact only ICMP is mandatory.

A router is supposed to work on the IP layer. A router should not know about TCP, and it shouldn't care what protocols are run over it. In practice routers do tend to have TCP and UDP implementations as well. They have TCP because that is what is typically used to configure the routers, and BGP is run over TCP as well. And in some cases you may want to do DNS lookups, and for that you want UDP.

When you build a router you have to keep the right layering. The low level should do routing and not care about UDP and TCP. The next level can do TCP and UDP, and on high end routers the separation should be to the point where this is even implemented by a different piece of hardware from the one that does the routing. The next level up the stack can handle configuration and routing protocols. This layer can then push updated routing tables to the actual hardware doing the routing. If the different pieces stick to their area of responsibility, things will work out. All of those higher levels could in principle be implemented by a computer next to the router and leave the router to do only routing.

Some routers have features to interpret higher level protocol headers such as UDP and TCP and mangle them. Once it starts doing that, it is no longer a correct implementation of IP according to the original spec. The network is supposed to get the higher level payload from source to destination without mangling it. The network as it looks today fails at that task.

but doesn't every device modify the header of every packet while sending it downstream?

Routers do. They have to decrement the TTL, and in case of IPv4 adjust the header checksum. But most of the other fields in the IP header are read-only for the routers, and the higher level protocol headers such as UDP and TCP are totally off-limits.

Re:What

[smash]

Exactly. End-to-end as a mandatory access scenario is for GNU hippies like RMS who believe in unicorns and that everybody should hold hands an sing.

The ABILITY to do end to end transit when both parties agree to such is a very good thing to have, yes - but to assume that end-to-end should always work in the real world where we have assholes out there who want to rip you off (money, cpu, bandwidth, etc) and basically fuck you over is never going to be realistic.

Re:What

[smash]

Thing is, network owners WANT to be able to control what their network is being used for. If you're a carrier and simply just sell pipes, sure - open access from point to point. CHarge by the gig, whatever.

If you're an endpoint, you sure as shit want to make sure that only the traffic you want reaching your devices is actually allowed through.

Re:What

[definate]

And that's really annoying for end users. I'm on an ISP that does transparent proxying of some sources, like Wikipedia. Every now and then it stuffs up, and I suddenly can't access Wikipedia, or I suddenly get strange "functionality" that other people don't.

Re:What

[jd2112]

But, but, but... Piracy!

No, I mean Child Molesters and Terrorists! Think of the children!

this message brought to you by the MPAA, RIAA, and BSA.

Re:What

There is a viable p2p DNS alternative. It's your hosts file. Nothing stopping people from trading around hosts files instead of using DNS.

Re:What

[Whatsmynickname]

In addition to the security, doesn't end-to-end assume both endpoints have a decent connection? Would, for example, I want to have hundreds of thousands of requests hitting my mobile phone linked via a crappy cell tower? What about Web 2.0 servers which have millions of hits; don't they have layers of middleware routing all the traffic? What about the Slashdotting effect, wouldn't I want some middleware to handle traffic?

Re:What

Exactly. End-to-end as a mandatory access scenario is for GNU hippies like RMS who believe in unicorns and that everybody should hold hands an sing.

The ABILITY to do end to end transit when both parties agree to such is a very good thing to have, yes - but to assume that end-to-end should always work in the real world where we have assholes out there who want to rip you off (money, cpu, bandwidth, etc) and basically fuck you over is never going to be realistic.

So... people should be free to choose whether they want to allow incoming connections on a case by case basis but end-to-end is a terrible idea?
I find it difficult to believe that you can have such a low UID yet not understand the inherent contradiction between placing incoming connections in the hands of a third party who probably doesn't give a shit whilst somehow also reserving control of incoming connections to yourself. Either the net is end-to-end or it isn't.

(Hint: Hosts which filter with firewalls ARE still end-to-end, the packet got to the firewalled computer and once that happens the computer is free to do whatever the hell it likes with it, including ignore it. It just has to actually GET there which is what the middle-boxes are screwing with)

Re:What

[Phreakiture]

So no more routers & switches?

Switches, sure. Routers, maybe. Proxies, however, no. I think that's the gist of it.

Not sure I agree that these things should go away, but the point that they alter the way things work is true, especially given that this is the point of their existence. The trick is to cause them to exist in a non-intrusive manner. This is where things often fail.

At home, I have a wireless network which is mostly transparent (which doesn't mean open . . . it is secured). NAT is involved, of course, and there is available (but not required) a web proxy and there is a DNS proxy which is required. These are, of course, performance enhancers. The web proxy caches content locally, and the DNS proxy caches DNS requests and also provides local DNS.

Meanwhile, at my workplace, we have a wireless network for guest and employee use (using it right now), which pushes all web content through a filtering proxy (may be monitored, too, don't know; I generally assume and act as though it were) and prohibits outbound connections on all but a handful of ports (used for http, https, smtp, pop, imap).

