End-to-End Arguments: Networking’s Vestigial Rule of Thumb
Micah Beck
mbeck@utk.edu
Associate Professor, University of Tennessee, Knoxville
Dec 7, 2024

The notion of an End-to-End Principle emerged as an answer to the question of why the generation of layered systems that were becoming dominant in the 1980s (notably including the Internet) were so successful. The intent was not only to explain the developments of that decade but to also act as a guide to maintaining that success and to designing future system architecture.

Attempts to state a single principle that covered many different systems and fields of application proved frustrating. But in each layered system there was a similar argument that could be applied, and they all “rhymed”. This led to the idea that there were a class of similar “end-to-end arguments” that could be applied in the different cases. The classic paper “End-to-End Arguments in System Design” by Jerry Saltzer, David Reed and David Clark sought to capture and express this overarching way of reasoning. [J. H. Saltzer, D. P. Reed, and D. D. Clark. 1984. End-to-end arguments in system design. ACM Trans. Comput. Syst. 2, 4 (Nov. 1984), 277–288]

The end-to-end arguments paper expresses a “rule of thumb” which has for decades had an outsized impact on the design of the Internet Architecture as standardized by the Internet Engineering Task Force. Stated in the paper, the test as to whether a “function” should be implemented as part of the communication layer of a system is that:

“The function in question can completely and correctly be implemented only with the knowledge and help of the application standing at the end points of the communication system. Therefore, providing that questioned function as a feature of the communication system itself is not possible. (Sometimes an incomplete version of the function provided by the communication system may be useful as a performance enhancement.)”

There are many issues which make this statement hard to evaluate and apply. Some are:

• How is a “function” of a system defined? What is the form of its specification?
• How can the “completeness and correctness” of the implementation of a function be evaluated?
• What are the end points of a communication? In networking, is it the delivery of data to a network interface card? Or is it the delivery of data to an application process? Or perhaps the sensory perception of data by an end user (e.g. visualization)?
• How can the impossibility of implementing a particular function as a feature of the communication system be determined?
• How can the utility of the implementation of an “incomplete” version of a function be evaluated?
• Do these arguments apply to components other than the communication system?

The end-to-end paper does not define these terms or provide a uniform way of making the various judgements that it calls for. Instead it offers a number of examples which are meant to illustrate the class of arguments. None of these are presented in a formal manner that allows for rigorous evaluation.

As this paper will explain, the continued influence of end-to-end arguments has contributed to the field of networking being regulated on the basis of informal interpretation and anecdotal analysis. This has in turn been a major reason for the stagnation of network architecture. Breaking from this stale orthodoxy, industry now proceeds with no real reference to understandable and reliable design principles, steered only by the market.

In the decades since the publication of the end-to-end paper, it has been interpreted in a variety of ways by its authors and others. Such interpretation has often been controversial, with different individuals reaching different conclusions. In some cases, a common interpretation of what end-to-end requires or prohibits turns out not to be at all predictive of what the networking community will accept, or how the stability and growth of the network will be impacted.

One of the most notable disagreements was over the acceptability of implementing Network Address Translation (NAT) within Internet routers to overcome the problem of IPv4 address space exhaustion. This was denounced by end-to-end purists as a development that would have a very negative impact on the stability and manageability of the Internet. Because NAT blocks peer-to-peer communication among many endpoints, it breaks the symmetry of the Internet (connectivity between any source and destination). Symmetry had traditionally been held out as a key virtue that distinguishes the Internet from many other wide area infrastructures. Some sought to tie symmetry to the appealing idea of democracy and openness within the Internet. While many find the impact of NAT on the Internet to be disturbing, the fact is that it has been widely accepted and standardized, without compromising the stability and manageability of the Internet. To the contrary, NAT is now often used even within IPv6 networks, where address exhaustion is not an issue.

In other cases, the authors of the end-to-end paper have been called on to bless the implementation within the network of functions that are actually quite complex. An important example was a paper [J. H. Saltzer, D. P. Reed, and D. D. Clark, Commentaries on Active Networking and End-To-End Argument, IEEE Network 12, 3 (May/June 1998) pages 69-71. https://web.mit.edu/saltzer/www/publications/endtoend/ANe2ecomment.pdf] authored by all three of them providing an explanation for why Active Networking, which moved the implementation of some processing to network routers, could be viewed as compatible with the teachings of the original end-to-end paper. Another is [Blumenthal, Marjory & Clark, David. (2001). Rethinking the Design of the Internet: End to End Arguments vs. the Brave New World. ACM Transactions on Internet Technology. 1. 70-109].

