[e2e] About the primitives and their value
Pekka Nikander
pekka.nikander at nomadiclab.com
Wed Aug 9 08:33:16 PDT 2006
>>> Receivers are inherently passive. To do otherwise makes them senders,
>>> subject to sender rules. To plug their inputs renders them deaf, period.
>>
>> However, put the first bridge or router there, and you have to make the
>> choice of making the box fully transparent or _not_. You can make the
>> box a "firewall", allowing the "receiver" to instruct the box of what
>> information it wants to receive, by default, and what not. Hence, once
>> you give up your fully-open network abstraction, stating that "receivers
>> are inherently passive" becomes a mere tautology.
>
> If you deploy a firewall, how does it know who to let in? It has to read
> the messages it receives. You have moved the triage problem to the
> firewall, and redefined the receiver to be it.
> ...
> Now show us a place to publish that is NOT open to all incoming pub/sub
> messages. ;-)
>
> Again, all this does is move the problem - and the opportunity for attack.
Sure, I completely agree.
The trick is to move the problem as close to the potential attacker
as possible.
If we make the first active box owned by somebody else but the
potential attacker the first "firewall", we have pretty much
contained the problem, including most of the zombies.
The problem lies in how to distribute the "firewall information"
within the network so that the firewall closest to the attack source
can and will both intelligently enough filter out all or at least
most of the unwanted traffic and pass all wanted traffic. That
problem, in turn, is not only a technical problem. It is technically
quite feasible to build a scalable pub/sub architecture, even to
Internet sizes. The real problem lies in the incentives: how do we
motivate the "firewall" next to the potential attacker to take the
burden of filtering out all traffic that does not have a known
willing receiver? That requires quite a lot of effort from the
firewall side, in order to establish the needed state. It is far
easier just to pass everything, as long as it doesn't fill the next
uplink.
So, at least from my point of view, the really hard problem is to
devise the new "routing" infrastructure protocols in such a way that
the ISPs benefit from collaboratively knowing which traffic is wanted
(by someone) and which is not. Furthermore, such controlling
capability must be balanced with the desired openness; i.e., we must
not unnecessarily shift any controlling power to the networking
elements and we must create incentive for them to still pass all
wanted traffic without discriminating some wanted traffic against other.
--Pekka