Going further, a cafe near here has free wireless access. After clicking through, you can only use port 80, period. It sucks very much bad.

The first example is an example of the middleboxes not hosing things up; the second is of them being annoying; the last of them being waaaaaay overboard.

Incidentally, I have also seen one in the opposite extreme: My doctor's office has a wireless network that consists of two components: a Linksys router and a cable modem. It is as open as it gets.

Now, of course, there will be those who (rightly) point out the private property element of the examples I just gave, but these are just that: examples. Where it starts to get iffy is when you take these differing paradigms and move them into the realm of what the ISP is doing. If the only broadband provider in an area is phucking around with the connectivity, it has the potential of breaking something, and I think that's really the main point here.

Re:What

But so how do you expect us then, to check on everybody's packets to check if they are.... uhm, ehem, .. ah! ... downloading child porn?

Thanks,

**AA & NSA.

Re:What

[fudoniten]

That's why it's called the end-to-end principle. It doesn't mean that nothing should ever, ever modify a packet on the network. But, end-to-end communication with functionality pushed to the edges is an ideal for which to strive. The fact that almost any two hosts on the Internet are able to communicate (after jumping through some stupid and mostly unnecessary hoops) is evidence that some people out there still consider it a solid principle. Just because you cannot hit the platonic ideal doesn't mean you should scrap the whole notion. It's fundamental to the Internet. IP is built on end-to-end principles, it doesn't give a shit what it carries, it's simple and dumb, so it's working perfectly today, decades after it was created. The farther we stray from the principle, the worse things get; firewalls, gateways, NATs and proxies have forced most traffic to masquerade as HTTP. Is that a good thing? Is that safer, or smarter?

So, yes, there are cases where you want a bit of intelligence in the network to stop a DDoS. You also need routers to route packets. That doesn't invalidate the whole idea, unless you're a literal-minded idiot.

Re:What

[smash]

I do this network shit for a living. I'm aware of what I'm talking about, perhaps you misunderstood my point.

Re:What

Oy, atari2600a, you mentioned 'p2p' and 'governing bodies' in the same sentence... almost implying that they can coexist...

repaly

[coniefoxdrerss]

Yes, this device always influence the sign of the internet.

Internet with middle boxes like sex with a condom

[Chrisq]

Internet with middle boxes like sex with a condom. It somehow doesn't feel right and is less satisfying but can protect you from some nasty stuff.

Too true

[ShooterNeo]

I just moved into an apartment with internet provided by ethernet jacks in the walls. The actual architecture is a major ISP has set up their own routers somewhere, putting me permanently behind a NAT. I cannot open a single port, so no incoming connections can ever reach my computers without one of my machines sending a packet out first.

This has SIGNIFICANT advantages : most worms cannot spread because my computers cannot receive a packet from any machine without software on my machine actively establishing a connection first. No exceptions. It means that bittorrents and other P2P software barely work at all. And so on.

For the ISP, this is ideal. And, the ISP offers unheard of speeds in this restricted setup. 4meg upload/4 meg download is free with the apartment rent, and for $40 a month they'll give me 50 meg upload 50 meg download. For a USA ISP, that is crazy fast...but the limitations make the high upload close to useless.

And, the other interesting thing is that nearly everything I've ever done on the internet still works. My computer is unable to communicate with anyone without the help of a server and is a permanent client, but in today's world that's the norm.

Re:Too true

With the exception of the incredible speeds, I suspect this is a sign of things to come.

Re:Too true

[adolf]

most worms cannot spread because my computers cannot receive a packet from any machine without software on my machine actively establishing a connection first. No exceptions.

No exceptions, except for laptops, netbooks, and other various-and-sundry gear which travels between networks.

Your walled garden may, indeed, have walls. But it also has unguarded gates through which anything may pass.

Re:Too true

[icebraining]

Do most worms actually infect home machines by direct connection? WTF is running on people's machines to allow that?

Personally, I'll refuse any NATed connection if only on principle. Censorship evading technologies like Tor and Freenet depend on people being able to connect directly to each other. That turns the 'net into TV.

Re:Too true

[ShooterNeo]

I'm not sure if the machines inside the walled garden can talk to each other, either. I don't think that they can. (unless I put several of my own computers on the same switch, I don't think they can see each other)

Please understand...I hate this architecture and I think it stinks, but I can see why the ISP is doing it this way.

Re:Too true

[adolf]

I'm not sure if the machines inside the walled garden can talk to each other, either.

There's no reason to be unsure.

Just fire up nmap or Netscan and have a peek.

Re:Too true

[AtomicJake]

Do most worms actually infect home machines by direct connection? WTF is running on people's machines to allow that?