These commentaries provided a different view of the impact of implementing programmability within the network, focusing on the question of maintaining transparency and resilience rather than on keeping the functionality of the network as limited as possible. This has more recently been interpreted as focusing solely on interoperability rather than on simplicity and weakness, although the above-mentioned commentary does emphasize those characteristics. Various forms of Active Networking were implemented; but like so many extensions to the Internet, they were not widely adopted. Active Networking is now widely seen to have failed precisely because of the complexity and specificity of the functionality it added to the communication system.

Today, the end-to-end arguments are widely ignored in enterprise networking, and are said by some to “no longer be valid”. This is an odd claim, since if there was ever a valid reason for the arguments, then something basic must have changed to invalidate them. No such explanation is offered. Instead, industry is blithely developing solutions which can solve problems in private networks, sometimes at great expense, without regard for the appropriateness of those solutions in the public shared Internet. The idea seems to be that some of those solutions might “catch on” in spite of the protestations of the end-to-end purists, who are increasingly seen as out of touch, as was the case with NAT. The attempt at design discipline has thus been displaced by trial-and-error.

While the end-to-end arguments may be unprovable and imprecise “rules of thumb”, the continued attempt to apply them to Internet standards and system architecture has nonetheless seen considerable success. This could be coincidence, or a case of confirmation bias (ignoring contrary evidence). Or it could be that there is a valid design principle which sometimes correlates with common interpretations of end-to-end arguments, giving them continued plausibility and contributing to a culture of orthodoxy. Confirmation bias has been a factor in phenomena such as the acceptance of Astrology and belief in the healing powers of religious relics. However, many other prescientific beliefs had some correlation with valid scientific phenomena. One example was Alchemy, which benefited from its commonality with the scientifically valid field of Chemistry. Another is the administration of traditional herbal remedies, which included remedies such as aspirin, whose composition and biological effects are now much better understood.

There is a design principle - minimal sufficiency - which is “sound” in that an abstract version of it can be proved formally (the Hourglass Theorem) and which may very well explain at least some of the cases in which end-to-end arguments are considered to have been successfully applied. [Micah Beck. 2019. On the hourglass model. Commun. ACM 62, 7 (July 2019), 48–57] Minimal sufficiency diverges from the common interpretation of end-to-end arguments in some cases, such as Network Address Translation, where the latter have not proven to be predictive. One interpretation of this is that the apparent power of end-to-end arguments may lie in their approximation of the valid principle of minimal sufficiency.

The Hourglass Theorem applies to any system with three layers. The layering is assumed to be strict, meaning that the top layer is implemented using only the services of the middle one and cannot access the lower layer directly. The services of each layer are described by a formal specification, to enable us to talk about what guarantees it makes. The Hourglass Theorem states that, if we compare two such systems A and B, with the middle layer of A being weaker (making fewer guarantees) than that of B, then

• The upper layer (class of possible applications) of B contains the upper layer of A, and
• The lower layer of A (class of possible supporting implementations) of A contains that of B.

As discussed in the paper “On the Hourglass Model”, the implication of this theorem is that, given a class of “necessary applications”, choosing the middle layer that is weakest (makes the fewest guarantees) results in the largest class of possible supporting implementations. We call this the principle of minimal sufficiency. It is important to note that this principle does not apply directly to every practical scenario. One reason is that the relative strength of layer specifications is not a total order - many pairs of specifications are incomparable with respect to strength, and some are equivalent. However the effect described does seem to apply (at least approximately) in a wide variety of cases. Another reason is that the factors that determine the success of any system design is complex, and minimal sufficiency may not always be the controlling one.

It is easy to see how the application of end-to-end arguments could result in the choice of a weak middle layer when that layer is a communication system. Ruling out the implementation of complex functionality within the middle layer will tend to result in a weak middle layer. The principle of minimal sufficiency then predicts that this will result in a system which can be supported by a wide variety of implementations which will have different characteristics. This may be an important factor in the success of those systems, such as the Internet.

On the other hand, it is also easy to see that removing the guarantee of global reachability from the Internet (one important reason that NAT was thought to be a bad idea) has the effect of weakening the specification of that network. This means that an Internet that allows for NAT has a wider variety of potential implementations. This may have contributed to its widespread adoption and success of NAT, in spite of the limitations that it imposes on application architecture. The global networking community has successfully adapted to the resultant bifurcation between services that can operate within a NATed subnetwork and those that require symmetric IP routing.

