Syslog inquiry, TAG delimiters.

[Johan Bosaeus]

Hello,
We got a problem interpreting the RFC 3164 and we would appreciate any 
comments of the issue of what is a valid TAG delimiter.

First, last part of section 4.1.3 states:

   The MSG part has two fields known as the TAG field and the CONTENT
   field.  The value in the TAG field will be the name of the program or
   process that generated the message.  The CONTENT contains the details
   of the message.  This has traditionally been a freeform message that
   gives some detailed information of the event.  The TAG is a string of
   ABNF alphanumeric characters that MUST NOT exceed 32 characters.  Any
   non-alphanumeric character will terminate the TAG field and will be
   assumed to be the starting character of the CONTENT field.  Most
   commonly, the first character of the CONTENT field that signifies the

   conclusion of the TAG field has been seen to be the left square
   bracket character ([), a colon character (:), or a space
   character.  This is explained in more detail in Section 5.3.

This part implies that space is a legal character to terminate a TAG with. 
However, further down in the text, section 5.4 Examples, you will find:


   Use the BFG!

   While this is a valid message, it has extraordinarily little useful
   information.  This message does not have any discernable PRI part. It
   does not contain a timestamp or any indication of the source of the
   message.  If this message is stored on paper or disk, subsequent
   review of the message will not yield anything of value.

   This example is obviously an original message from a device.  A relay
   MUST make changes to the message as described in Section 4.3 before
   forwarding it.  The resulting relayed message is shown below.

13Feb  5 17:32:18 10.0.0.99 Use the BFG!

   In this relayed message, the entire message has been treated as the
   CONTENT portion of the MSG part.  First, a valid PRI part has been

This implies that space is not a valid delimiter. So in this case, the TAG 
field is absent. In my ears this sounds as a better approach? But how do I 
approach this? 

   Regards,
   Johan Bosaeus

Weird Solutions AB 

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[Lars-Erik Jonsson \(LU/EAB\)]

 From: Michel Py [mailto:[EMAIL PROTECTED]
 Unfortunately some protocol purity zealots still have to realize
 that Linksys, Netgear, Belkin and consorts don't sell NAT boxes
 because they think NAT is good, they sell NAT boxes because
 consumers want to buy them. 

I do not think consumers in general want to buy NAT boxes, but
they are forced to do so by ISP's who do not give them a choice.

When not even those of us who can differentiate between different
Internet connections by other means then speed can manage to get
a proper Internet connection (e.g. with multiple fixed addresses),
how can we expect regular users to ask for such advanced features?

Myself, I am stuck with a telco-ISP that do not even provide
the option to buy extra IP-addresses (or fixed addresses). This
means I am forced to run a NAT at home, and do the tricks to 
make applications work in this environment (including making
servers work, which of course is not allowed, but why should I
care).

At several occasions, friends have asked me why some of their
communications applications do not work although they have a
premium Internet connection, which meant they had purchased
the highest speed available. Unfortunately, they have all
been fooled by the ISPs that the only difference between different
Internet connections is the maximal throughput, and they have
ended up in a crappy NETed home environment.

But why should ISPs be honest and explain to regular users 
that there could be better alternatives and that what they are
currently selling is a restricted Internet connection? For ISPs,
these restricted connections means users have problems running
some applications, which reduces the traffic they generate, but
the problems users have are not attributed to limitations in what
the ISP provides. Only some ISP's openly declare the details of
the Internet connections they provide, such as whether IP addresses
are fixed or dynamic, if one can get multiple addresses, if IPv6
can be provided, etc. However, some do, and therefore I still
believe there is hope, but it is hard for regular users to
understand what different alternatives would mean (especially
when ISPs are not honest with these matters).

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Re: the iab net neutrality

[David R Oran]

On Mar 29, 2006, at 10:56 AM, Henning Schulzrinne wrote:

We could ask the IEEE, since the relationship between the WiFi  
folks and IEEE 802.11 seems to be somewhat similar.


One of the problems I see is that many of the industry associations  
(SIP Forum, IPv6 forum, to name two I'm somewhat familiar with)  
tend to focus on service providers, not consumers. But an  
organization such as the SIP Forum could provide a VoIP-optimized  
label for NAT boxes and maybe even ISPs.
I'm a board member of the SIP Forum, so I'd like to respond to  
Henning. (I'm speaking as an individual here who happens to be on the  
SIP Forum board so these are personal views neither discussed with  
nor agreed to by the rest of the board. Ditto for the IAB.)