Yes. Otherwise it would be a virus and not a worm. And what to run to allow that: e.g. XP before SP2 without a good firewall (remember "slammer"?). Or Linux with an old and unpached Apache. You would be amazed how many old installations are out there, which are not up-to-date.

Personally, I'll refuse any NATed connection if only on principle. Censorship evading technologies like Tor and Freenet depend on people being able to connect directly to each other. That turns the 'net into TV.

I understand the reasoning, but you still need a good firewall. Most people use NAT as a means as a firewall. And, of course, if you have a DSL connection at home, you need a NAT, unless you've found a provider that gives you enough IP addresses for all of your devices (or you have only one device).

Re:Too true

[jimicus]

Windows XP pre-SP2 didn't have any sort of firewall and opened up all sorts of things by default; most ISPs shipped you a USB ADSL/cable modem and explicitly told you not to use a firewall or they wouldn't support you. Lots of things at the time therefore did spread in exactly that fashion; the only sensible option was to tell your ISP to go to hell and install a router with a firewall or a third-party software firewall.

That said, I'd be surprised if any common malware written in the last 5 years had that as its only infection vector.

Re:Too true

[icebraining]

And what to run to allow that: e.g. XP before SP2 without a good firewall (remember "slammer"?).

Oh sure, but XP pre SP2 installations should be a small number by now, no? I wouldn't expect current Windows to fall if not behind NAT, so I don't see the 'great advantages' parent talked about.

I understand the reasoning, but you still need a good firewall. Most people use NAT as a means as a firewall. And, of course, if you have a DSL connection at home, you need a NAT, unless you've found a provider that gives you enough IP addresses for all of your devices (or you have only one device).

Sure, but that's completely different, because I can control that firewall and NAT (including using automated mechanisms like uPnP).

Re:Too true

With the exception of the incredible speeds and the cheap price, I suspect this is a sign of things to come.

FTFY

Re:Too true

[definate]

Wow, that sounds like hell to me. I wouldn't be able to access most the services I run.

Also, what worm, made since Windows XP upgraded it's firewall to "barely functional", still relies on direct connections? I call bullshit. That's not a feature. Almost all of them, to get around the advent of NAT and firewalls, call out to a command server. Often encrypted traffic too. So, while you say "most worms", you actually mean "few worms", since most worms have multiple attack method (well, the major ones do), and some of those methods, are passive, such as infecting websites, flash drives, emails, etc.

The only feature, is that it makes BitTorrent and other P2P more annoying to deal with, but doesn't stop them. This is more a feature for the ISP, and is likely how they can afford to offer these faster connections for the lower price... because using your connection, is hard.

Re:Too true

[fa2k]

You don't *need* a good firewall. A firewall is meant to give an extra layer of good security, but it is used in 90 % of the cases as a quick fix for configuration errors. OSes need to close off unnecessary services anyway, because people take laptops to all kinds of scary places. The IP stack is not inherently insecure. It doesn't harm you if your machine sends a TCP RST packet or an ICMP unreachable when something tries to connect. If only people could make transport mode IPSec easy, we could have a "local" net that worked from anywhere, the "firewall" would be strong encryption.

Re:Too true

[vlm]

My computer is unable to communicate with anyone without the help of a server and is a permanent client, but in today's world that's the norm.

Note that server can be your server, not someone elses server.

You're about 15 minutes of work away from signing up for a virtual host (I am a happy linode customer) and set up a bridging VPN to the vhost and you're live on the air with a static public address. Or NAT as you please from that public addrs into your internal LAN (thats what I do)

This has the other interesting side effect of your ip address being as stable as the vhost side can make it... you might have the same addrs for a decade. This is much nicer than the "every time you reboot, your cablemodem gets a new address, so you have to update all your DNS or get dynamic DNS working which in the past required sacrifice of a chicken and at least a six pack of beer.

Make sure to hire the vhost in a country you want... That way you control geolocated IP services instead of them controlling you. Get a vhost in the UK if you want free BBC stuff; get a vhost in the USA if you want ... i donnu, to be monitored by the NSA or whatever. You get the idea.

Also the virtual host is a nice place for a vanity web host, vanity email server, a tor proxy (inbound just for you, or transit only, or if you want the headache allow public outbound). Or a torrent web downloader client thingy. Or set up a ftp daemon, some SSH keys and rsync/unison and call it your "dropbox clone". Or a I2P and freenet "host" much like the tor proxy above.

You can have all kinds of cheap fun with a virtual host in the country of your choice.

We are rapidly approaching the point where all TCP / UDP / whatever-P connections will be running over dynamically configured VPNs or at least SSL, to avoid the brain damage of middleboxes. You may as well get used to the idea now, and get some experience with running everything over VPNs.

Re:Too true

[vlm]

I'm not sure if the machines inside the walled garden can talk to each other, either.

There's no reason to be unsure.

