IPv6: Time to Return to the End-to-end principle?

With the advent of increasing IPv6 deployment, there are a significant number of experts who think it is time to return to the end-to-end principle for the Internet. Mr. Cheswick, tear down that firewall! Security belongs in the host, not the network, and we are losing significant opportunities for network innovation when we don't allow all machines to talk to each other.

Some have carried this longing for the Original Intent of the Internet for decades. Proxies at any level, circuit or application, block new technologies. They are obstacles to progress, and to the Next Great Internet Service. And they are right. When I ran an early firewall at Bell Labs, new services were always an issue. Could the techniques I had implemented be applied to some new service? In many cases, they could, but in some, they couldn't, and the researcher and his new service ended up outside the firewall.

This was a tough line to walk. One doesn't want to stop innovation, especially at a research lab. On the other hand, some of these external machines were hacked, potentially exposing the company to ridicule and perhaps liability.

Now, the argument goes, hosts are much more secure. They have their own internal firewalls. They have grown calluses from years of attacks. Our systems are MacOS, Win7, and Linux, and are updated as needed. The low-hanging fruit is in the old IPv4 systems. Cast off your firewalls!

Their conclusion: we don't need firewalls any more. My instant response is that they have lost their minds: of course you still need networked firewalls for many classes of computers, and we are going to need an IPv6 version of NAT (I call it "address whitening") as well.

Neither conclusion is necessarily correct. They both make sweeping cost/benefit analyses that cannot be properly applied en masse. There are hosts that don't need firewalls: I have run several for over 15 years. And, with care, one can run current clients somewhat safely. Malware is often invited into a machine, like Buffy's vampires. It used to get injected through weak network services, which are certainly scarcer.

But firewalls don't just keep evil out; they can help keep it from escaping. A firewall can detect and block infection probes and spam transmissions. They are also a good point for blocking some kinds of denial-of-service attacks.

And for some applications, doing without a firewall is out of the question. The people who run our military networks wouldn't think of skinny-dipping on the Internet. They have shown immediate interest in IPv6 address whitening, not only for client security, but also to frustrate traffic analysis for outgoing queries. In some implementations, IPv6 even leaks MAC addresses!
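The MAC leak mentioned above comes from stateless address autoconfiguration building the low 64 bits of an address from the interface's hardware address (the modified EUI-64 scheme of RFC 4291). The following is an added example, not code from the original post: it builds such an address from a MAC, recovers the MAC from an address that carries the telltale ff:fe marker, and, as the host-side alternative to network-level address whitening, generates a randomized interface identifier in the style of RFC 4941 privacy extensions. The MAC address and the 2001:db8::/32 prefix are constructed sample values.

```python
"""
Added example: how a SLAAC/EUI-64 IPv6 address embeds the MAC address,
how to recover the MAC from such an address, and how a randomized
(RFC 4941 style) interface identifier avoids the leak.
Sample MAC and prefix below are constructed, not taken from any real host.
"""
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC.

    RFC 4291 appendix A: split the MAC into OUI and device halves, insert
    0xfffe between them, and flip the universal/local bit (0x02 of byte 0).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as SLAAC does
    when privacy extensions are not enabled."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Return the embedded MAC (colon-separated hex) if the address looks
    EUI-64 derived, else None. The 0xfffe filler in the middle of the
    interface identifier is the marker an observer looks for."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """Randomized interface identifier in the manner of RFC 4941:
    64 random bits with the universal/local bit cleared, so the address
    carries no hardware identity and changes whenever regenerated."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("privacy addresses are formed on a /64 prefix")
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02: 'locally administered', not a real MAC
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


def scan_for_leaks(addresses):
    """Map each address to the MAC it leaks, for addresses that leak one.
    Useful over a log or a neighbour table to see which hosts run
    without privacy extensions."""
    return {a: mac_from_address(a) for a in addresses if mac_from_address(a)}


if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"          # constructed
    leaking = slaac_address("2001:db8:1:2::/64", sample_mac)
    hidden = privacy_address("2001:db8:1:2::/64")
    print("EUI-64 address:", leaking, "-> MAC", mac_from_address(str(leaking)))
    print("privacy address:", hidden, "-> MAC", mac_from_address(str(hidden)))
    print(scan_for_leaks([str(leaking), str(hidden), "2001:db8::1"]))
```

Run over a neighbour table or a web server log, `scan_for_leaks` shows which clients are advertising their hardware address to every site they visit; those are the hosts whose traffic can be correlated across networks and prefixes, which is exactly the traffic-analysis concern raised above.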

So, I fear that many are well-advised to continue using firewalls. Since IPv6 deployment will require duplication of all the IPv4 firewall rules, this is a fine opportunity to rethink these rules and the role of the firewall, especially in intranet deployments. But for now, I will not be running Win7 on the open Internet.