End-to-end arguments are widely ignored by industry, and increasingly by developers of modern networking technologies, such as Network Function Virtualization and Remote Direct Memory Access. Trial-and-error has largely replaced attempts at formal design which seeks to maximize deployment scalability. Such unconstrained experimentation proceeds in the hope that sufficiently compelling functionality can overcome the expense and difficulty of implementation at global scale. Disillusionment with the lack of predictive power of the end-to-end arguments, which were so forcefully promoted for decades, has led to a disinclination to follow any newly proposed design principle. In spite of emerging from the classical Internet, modern enterprise network architectures (including Cloud networks) increasingly implement wide area infrastructure as a set of large, private networks rather than a single, unified and shared public one.

But end-to-end orthodoxy lives on within the network research and traditional Internet architecture communities. Today, any suggestion of an evolutionary path for Internet Architecture must deal with the question of how it can be squared with end-to-end arguments. Since there is no authoritative interpretation of those arguments, this can result in an objection by any reviewer with sufficient personal authority.

Evidence for the way that end-to-end orthodoxy makes itself felt in the network research community can be found in two recent papers.

• Together with a long list of network research luminaries, Scott Shenker has proposed Extensible Internetworking (EI), which would place new network functionality at servers positioned at the edge of the wide area network core. [Hari Balakrishnan, Sujata Banerjee, Israel Cidon, David Culler, Deborah Estrin, Ethan Katz-Bassett, Arvind Krishnamurthy, Murphy McCauley, Nick McKeown, Aurojit Panda, Sylvia Ratnasamy, Jennifer Rexford, Michael Schapira, Scott Shenker, Ion Stoica, David Tennenhouse, Amin Vahdat, and Ellen Zegura. 2021. Revitalizing the public internet by making it extensible. SIGCOMM Comput. Commun. Rev. 51, 2 (April 2021), 18–24.] A recent version of this proposal contains an extensive discussion of whether this proposal runs counter to the end-to-end arguments. The explanation of why increasing the functionality of the communication system is allowable refers to the explanation given for Active Networking (which holds that increasing network functionality is allowable if it is sufficiently uniform, and does not give rise to a lack of interoperability). It is worth remembering that Active Networking was an architectural direction that did not succeed in achieving widespread deployment.
• Jennifer Rexford (who was a coauthor of the original EI white paper) and Pamela Zave recently published a book on “The Real Architecture of the Internet”. It proposes Compositional Networking, a logical framework for describing and reasoning about the creation of services that do not correspond to the current layers of the Internet Architecture. These services are implemented within the communication system and enable with new functionality.  Like the EI paper, this book cites the end-to-end authors’ comments on Active Networking to square such generalization with the end-to-end arguments.

An anonymous reviewer of the paper “On the Hourglass” that introduced minimal sufficiency and used NAT as an example objected forcefully that “it is well known that Network Address Translation destroys end-to-end”. While that reviewer did not prevent the paper’s publication, other recent papers have failed peer review due to such objections based in orthodoxy. Objections based on end-to-end arguments are often raised in forums like the Internet Architecture Board to criticize innovative network design. Remember that the status of end-to-end arguments as scientific theory is similar to Alchemy or medical bloodletting - informal, intuitive and anecdotal. While sometimes having a loose correlation with desired outcomes, the justification for giving continued credence to end-to-end arguments is unclear.

The principle of minimal sufficiency suggests possible ways forward in the development of global shared information infrastructure which differs radically from the current network architecture. [M. Beck, "Deployment Scalability in Exposed Buffer Processing," 2020 IEEE 17th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), Delhi, India, 2020, pp. 211-219] Minimal sufficiency creates a problem for end-to-end purists because it implies that success may be achieved in the further evolution of the global digital infrastructure in ways which directly contradicts the tenets of their orthodoxy.

Saying “no” is an important part of defining and defending community standards. The virtues of “simplicity” and “minimality” have been extolled by philosophers and mathematicians since Aristotle. In my time at Bell Laboratories in the 1980s, I heard stories (possibly apocryphal) about how, when application developers came to the Unix Development Group to ask for extensions to the Unix kernel, it was Ken Thompson’s job to say “no”. The Internet Architecture Board, led for decades by David Clark, similarly vetoed many proposed extensions to networking standards.

In the networking community, the end-to-end rule of thumb has been a powerful tool for saying “no”. The fact that its precise interpretation is obscure has allowed it to be used to amplify the authority of those who claim to understand it (argument from authority). The result has been to maintain a remarkable level of interoperability in the public Internet, while at the same making it increasingly less useful in the core of private networks.

Minimal sufficiency is a valid design principle that can form a common basis for reasoning about the implications of extending the functionality of standards at all layers. Wider understanding and discussion of the trade-off described by the Hourglass Theorem may help guide the creation of a more general shared wide area infrastructure that still exhibits high deployment scalability and widespread voluntary acceptance