Just fire up nmap or Netscan and have a peek.

Old school, but works. New school is just fire up your bonjour / zeroconf / whatever its called now client and see if its full of other peoples printers, desktops, and airport-extreme type devices.

Of course a dumb enough admin might filter JUST mdns and forget to filter the actual services, so it's still worthwhile to nmap.

Re:Too true

[dasherjan]

I'm not sure if the machines inside the walled garden can talk to each other, either. I don't think that they can. (unless I put several of my own computers on the same switch, I don't think they can see each other)

Please understand...I hate this architecture and I think it stinks, but I can see why the ISP is doing it this way.

As netadmin who works for an ISP. I understand why they're doing it that way as well. I don't thank that user's should let us get away with it though.

Re:Too true

[dasherjan]

I think the poster was refering to worms that go for open shares. I have no idea what the percentage of worms do that though.

Re:Too true

What you're describing is a "stateful firewall" and it doesn't require nat at all.

The basic rule is "allow in to out" and "allow out to in if established" and "deny all"

NAT is just a hack that doesn't offer any extra security.

Re:Too true

[Cato]

The ethernet jack and high speed is nothing to do with the NAT. This sounds like a new apartment building with Fibre To The Building (FTTB), hence the high symmetric bandwidth of 50 Mbps.

This can be done at layer 2 providing an Ethernet demarcation point as the service to the end user (you), or it can be done at Layer 3 (IP) without NAT, or Layer 3 with NAT.

Unfortunately your ISP doesn't have enough IPv4 space left to do layer 3 without NAT, and since it's an ISP it needs to provide layer 3 somewhere. However there are plenty of FTTB/FTTH deployments that don't impose NAT at the provider side.

Re:Too true

NAT is evil because it introduces a new, unnecessary way to prevent access to internal networks, and along the way introduces new problems that have to be solved.

Option A: install a conventional firewall. Problem solved.

Option B: introduce a NAT box, which breaks the end-to-end principle by creating an intermediary machine, requires new and different techniques for NAT punch-through, most of which are infested with version and implementation differences. New problems created.

Re:Too true

[ShooterNeo]

Ok, I was trying to google for how to do this. I can't even find the right search phrase - I either get a blizzard of results related to VPNs for a business or a blizzard of results related to people wanting slow and crummy free proxy servers to go to restricted websites.

As I understand it, with a virtual host I am limited by the upload speed of that host, right? So if I wanted to have a full 50mbps connection to the outside world that I can receive incoming connections to, I would need a virtual host that has 50 megabit upload and a big enough bandwidth allocation to make use of it?

Right now, I pay $40/month for my minecraft server because I didn't have a fast enough upload where I used to live.

Re:Too true

[ShooterNeo]

Ok, I looked at Linode. TRANSFER LIMITS. Their $40/month plan is limited to 400 gigabytes/month. So if I'm using a program running on a linode box to act as my proxy to the outside world, giving me a publicly accessible IP, I can't transfer very much data.

I have an Into VPS account which for that price has a 2000 gigabyte monthly limit. Currently I run a minecraft server but I suppose I could set the machine up as my proxy to allow me to play multiplayer games that have port forwarding problems. This just seems like a really kludgey way to do it...surely there are proxy services out there that use dedicated ASICs for the proxy routing.

Re:Too true

Bittorrent and p2p will work just fine using this setup. You just have to know how to do. My old uni had a similar setup and I could upload at 350+KB/s (yes, bytes) and download anything I wanted via bittorrent. My uni also actively sought to block bittorrent and would nuke your connection after you used 10GB of data transfer (the solution was to change your mac address). A lot of my friends had no idea how to set up their clients though and would just give up, until they came and talked to me that is.

Re:Internet with middle boxes like sex with a cond

[KiloByte]

... and they give me an allergy. And like in your analogy, you lose a lot if you can't do it directly.

Re:Internet with middle boxes like sex with a cond

[ciderbrew]

And the most lost on the most people at once analogy award goes to...

Re:Internet with middle boxes like sex with a cond

[jamesh]

And the most lost on the most people at once analogy award goes to...

http://en.wikipedia.org/wiki/Condom for anyone who doesn't know. If only i'd known before my 4 kids were born... (hi kids, if you're reading this!)

This is a surprise?

[cardpuncher]

Most of the "routers" (which are really a cross between transport-level and application-level gateways) supplied to domestic customers aren't even capable of the full gamut of IPv4 features: no real hope of extending TCP, transport protocols other than TCP or IPv6.

TCP/IPv4 is now a living fossil and will persist in its present form as an ISP access protocol, ironically filling exactly the same function that X.25 (so much derided by Internet professionals at the time because it wasn't end-to-end) was designed to provide. Big ISPs have the same business model as the old telcos (and indeed may be the same business) and they need to control access to their network and bill for it. They can't do that without "middleboxes" of some kind. End-to-end was only ever really feasible for closed-user-group networks paid for by third parties.

