Re: Number of Firewall/NAT Users

2001-01-23 Thread Keith Moore

  But you missed the point I was trying to make. In those days, the inability
  of the mail network (or at least parts of it) to support a single global
  address space was correctly recognized as a deficiency in the network -
  and people took action to solve the problem (notably deploying MX records).
 
 Which broke DNS.  We can no longer send an email to an IP number, mainly
 due to this myopic choice.  This choice also broke layer independence.

What the heck are you talking about?  Sending email to an IP address never 
was deprecated, and still works just fine...  not that it is now or ever 
was widely used.  Sending mail to domains with only A records works just 
fine also.  Folks who have native IP connectivity and don't want to set 
up MX records don't have to do so for their servers. 

There was a switch from HOSTS.TXT to DNS, but this had nothing to do with
MX records.  And not many people miss the days when everybody needed
to be in the HOSTS.TXT file in order to receive mail reliably.

Yes there are broken implementations that cannot send mail to IP addresses,
and cannot send mail to domains without an MX record.  But they are quite
clearly broken, and this is clear from both RFC 974 and the recent revision
to RFC 821/974 that is now in the RFC Editor's queue.  Don't confuse
broken implementations with bad design decisions.  

 It is time IMO for some at the IETF to stop pretending that the Internet 
 can be made into a homogeneous network.  

The Internet never has been homogeneous, and I don't know anyone who
has been around IETF very long who pretends that it is.  It has always, 
however, had some minimum standards for addressing and message format 
which not only allowed consenting folks to choose whatever other 
protocols and applications they wanted to run, but also allowed the 
same host and application software to be reused from anywhere in the 
network, and to reach well-known services from anywhere in the network.  

But take away that little bit of uniformity - really the minimum necessary -
and all bets are off.  People who use NATs - especially those using them
on a large scale - are discovering this the hard way.

 Cooperation is not a bunch of people doing the same things at the same 
 time, but different people doing different things at different times and 
 places, for the same objective. Likewise, standardization is not
 having the same rules for all at all places but having different rules that
 interoperate for the same objective.

The whole point of the Internet has always been to allow folks to run
any of a wide variety of networked applications they wanted to run.  
IP is fundamentally designed to give the maximum utility and flexibility
with a minimum of constraints on the networks and hosts supporting it.

By contrast, while folks can clearly do whatever they like with their 
own networks, folks that put NATs on their networks are limiting the 
set of applications that they can run.  Now maybe you're right that 
the existence of NATs is just another example of people doing what 
they like with their networks - just as they always have.  Maybe NATs
are the Internet's adolescence.  But just like adolescents don't always 
understand the consequences of their actions, neither do the folks who 
install NATs on their networks.

IETF cannot compel people to stop using NATs, and it shouldn't try.
But it can and should develop solutions to the problems that NATs 
purport to solve, which work better than NAT.




RE: Number of Firewall/NAT Users

2001-01-23 Thread Kyle Lussier


 It is time IMO for some at the IETF to stop pretending that the 
 Internet can be made into a
 homogeneous network.  It wasn't and it won't.  

IP address space will continue to tighten, exponentially increasing
the pain of dealing with such a small number of IPs.  Then throw in 200 
million cell phones with their own IP, and you network everything 
in your house, plus all the PDAs and other gadgets coming.

It is a horrid idea to start setting up NATs on cell phones,
on PDAs and only god knows what else will be plugged into the net
(I liked the IP-addressable coffee machine I saw that you could
telnet into).  Do you really want to put and configure a NAT in 
your coffee maker?

As the pain of limited IP address space tightens we'll move more
and more to IPv6 and it'll level itself out.  While NATs *work*
they are horribly inelegant.  I'm very much reminded of the days
when there was a PC limit of 640k RAM, and the manufacturers
placed all the video RAM and support stuff above 640k because
"no one would ever need it".  This caused huge problems for
years and years as we all fought to get back to an open address
space... if only, back then, we had invested in a good design.

As the pain of limited IP space increases, so shall we switch
and NATs will someday be no more.

The question is, how much will we inflict upon ourselves in the
pursuit of making NATs work?  I hope this time around we
fix the problem earlier.

Kyle Lussier
www.AutoNOC.com




test

2001-01-23 Thread B. Elzem Özgürce

test sorry





Re: Number of Firewall/NAT Users

2001-01-23 Thread Jon Crowcroft


o'dell's GSE draft addressed renumbering perfectly.

In message 5.0.2.1.2.20010123015631.02bbba30@localhost, "David R. Conrad" typed:

 Kyle,
 
 At 03:53 AM 1/23/2001 -0500, Kyle Lussier wrote:
 It is a horrid idea to start setting up NATs on cell phones,
 
 Hmm.  We should probably tell that to the existing 17+ million users of 
 i-Mode in Japan.  Better hurry as i-Mode is moving into Europe.
 
 (I liked the IP-addressable coffee machine I saw that you could
 telnet into).  Do you really want to put and configure a NAT in
 your coffee maker?
 
 I would imagine that you'd have a household gateway/NAT, not a NAT on every 
 device in your household (and I'd argue if you have to configure anything 
 network related on your coffee maker other than perhaps its name, something 
 is seriously wrong).
 
 As the pain of limited IP address space tightens we'll move more
 and more to IPv6 and it'll level itself out.
 
 IPv6 is not a magic wand.  Because v6 uses provider based addressing, 
 non-transit providers will still need to renumber in v6 as they do in 
 v4.  Renumbering can be expensive.  NATs are seen by many enterprises as a 
 way of removing the need to renumber should they change providers.  Until 
 the issue of renumbering is addressed, NATs will not go away.
 
 Rgds,
 -drc
 

 cheers

   jon




What happen to ip6.int ?

2001-01-23 Thread Rahmat M. Samik-Ibrahim


 http://www.ietf.org/internet-drafts/draft-ymbk-ip6-arpa-delegation-00.txt
 This document discusses the need for delegation of the IP6.ARPA DNS
 zone, and specifies a plan for the technical operation thereof.

Hello:

Does anyone know what happened to ip6.int?

regards,

-- 
Rahmat M. Samik-Ibrahim - VLSM-TJT - http://rms46.vlsm.org
 Gong Xi Fa Cai - Hong Bao Na Lai 




Re: What happen to ip6.int ?

2001-01-23 Thread Bill Manning

 Nothing. IP6.INT is used for non-bitstring labels, IP6.ARPA is intended
for use by bitstring labels. 


% 
% 
%  http://www.ietf.org/internet-drafts/draft-ymbk-ip6-arpa-delegation-00.txt
%  This document discusses the need for delegation of the IP6.ARPA DNS
%  zone, and specifies a plan for the technical operation thereof.
% 
% Hello:
% 
% Does anyone know what happen to ip6.int ?
% 
% regards,
% 
% -- 
% Rahmat M. Samik-Ibrahim - VLSM-TJT - http://rms46.vlsm.org
%  Gong Xi Fa Cai - Hong Bao Na Lai 
% 
% 


-- 
--bill




Again: Number of Firewall/NAT Users

2001-01-23 Thread Jiri Kuthan

Hello,

as the discussion departed from my original question to
the favorite discussion on NAT/IPv6/etc. architectural issues,
I would like to re-raise the question:

"Is anyone aware of any estimates of the fraction of Internet users
who are behind firewalls and NATs?"

Thanks,

Jiri




Re: Again: Number of Firewall/NAT Users

2001-01-23 Thread Frank Solensky

Jiri Kuthan wrote:
 
 Hello,
 
 as the discussion departed from my original question to
 the favorite discussion on NAT/IPv6/etc. architectural issues,
 I would like to re-raise the question:
 
 "Is anyone aware of any estimates of the fraction of Internet users
 who are behind firewalls and NATs?"

Before it goes off into DNS name administration:

None that I've heard of.  From the perspective of those inside the NAT
firewall, the fact that the outside world can't tell the size of the hidden
network is an advantage.

One could ask a sample of administrators and extrapolate the results
but, again, the problem becomes how confident you could be of the
results if you don't get a very significant response rate  (I tried
something like this a number of years ago when attempting to estimate
the proportion of assigned IPv4 addresses that were actually being used:
expect a healthy degree of skepticism if the queries are coming out of
the blue).

Even if that were possible or in a world without NATs, though: are you
assuming a 1:1 mapping between IP addresses and 'users'?  Between
mainframes in one direction and folks surrounded by multiple machines in
the other, which way do you go?  Is there a 'user' associated with a web
server; if so, what if you've got a load balancer in front?

-- Frank




Re: Again: Number of Firewall/NAT Users

2001-01-23 Thread Paul Hoffman / IMC

At 12:10 PM -0500 1/23/01, Frank Solensky wrote:
One could ask a sample of administrators and extrapolate the results
but, again, the problem becomes how confident you could be of the
results if you don't get a very significant response rate

The problem is *much* worse than that. You have to be confident that 
your sampling method actually reflects enough of the Internet to be 
valid. Determining how you have reached a valid sample of 
administrators would be an interesting problem. Further, it is safe 
to assume that administrators for the largest networks are the least 
likely to reply, or to reply accurately.

And then there is the problem of assuming that they understand your 
question, and can even count the systems on their networks well 
enough to answer accurately...

--Paul Hoffman, Director
--Internet Mail Consortium




Re: What happen to ip6.int ?

2001-01-23 Thread Bill Manning

% 
%  IP6.INT is used for non-bitstring labels, IP6.ARPA is intended
%  for use by bitstring labels. 
% 
% not exactly.  ip6.int is deprecated for any use as soon as ip6.arpa is
% delegated.
% 
% randy
% 


Tell that to hundreds of thousands of deployed resolvers.


-- 
--bill
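The two messages above argue about which reverse-mapping zone resolvers actually query. As an added illustration (not code from this thread or from any of its participants), the block below builds the nibble-format PTR owner name for an IPv6 address under either suffix and shows what a resolver sees when records have only been published under one of them. The nibble form shown is the one ip6.arpa ended up using (RFC 3152); the RFC 2673 bitstring-label form that Bill mentions is not implemented here. The zone data, the host name and the resolver configurations are constructed for the example.

```python
import ipaddress


def nibble_reverse_name(address, zone="ip6.arpa"):
    """Owner name for the PTR record of an IPv6 address in nibble format under `zone`.

    Each of the 32 hex digits becomes one label, least significant first, so
    2001:db8::1 under ip6.arpa is
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
    """
    ip = ipaddress.IPv6Address(address)
    hex_digits = format(int(ip), "032x")  # keep leading zeros: always 32 digits
    return ".".join(reversed(hex_digits)) + "." + zone + "."


def ptr_lookup(address, zone_data, zones):
    """Resolver stand-in: try each zone suffix in order, return the first PTR found.

    `zone_data` is a constructed dict of owner name -> PTR target standing in for
    the reverse tree; `zones` lists the suffixes this particular resolver knows to try.
    Returns (owner_name, target) or None.
    """
    for zone in zones:
        name = nibble_reverse_name(address, zone)
        if name in zone_data:
            return name, zone_data[name]
    return None


# Constructed reverse-tree data. LEGACY_ONLY is an operator who has published
# under ip6.int only (the deployed base Bill points at); MIGRATED has records
# under ip6.arpa and, for the transition period, still under ip6.int.
LEGACY_ONLY = {nibble_reverse_name("2001:db8::1", "ip6.int"): "host.example."}
MIGRATED = {
    nibble_reverse_name("2001:db8::1", "ip6.arpa"): "host.example.",
    nibble_reverse_name("2001:db8::1", "ip6.int"): "host.example.",
}

# Three constructed resolver behaviours.
ARPA_ONLY_RESOLVER = ("ip6.arpa",)
TRANSITION_RESOLVER = ("ip6.arpa", "ip6.int")  # new zone first, fall back to the old one
LEGACY_RESOLVER = ("ip6.int",)

if __name__ == "__main__":
    print(nibble_reverse_name("2001:db8::1"))
    for zones in (ARPA_ONLY_RESOLVER, TRANSITION_RESOLVER, LEGACY_RESOLVER):
        print(zones,
              ptr_lookup("2001:db8::1", LEGACY_ONLY, zones),
              ptr_lookup("2001:db8::1", MIGRATED, zones))
```

A resolver that only knows ip6.arpa gets nothing back for an operator who has not migrated, and a resolver hard-wired to ip6.int keeps working only as long as operators keep publishing duplicates there; that is the gap between "deprecated on delegation" and "hundreds of thousands of deployed resolvers".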




Re: Again: Number of Firewall/NAT Users

2001-01-23 Thread Brian E Carpenter

Exactly. More or less by definition, since NATs and firewalls hide
stuff, we can't possibly measure the stuff they hide.
And since they are hiding stuff for good reason, administrators
more or less by definition will not answer accurately. So it can't
be measured.

My hand waving estimate is that 40% (160M) of users are behind a firewall
and/or NAT, 50% (200M) on dial-up, and 10% (40M) have direct always-on access.
But there is no way I can justify these numbers.

  Brian

Paul Hoffman / IMC wrote:
 
 At 12:10 PM -0500 1/23/01, Frank Solensky wrote:
 One could ask a sample of administrators and extrapolate the results
 but, again, the problem becomes how confident you could be of the
 results if you don't get a very significant response rate
 
 The problem is *much* worse than that. You have to be confident that
 your sampling method actually reflects enough of the Internet to be
 valid. Determining how you have reached a valid sample of
 administrators would be an interesting problem. Further, it is safe
 to assume that administrators for the largest networks are the least
 likely to reply, or to reply accurately.
 
 And then there is the problem of assuming that they understand your
 question, and can even count the systems on their networks well
 enough to answer accurately...
 
 --Paul Hoffman, Director
 --Internet Mail Consortium




RE: Again: Number of Firewall/NAT Users

2001-01-23 Thread David Higginbotham

Just a brief review of local administrator peers at small and medium
businesses (+/- 10 admins/business, avg 25 to hosts per/ea) is 100% with
'always on' connectivity behind firewall and NAT.  Very small sample, but 100%
is significant.
David H

-Original Message-
From: Brian E Carpenter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 23, 2001 3:10 PM
To: Paul Hoffman / IMC
Cc: Frank Solensky; Jiri Kuthan; [EMAIL PROTECTED]
Subject: Re: Again: Number of Firewall/NAT Users


Exactly. More or less by definition, since NATs and firewalls hide
stuff, we can't possibly measure the stuff they hide.
And since they are hiding stuff for good reason, administrators
more or less by definition will not answer accurately. So it can't
be measured.

My hand waving estimate is that 40% (160M) of users are behind a firewall
and/or NAT, 50% (200M) on dial-up, and 10% (40M) have direct always-on
access.
But there is no way I can justify these numbers.

  Brian

Paul Hoffman / IMC wrote:

 At 12:10 PM -0500 1/23/01, Frank Solensky wrote:
 One could ask a sample of administrators and extrapolate the results
 but, again, the problem becomes how confident you could be of the
 results if you don't get a very significant response rate

 The problem is *much* worse than that. You have to be confident that
 your sampling method actually reflects enough of the Internet to be
 valid. Determining how you have reached a valid sample of
 administrators would be an interesting problem. Further, it is safe
 to assume that administrators for the largest networks are the least
 likely to reply, or to reply accurately.

 And then there is the problem of assuming that they understand your
 question, and can even count the systems on their networks well
 enough to answer accurately...

 --Paul Hoffman, Director
 --Internet Mail Consortium




Re: Number of Firewall/NAT Users

2001-01-23 Thread ned . freed

  There was even an analogy to NAT's "addresses embedded in the application data
  stream" problem: if you had an address in your .signature, the gateway couldn't
  translate it, so the person receiving your message saw an address they couldn't
  use.

 I liked even better the horror story of the gateway that tried.

 until someone wrote "this gateway translates [EMAIL PROTECTED] into
 [EMAIL PROTECTED]", and it came out to the recipient as
 "this gateway translates [EMAIL PROTECTED] into
 [EMAIL PROTECTED]"... which somehow failed to get the point
 across.

I've actually seen this happen. Mail system configuration files sent to us from
behind such a gateway were curiously corrupt when they reached us, and when we
fixed them and sent them back the errors were in what was received... Turned
out that someone took the corporate mandate to "remove all references to our
old name" a bit too seriously.

If memory serves, we used ROT13 to get around the translation, since
administrative turfs were such that an actual fix for the problem wasn't
possible.

Ned
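The gateway story above is the mail-era version of NAT's "addresses embedded in the application data stream" problem: a box that rewrites identifiers in transit cannot tell an address it is meant to translate from data that merely mentions one. As an added example (not code from this thread or from Ned's mail system), the block below contrasts a gateway that rewrites the whole message with one that touches only the header block, and shows why wrapping the payload in ROT13 kept it out of the rewriter's reach. The domain names and the sample message are constructed for the example.

```python
import codecs

# Constructed placeholder domains standing in for the "old name" and "new name".
OLD_DOMAIN = "oldco.example"
NEW_DOMAIN = "newco.example"


def naive_gateway(message):
    """Rewrite every occurrence of the old domain, headers and body alike.

    This is the gateway in the story: it cannot distinguish an address it is
    supposed to translate from text that talks about addresses, so any body that
    mentions the old name is silently altered and the original is unrecoverable.
    """
    return message.replace(OLD_DOMAIN, NEW_DOMAIN)


def header_only_gateway(message):
    """Rewrite only the header block; the body is application data and passes untouched."""
    headers, separator, body = message.partition("\n\n")
    return headers.replace(OLD_DOMAIN, NEW_DOMAIN) + separator + body


def rot13(text):
    """ROT13 is its own inverse. Wrapping the payload in it means the gateway never
    sees the literal string it is looking for, which is the workaround Ned describes."""
    return codecs.encode(text, "rot_13")


def body_survives(gateway, message):
    """True if `gateway` leaves the message body intact (an integrity check a
    sender could run before trusting a path through a rewriting middlebox)."""
    original_body = message.partition("\n\n")[2]
    return gateway(message).partition("\n\n")[2] == original_body


# Constructed sample: the body explains the very translation the gateway performs.
SAMPLE = (
    "From: ann@oldco.example\n"
    "To: bob@partner.example\n"
    "Subject: gateway behaviour\n"
    "\n"
    "This gateway translates ann@oldco.example into ann@newco.example.\n"
)

if __name__ == "__main__":
    print(naive_gateway(SAMPLE))
    print(header_only_gateway(SAMPLE))
    print(rot13(naive_gateway(rot13(SAMPLE))) == SAMPLE)
```

The lesson for NAT ALGs is the same: once a middlebox rewrites inside a payload it does not fully parse, it can only be correct by accident, and applications end up working around it rather than through it.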




Re: What happen to ip6.int ?

2001-01-23 Thread Rahmat M. Samik-Ibrahim

Patrik Fältström wrote:

 http://www.ietf.org/internet-drafts/draft-ymbk-ip6-arpa-delegation-00.txt
 [...]
  See http://www.iab.org/iab/DOCUMENTS/statement-on-infrastructure-domains.txt

I would like to suggest -- just like in RFC 3026 -- adding to the references
of draft-ymbk-ip6-arpa-delegation-00.txt:

X. IAB, "IAB Technical Comment on the Unique DNS Root", RFC 2826,
 May 2000.

Since we never know who is going to read an RFC, how about adding
the URL to the reference (e.g. http://www.ietf.org/rfc/rfc2826.txt )?


regards,

-- 
Rahmat M. Samik-Ibrahim - VLSM-TJT - http://rms46.vlsm.org
 Gong Xi Fa Cai - Hong Bao Na Lai 




Re: Number of Firewall/NAT Users

2001-01-23 Thread Keith Moore

Ed,

Without getting too long-winded:

- I think you're overstating the degree to which the Internet
  protocols depend on DNS (with the notable exception of NATs 
  that use DNS ALG to fake things out).  Users who aren't 
  behind NATs can still use IP addresses directly if they want to,
  and more importantly, so can their applications.

  Sending email to moore@[128.169.94.1] works just fine, and has
  worked just fine for at least 14 years.

- The flaws in DNS notwithstanding, I think you're grossly 
  understating the tremendous advantage that DNS brings to the 
  Internet.  Name-to-address mapping (via HOSTS.TXT and other
  schemes) was regarded as an essential service even before DNS;
  DNS made the job a lot more manageable and has survived, what - 
  four to five orders of magnitude of growth in Internet user 
  population?  Without DNS or something like it, the Internet 
  would never have been anywhere nearly this successful.

- A service that maps names of distant resources to addresses 
  is not a local problem by any stretch of the imagination.

- I agree that the Internet architecture should not depend on DNS,
  but that doesn't mean that DNS is not an essential service.
  We might disagree about the reasons that the architecture should
  not depend on DNS - I would say that we need to be able to build
  other name lookup services that work alongside DNS (rather than 
  having to go through the existing DNS protocol) either because
  they are providing a very different service or because we might
  want to replace DNS someday.  And applications which don't work well 
  through DNS due to performance reasons should not be constrained to 
  have to use it.

- You're grossly overstating ICANN's authority or responsibility
  in either DNS name or IP address assignment, and also the degree 
  to which IETF was able to influence the structure of ICANN.

Keith
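Keith's two messages in this thread make the same point twice: sending to an address literal such as moore@[128.169.94.1] needs no DNS at all, and a domain with only an A record is still deliverable because the domain itself is its implicit mail exchanger; an MTA that refuses either case is broken, not the design. As an added example (not code from this thread or from any participant's MTA), the block below implements the RFC 974 / RFC 2821 target-selection rules a sender should follow. The DNS table, domain names and addresses are constructed stand-ins so that the block runs offline; `fake_resolve` is the hypothetical lookup hook a real implementation would replace with an actual resolver.

```python
import ipaddress
import re

# Constructed stand-in for DNS: name -> {"MX": [(preference, host)], "A": [address]}.
# All names and addresses are invented for this example; no network lookups happen.
FAKE_DNS = {
    "mx-only.example": {"MX": [(20, "backup.mx-only.example"),
                               (10, "primary.mx-only.example")]},
    "primary.mx-only.example": {"A": ["192.0.2.10"]},
    "backup.mx-only.example": {"A": ["192.0.2.20"]},
    "a-only.example": {"A": ["198.51.100.5"]},                    # no MX record at all
    "dangling.example": {"MX": [(10, "ghost.dangling.example")]},  # MX host has no A record
}


def fake_resolve(name, rtype):
    """Look a name up in the constructed table; an unknown name yields an empty answer."""
    return list(FAKE_DNS.get(name, {}).get(rtype, []))


# Matches "[128.169.94.1]" or "[IPv6:2001:db8::1]": an address literal as the domain part.
ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]$")


def delivery_targets(recipient, resolve=fake_resolve):
    """Return the ordered (host, address) pairs an SMTP client should try for `recipient`.

    Rules, as in RFC 974 / RFC 2821:
      1. An address literal needs no DNS at all; connect to that address.
      2. If the domain has MX records, try the exchangers in ascending preference order.
      3. If it has no MX records, treat the domain itself as its own mail exchanger
         (the implicit MX) and use its A record.
    A sender that refuses cases 1 or 3 is the kind of broken implementation the
    thread complains about.
    """
    local_part, at, domain = recipient.rpartition("@")
    if not at or not local_part or not domain:
        raise ValueError(f"not a mailbox: {recipient!r}")

    literal = ADDRESS_LITERAL.match(domain)
    if literal:
        # ip_address() raises ValueError for a malformed literal such as [999.1.1.1].
        address = ipaddress.ip_address(literal.group("ip"))
        return [(domain, str(address))]

    mx_records = resolve(domain, "MX")
    if mx_records:
        # Lowest preference value first. RFC 974 says equal-preference exchangers
        # should be tried in random order; sorting on the host name as a tiebreak
        # keeps this example deterministic.
        exchangers = [host for _pref, host in sorted(mx_records)]
    else:
        exchangers = [domain]  # implicit MX

    targets = []
    for host in exchangers:
        for address in resolve(host, "A"):
            targets.append((host, address))
    if not targets:
        raise LookupError(f"no mail exchanger for {domain!r} resolves to an address")
    return targets


if __name__ == "__main__":
    for mailbox in ("moore@[128.169.94.1]", "user@mx-only.example", "user@a-only.example"):
        print(mailbox, "->", delivery_targets(mailbox))
```

The dangling case is worth keeping in mind when auditing an MTA: an MX record whose target has no address is a configuration error on the receiving side, and a sender should fail with a clear diagnostic rather than silently fall back to the domain's own A record, which RFC 974 does not permit once MX records exist.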