Benefits of Intermediate Network Elements like NAT, firewall, transparent cache
- NAT: private IP spaces allow protection, more hosts than available IPs
- Firewalls prevent attacks on end hosts
- security, flexibility, convenience
- exist for an "important and permanent reason"
- 1. "Every Internet entity has a unique network-layer identifier that allows others to reach it."
- 2. "Network elements should not process [the payload of IP] packets that are not addressed to them."
- middleboxes violate these two tenets, hence met with "scorn" and "dismay"
- halts spread of newer protocols, P2P systems
- layer violation, rigidity in network infrastructure, may not accommodate new traffic classes
- implement intermediaries without violating principles
- Extra DOA Header between IP and TCP
- Firewall does not need to be in the "physical path": hosts can "outsource" to "off-path" hosts; the end host has a primitive to choose a machine to delegate NAT or firewall functionality to
- DOA header has: 1. a reference to a persistent host identifier (in a globally flat name space, stays with the host even when its IP changes), 2. a way to resolve these references to the delegated machine
- does not require changes to IP (routers), allows incremental deployment
- but cannot: circumvent tenet-violating middleboxes (e.g. by a censorious government)
- persistent host identifier = EID (endpoint identifier): 160 bits, carries cryptographic meaning
- mapping service: EID -> IP of delegated host, or a list of EIDs (to chain several intermediaries, loose source-routing)
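A toy model of the EID and mapping-service ideas in the notes above, added here as an example (not code from the DOA paper): EIDs are assumed to be SHA-1 digests of a host's public key, the mapping service is a plain dictionary, and the resolver expands a destination EID into the ordered chain of delegate IPs while rejecting unknown EIDs and delegation loops.

```python
"""Toy model of DOA-style delegation: 160-bit EIDs, a mapping service, and resolution."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def make_eid(public_key: bytes) -> bytes:
    """Flat 160-bit EID derived from a host's public key (assumed: SHA-1 of the key)."""
    return hashlib.sha1(public_key).digest()


def eid_matches_key(eid: bytes, public_key: bytes) -> bool:
    """A host proves ownership of an EID by presenting the key that hashes to it."""
    return make_eid(public_key) == eid


@dataclass
class MappingRecord:
    """What the mapping service stores for one EID: the IP of the machine,
    plus the EIDs of intermediaries (firewall, NAT) that must be traversed first."""
    ip: Optional[str] = None
    delegates: List[bytes] = field(default_factory=list)


class ResolutionError(Exception):
    """Raised for unknown EIDs, delegation loops, or over-long chains."""


def resolve_path(eid: bytes, mapping: Dict[bytes, MappingRecord], max_hops: int = 8) -> List[str]:
    """Expand a destination EID into the loose source route of IPs a packet must visit:
    delegated intermediaries first (in order), the addressed host last."""
    path: List[str] = []
    seen: Set[bytes] = set()

    def walk(e: bytes) -> None:
        if e in seen:
            raise ResolutionError(f"delegation loop at EID {e.hex()}")
        if len(seen) >= max_hops:
            raise ResolutionError("delegation chain exceeds max_hops")
        seen.add(e)
        rec = mapping.get(e)
        if rec is None:
            raise ResolutionError(f"unknown EID {e.hex()}")
        for delegate in rec.delegates:  # resolve each intermediary before the host itself
            walk(delegate)
        if rec.ip is not None:
            path.append(str(ipaddress.ip_address(rec.ip)))  # validates the address form

    walk(eid)
    return path
```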
1 comment:
I always like the format you use for these comments! Any thoughts on whether the idea of outsourcing middlebox functions makes any sense?