On the plus side, a more capable "middlebox" would allow you to negotiate classes of service with your ISP which might obviate the need for the ISP to randomly traffic shape in ways that suit noone.

Re:This is a surprise?

[arglebargle_xiv]

TCP/IPv4 is now a living fossil and will persist in its present form as an ISP access protocol, ironically filling exactly the same function that X.25 (so much derided by Internet professionals at the time because it wasn't end-to-end) was designed to provide.

The reason why most people derided X.25 wasn't because of any ideological issues, but simply because it sucked so much. I've worked with a huge range of networking technology (everything from Trailblazers over noisy phone lines in China to OC-xx's) and X.25 was by far the most painful technology I've ever dealt with. The worst part was that even if you managed to get the link up, because of all the stoopid^H^H^Hintelligence built into the network, it failed with 100% reliability. In other words all the handshakes were exchanged, checksums were OK, and half your packets fell on the floor somewhere because some PAD decided to drop them while at the same time running all the X.25 signalling to say everything was fine.

Excessive use of middleboxes really is a bit like X.25 (only a bit, because I've never seen a middlebox situation as bad as an X.25 network), the network is free to fsck with your packets in any way it pleases and the only mitigation you've got is to keep frobbing random options until you finally figure out what you need to tweak to get things to start working.

(With X.25, two-week outages weren't unheard of, that being the time it took until numerous network users managed to triangulate the PAD that was randomly misdirecting traffic while telling the rest of the network that everything was OK).

Re:Internet with middle boxes like sex with a cond

[1s44c]

I can't find a mod for '-1 You What?' so I decided to reply instead.

You can't have seriously got to the age of 16 and not known what a condom is? Were you educated by religious nutcases who never let you have any contact with the world?

I'm posting this Anonymously so I can mod anyone who replies with 'whoosh' as a troll. 'Whoosh' was never funny.

Re:Internet with middle boxes like sex with a cond

[1s44c]

I'm posting this Anonymously so I can mod anyone who replies with 'whoosh' as a troll. 'Whoosh' was never funny.

I messed that up.

Re:Internet with middle boxes like sex with a cond

[rts008]

I am only replying to correct a modding mistake.
I tried to mod you +1 Interesting, but somehow it ended -1 Troll.
My apologies, truly.

The 'Wild, Wild West' days of the Internet lasted much shorter than the expanding of the US frontier(west).
It would be interesting to see what could have came about on this digital frontier. *sigh*

Nowadays, governments see revenue and influence as possibilities, mega-corps/industries with money/political influence see dollar signs, ad nauseum, until the commercialism and gov't. regulation are inevitable.

Enjoy what internet freedoms exist now, fight against change to the best of your abilities/means, try to influence others....but prepare for the worse case scenario.
Well, that's my plan, YMMV.
I don't see it improving, just getting worse.

BTW, for the Trolls, I am not against commercial or political USE of the internet, I am against control and most regulation of it.

Use a VPN service

I agree with the posters that this architecture is a sign of things to come. The famous John Walker cited this architectural change as the main reason he discontinued work on Speak Freely, back in 2004. Note it is possible to 'fix' the architecture by setting up a VPN connection to a real IP address. There are various hosting companies that offer this service. This would allow you to e.g. run a network game server, receive telephony calls without a NAT traversal scheme, et cetera.

Re:Internet with middle boxes like sex with a cond

[Chrisq]

I can't find a mod for '-1 You What?' so I decided to reply instead.

You can't have seriously got to the age of 16 and not known what a condom is? Were you educated by religious nutcases who never let you have any contact with the world?

I'm posting this Anonymously so I can mod anyone who replies with 'whoosh' as a troll. 'Whoosh' was never funny.

Diagnosis: anally retentive.

What

[ledow]

The "end-to-end" nature of the Internet ended with the first firewall. Not to mention NAT, proxies, etc. To get to the point where I have a transparent squid proxy protecting my workplace (a school) is only a teensy, tiny step.

"End-to-end" is a pipedream and can't possibly work because of the sheer security and scale of such a network (i.e. there would be nobody on the path able to stop a DDoS against you!). It wouldn't work, and that's why other solutions exist.

Hell, virtually every device ever sold that handles IP traffic modifies it in some way that defeats this "end-to-end" crap. They have firewalls. They may offer NAT. They might offer ping-blocking. Hell, the first thing any decent firewall does is turn off most of the unsolicited packet access that it receives, whether that be ICMP messages, or packets with fake origin. Without that, you'd have chaos.

news flash

[smash]

old devices need upgrading for ipv6. including: desktops, routers and.... *gasp* firewalls.

Re:Internet with middle boxes like sex with a cond

[Whalou]

And just like condoms, sometimes you can't accomplish your goal if you them.

