[e2e] New approach to diffserv...
David P. Reed
dpreed at reed.com
Sun Jun 16 08:34:15 PDT 2002
At 11:26 AM 6/16/2002 -0400, Melinda Shore wrote:
>At 11:00 AM 6/16/02 -0400, David P. Reed wrote:
> >Not true. I think you'd find if the edges did a very simple thing
> >(encryption of all traffic), that network owners would *have* to involve
> >the edges in policy, and market forces would cause the network owners to
> >seek to please customers rather than control them.
>
>A really interesting thing is happening here. If you talk to
>people who run enterprise networks and explain to them that
>through the use of firewalls and NATs they're interfering with
>the ability to protect application traffic, they'll tell you
>that they know that and it's part of why they do it. They
>perceive a need to put tight controls on what goes out of their
>networks as well as what's permitted in, and it's not that
>uncommon to find businesses that even require the use of company
>proxies for outgoing ssh connections.
You are exactly right here. Corporate networking departments are NOT
interested in innovation. But that doesn't mean that the corporations
themselves are not interested in innovation. For example, the corporate
IT types initially resisted PCs running spreadsheets and word processors,
because they knew it was their job to do so, and they were right. But
just because it's their job doesn't mean that it is strategically right for the
company.
Ideally when confronted by novelty and innovation, the IT department SHOULD
attempt to determine if and how it could be good for the company. But
they don't, and their innate conservatism leads them to be wary. But
giving them the tools to control the parts of their company that *actually
create value* in their work (rather than just manage risk) is risky in itself.
So, for example, you find that IT departments have banned 802.11 everywhere
in their companies. Not because there are no benefits, but because they
refuse to trust the users to think through the risks (which are there) in
the context of the benefits. A MUCH better policy is to educate the users
on the risks of 802.11. But to do so would require the IT department to
point out the risks of their current security mechanisms, because they
don't use end-to-end encryption internally to the company. And as Jon
Crowcroft points out, most of the losses involve internal threats, not
external ones. And the holy corporate firewall does nothing for the
internal threats.
>End-to-end networking puts control into the hands of end users
>and their applications. The people who own the networks in
>question may not, in many, many cases, think that's a good thing.
What they think is irrelevant, if it is a good thing in fact.
>Melinda