I think you accidentally the verb.

TCPv6: any changes possible?

Yeah, when they were treated as one protocol, it was before either OSI or the the 4-layered models existed. Ever since IPv4, they've been separate.

But if they're going to overhaul TCP, that would have to wait. If it were piggybacked on the IPv4-v6 migration, then that would introduce even more unknown variables and further delay the migration. I'd say this team missed the bus - TCP already underwent a minor change for IPv6 by the introduction of jumbograms, and the setting of maximum payload sizes to 65535 bytes. That was the time any of the modifications suggested in this paper should have been incorporated - it would probably have been thoroughly tested by 6bone and other such experiments, and been ready for prime time today.

Maybe it's not too late - since the bulk of initial IPv6 traffic would probably be on Teredo, which is an UDP based implementation, maybe the suggested extension of TCP using its various options can still happen, and be rolled out w/ TCP/IPv6 on Dual-Stack Lite and later plain IPv6 connections.

By middleboxes, I got the impression that they're looking @ various transition points for whether any packets are added on in the path. Only such devices they have in mind are NAT boxes, from what I gathered: middle boxes didn't seem to mean routers, internet gateways, or other intermediary equipment that doesn't much around w/ the contents of their outermost packets.

Re:TCPv6: any changes possible?

TCP already underwent a minor change for IPv6 by the introduction of jumbograms

But you only have to implement that if it is to run on hosts directly connected to a link with an MTU of more than 64KB. Since most links still have a 1500 byte MTU, the jumbograms are of no significant to the majority of the net. Another change that is relevant to all implementations is that the pseudoheader was changed from using IPv4 addresses to use IPv6 addresses.

UDP was also changed a little bit. On IPv4 checksumming of UDP packets was optional. On IPv6 checksumming of UDP packets is mandatory.

Re:TCPv6: any changes possible?

[lamber45]

If you read the original article, they say that middleboxes actually do behave for at least 80% of the connections they tested (at least 90% when going to a random high port on the server, not port 80). The other 20% can be detected by the fact that they don't pass new TCP options on the initial SYN packets, and so an extension can fall back to "plain vanilla" TCP if appropriate. Hence, the following two extensions should actually work widely (although not universally) on the current Internet:

• Multipath TCP (Internet draft). This should allow load-balancing or failover between two hosts where at least one has multiple IP addresses (is multi-homed), including the case where one end has and IPv4 and and IPv6 address or has multiple IPv6 addresses from multiple networks (including, for example, 6to4 and Teredo).
• TCP Crypto (Internet draft). A way to encrypt the TCP stream, not as an application running over TCP (as is SSL) but as an option in TCP itself. Redundant if either every protocol is SSL-ized or if IPsec is universally deployed, but perhaps useful at present.

These extensions are deployable now, on TCP/IPv4 and TCP/IPv6 equally. (There is no "TCPv6". RFC 1705 mentions TCPv6, but that was only an "informational" memo written when people were still talking about "IPng".)

Re:Internet with middle boxes like sex with a cond

[PopeRatzo]

It somehow doesn't feel right and is less satisfying but can protect you from some nasty stuff.

But "nasty stuff" is the reason most people go on the Internet.

End to end or death

It's funny reading all these comments here where people assume a firewall, NAT or packet-filtering is a "cure-all" for improperly written programs that accept incoming network connections. If you continue to allow a program that has a network-related vulnerability to run on a system of yours, that is your fault and not the network's fault. Programs with bugs should be fixed. Where they can't be fixed because the company is out of business or only releases patches once a month, you should stop using that company's program and find something else that is less buggy. If you don't know how to configure a program to be secure and not accept incoming requests from anyone, you shouldn't be using that program.

If you are forced to use improperly configured or buggy programs, then the issue is not a network issue but something else.

End to end is a nice thing. It allows me to get to my files without having to pay a third party to run a properly updated and configured system which I already know how to do. It allows me to provide services to others without needing to go through a third party, which I think I should have the right to do without having to pay an intermediary. It allows groups of people to pool together and make resources available to many others without needing energy-hungry, expensive, and centralized data centers.

making clients fo msot of the work of encrypting

[throwaway18]

From the report

TcpCrypt was motivated by the observation that server computing power is the performance bottleneck. To make ubiquitous encryption possible, highly asymmetric public key operations are arranged so that the expensive work is performed by the client which does not need to handle high connection setup rates. This is in contrast to SSL/TLS where the server does more work.

I think thats a really insightful observation. I'd really like a new version of the HTTPS that takes away the most common objection to using it by making the client do most of the work. Most computers being used for web browsing have processor time to spare, not sure about smartphones though.

Re:Whoosh

[1s44c]

Whoosh

Don't try to battle slashdot memes. You will lose.

'In soviet russia...' is a meme, 'correlation != causation' is a meme. Even goatse links, GNAA posts, or the posts that say 'here is a link to a nice mirror' and it's actually a link to a picture of a mirror make better memes than 'Whoosh'.

'Whoosh' is just one meaningless word repeated over and over. It's basicly nyan cat without the funky music or retro animation. It's a nothing-meme.

Confusion

[LoudMusic]

There seems to be confusion in what 'middleboxes' are. I don't believe this term refers to firewalls and NATing devices. It would seem to mean something more like a device that augments the data as it's passing it. Like a web filter that edits HTML on the fly to add, remove, or replace ads. Or an SMTP monitor that captures emails and includes some additional data as its being relayed. Or the Comcast DNS servers that can give you non-authoritative responses sending you to the destination of THEIR choice.

Firewalls aren't middleboxes. They just kill connections (as a basic firewall - clearly more complex firewalls can do greater tasks).

Re:Confusion

[jgrahn]

There seems to be confusion in what 'middleboxes' are. I don't believe this term refers to firewalls and NATing devices.

It *does* include those. They define it on page 1 of TFA: "... an invasion of middleboxes that *do* care about what the packets contain, and perform processing at layer 4 or higher *within* the network."

They have to define it that way, because they want the freedom to use IP (the Internet Protocol) between hosts A and B, over the internet. Not unreasonable, I think.

Re:Whoosh

[2names]

It's a NOME!

Re:Internet with middle boxes like sex with a cond

[Haedrian]

I think more on the lines of protecting your system and not protecting your sanity

Built in TCP Encryption

[Synerg1y]

TCP Encryption seems to be some of what the article is pointing at (who has time to read this theoretical white paper?) which I think is great. It's kind of implemented with https over SSL, but it's left up to the website owner to implement it at the cost of system performance.

Factor in extending TCP, I'd like to see the private / public key system implemented in TCP as a standard, rather than an overlay. There is no benevolent reason to anybody that an ISP should be monitoring their traffic (they aren't trying to speed up your network rofl). Thus, since we need to keep the internet free, etc... if all traffic was encrypted, even if it was decrypt able with gpu computing, it would still be a major step forward.

The problem lies not in the theory though, but the implementation, would be difficult to do without at least browser upgrades.

Re:making clients fo msot of the work of encryptin

[Synerg1y]

Maybe in windows....

But in linux/unix...
www.linuxsecurity.com.br/info/fw/PacketManglingwithiptables.doc

In the end the server has to generate the keys, otherwise how do you know who the client is? or for non-clients to spoof?

PGP seems faster than https though, but https is doing more that causes the overhead.

Re:Whoosh

[glodime]

Whoosh is informative.

Re:making clients fo msot of the work of encryptin

Wait, you wrote a Word doc to describe linux/unix configuration? Couldn't you just write HTML so that I could read it?

How many ISPs allow other IP protocols?

[Animats]

IP supports a large number of protocols other than TCP, UDP, and ICMP. But how many ISPs still pass them? Can you still send Xerox Network System (XNS) packets (protocol 22)? AX-25 frames (protocol 93)? QNX messaging (protocol 106)? Fibre Channel (protocol 133)? Can you change the version number on TCP (which is what the people doing the original paper should be doing when they change the protocol)?

All of these are IP, so the Internet should pass them. I've tried QNX packets, and they at least went through Linksys boxes without being lost or modified.

Re:Whoosh

[Eponymous+Hero]

Whoosh!!

whoosh means that you totally missed the point, which is why i had to whoosh you again. it is a meme, like any other in this community. for an incomplete and changing list of slashdot memes, see my sig.

Re:Internet with middle boxes like sex with a cond

[1s44c]

I can't find a mod for '-1 You What?' so I decided to reply instead.

You can't have seriously got to the age of 16 and not known what a condom is? Were you educated by religious nutcases who never let you have any contact with the world?

I'm posting this Anonymously so I can mod anyone who replies with 'whoosh' as a troll. 'Whoosh' was never funny.

Diagnosis: anally retentive.

That's not a meaningful reply. Are you objecting to the main content of my posting or my anti-whoosh rant?

Summary is confused

[Tepic++]

The original end-to-end paper argues that applications are best implemented at end points rather than in the network - the final application end points (e.g. the receiving end of file transfer) must be aware of failure modes in the network (e.g. errors, security, etc.) therefore the network can never be completely abstracted away nor can the application be mostly implemented in the network. It doesn't sound like anything has has changed today and the original paper even notes that partial optimisations (e.g. HTTP caching) can be implemented in the network. This hardly moves the application into the cache.

Sounds like the summary has conflated a narrow paper about the state of TCP with a general principle for building networked applications.

End-to-end paper: http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf

End-to-end has nothing to do w/ Firewalls

You're confusing the presence of firewalls as breaking end-to-end connectivity. It is nothing of that sort. End-to-end simply means that the ultimate destination address is the same as the initial send-to address, firewall or no firewall. You would always want a firewall @ every node to make sure that there are no attacks on that node from either within or outside the network. But if the address to which someone sends you some packets is exactly where it ends, w/o being altered en route, end to end connectivity is preserved. As it is w/ IPv6, and once upon a time was w/ IPv4, but no longer is.

In other word, end to end simply means that no 'middleboxes' have to alter your destination address to ensure that your packets get to where you wanted it to go. If they're any middleboxes, all they do is authenticate the source of these packets and whether they're secure, before allowing them in.

Re:Whoosh

[1s44c]

Whoosh!!

whoosh means that you totally missed the point, which is why i had to whoosh you again. it is a meme, like any other in this community. for an incomplete and changing list of slashdot memes, see my sig.

It doesn't mean 'you missed the point' at all though. It may be meant by the people that posted it to mean that but they don't have total knowledge over all subjects any more than the person they are troll-replying to. It's a null-reply used by those that can't be bothered typing. you would be better replying 'nyan nyan nyan nyan nyan' as it conveys at least the same information and is way more funny.

I swear the average IQ dropped around here by around 50 points somewhere between the creation of ID 1000000 and ID 1500000.

Re:Whoosh

[Eponymous+Hero]

whoosh is the onomatopoeia that imitates the sound of the point being made flying quickly over your head.

It may be meant by the people that posted it to mean that but they don't have total knowledge over all subjects any more than the person they blah blah blah blah

stfu you troll. nyan (nyah)? what would really be funny is watching you finally get it.

WARNING: after hearing the whoosh sound, some victims of ignorance such as yourself suddenly receive the epiphany they were missing, and this often triggers the "facepalm" meme. please be careful when slapping your face in recognition of your own stupidity.

Re:Whoosh

[1s44c]

It's meaningless nonsense based on the flawed assumption that there is only one way to 'get it', hence the comparison with nyan cat which is also meaningless but comes with a catchy tune. You are trolling by insisting that there is more to it than total nonsense. Clearly you can't think for yourself if you repeat such rubbish just because you saw other people repeat it.

So Whoosh to you. You clearly don't get it.

Re:Whoosh

[Eponymous+Hero]

AAAAAAHHHHHHHHHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!!!!!!!!!!!!!!! HEHEHEHEHEHHEHEHhehehehehehehehe heheheh hehe heh. whew! that was funny! YOU, sir, are total, meaningless nonsense. the epitome of all such. does it provide meaning in your life to make "foes" on an internet forum? LMFAO!!! please don't cry, please, i don't want to have to explain this to your mother when she comes over tonight. hahahaha. fag.

look up the word MEME, retard, and then show me anything that defines a "nothing-meme." sources i'll take are wikipedia or your own bathroom mirror. you are so convinced you can change reality if you just squeeze your sphincter tight enough. little bitch.

whoosh is a meme! in this community! get over it! clearly thinking for yourself is what got you into this mess with me in the first place. if your brains were dynamite you couldn't blow the ass off a gnat. but hey it's not the end of the world if no one knows these stupid made-up terms you use, or that nobody gives a shit about your opinions of memes. nothing you could ever think up would ever become a meme. fuck, it wouldn't even qualify as a phage if you got bacteria to agree.

you're gonna go fuck yourself, and you're gonna fucking like it, bitch.

Re:Internet with middle boxes like sex with a cond

[Mr.+Jaggers]

Whoosh... ;-)

Re:Internet with middle boxes like sex with a cond

I'm posting this Anonymously so I can mod anyone who replies with 'whoosh' as a troll. 'Whoosh' was never funny.

Perhaps that is because you don't have a sense of humour, if you did you wouldn't have missed the obvious joke you replied to. Even if he didn't know what a condom was before his first kid, he certainly would have found out about it afterwards before his second (unless they were all conceived within a few months of each other), so yeah, it was a pretty obvious joke.

Re:Whoosh

[1s44c]

Tagging you as foe puts a red dot next to your name. I use this to tag microsoft marketers, GNAA trolls ( who rarely use the same ID anyway ), and people of sub-normal intelligence like yourself. I'd rather block all ID's over about a million but there isn't a good way to do this.

As for your page long rant above I gave up halfway though the first paragraph. I guess you only wrote it for your own emotional reasons anyway.

Re:Whoosh

[Eponymous+Hero]

no, moron. seriously? you throw around words like troll and then you keep taking the bait? i'm starting to get a conscience, you're so stupid. and the real reason you gave up reading is that you don't understand any words you can't pronounce when you mouth them as you read. you're an amoeba. kill yourself. but not before you reply one more time!!!! once more!!!!!!!!!!! if you don't, you're not american and you love goatse!!!!

so long and thanks for everything, fish.