The SIP Forum is a creature of our members, which today are almost  
exclusively service providers and equipment vendors. We try to  
respond to the pain points they bring us and add value by bridging  
the gap between protocol standardization through the IETF and needs  
in the market. So far, we've been pretty successful at running  
interoperability testing through the SIPIT program, and coming up  
with deployment and feature bundling specifications in areas like  
hooking up SIP-based enterprise VoIP systems to service providers who  
are offering PSTN origination and termination services.


The question of how to help the consumer market segment is one we are  
stumped on, for a number of reasons. First, there is no obvious  
advocate for the needs of consumers among our membership. Second, few  
to none of the vendors who sell consumer gear (e.g. Linksys, Netgear,  
Sony, Apple) are members. Third, much of that market segment is  
driven by offshore manufacturers who have little incentive to lead in  
engineering. Their expertise is in channel and brand management, and  
in minimizing all costs, including engineering (not to mention forum  
memberships...).


That said, a number of us believe that we are having a modest effect.  
For example, in the enterprise interconnect specification, we worked  
very hard to make sure straightforward interconnect worked without  
mandating extra firewall, NAT or B2BUA functionality.


The idea of having the SIP Forum sponsor work to at least partially  
drain the NAT/firewall traversal swamp is a good one. So - seeing as  
this is on the IETF public list, let me offer a plea: if you work  
with or build SIP products for consumers, JOIN THE SIP FORUM and help  
us put together a program in our Technical Working Group to address  
these issues. We are driven by our members. Membership is free for  
individuals and of modest cost for companies.



Cheers, Dave Oran


Thus, I think we need a separate organization (or work with a  
separate organization) that does branding and certification. It's  
hard to buy a non-WiFi device in stores today; the equivalent  
consumer assurance needs to be true for core consumer and small- 
business network devices, and possibly services.
I don't know how this would work, but if it could be made to work,  
that might be very helpful.


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: draft-santesson-tls-ume Last Call comment

[Jeffrey Hutzelman]

On Sunday, March 26, 2006 02:48:17 PM -0800 Kurt D. Zeilenga 
[EMAIL PROTECTED] wrote:



I note that SASLprep is case-insensitive and hence may not
be appropriate for the user portion of a UPN.


I think this is a type.  SASLprep is case-preserving, and hence may
not be appropriate for the user portion of a UPN, if the latter are
intended to be case-insensitive.



I also think it
odd to allow both toUnicode and toASCII domain component
forms on the wire.


So do I.




(I recommend the latter).


Why?  The toASCII form was designed to allow IDN's to be encoded for use in 
protocol fields which are very restrictive about what octet strings they 
can carry; in particular, label fields in the DNS wire protocol.  Why do I 
keep seeing people who insist on using that inefficient encoding in 
protocol slots which are perfectly capable of carrying UTF-8?  That's very 
much like suggesting the use of base-32 encoding in an 8-bit-clean field.


Use of toASCII is appropriate for _existing_ IDN-unaware uses of domain 
names.  I wish someone would explain to me why so many people want to use 
it for IDN-aware uses in new protocols.


-- Jeff

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[Michel Py]

Lars,

 Michel Py wrote:
 Unfortunately some protocol purity zealots still have to
 realize that Linksys, Netgear, Belkin and consorts don't
 sell NAT boxes because they think NAT is good, they sell
 NAT boxes because consumers want to buy them.

 Lars-Erik Jonsson wrote:
 I do not think consumers in general want to buy NAT boxes, but
 they are forced to do so by ISP's who do not give them a choice.

Your argument does not hold water. Do a survey of customers who have the
advanced or pro package (with higher speed and multiple static IP
addresses) and you will find that the very vast majority of them (if not
all) use NAT anyway even though they have enough public addresses.


 For ISPs, these restricted connections means users
 have problems running some applications, which
 reduces the traffic they generate.

This does not hold water either. By far, the volume of traffic is
peer-to-peer (mostly questionable in terms of copyright). All major P2P
apps for the most widely used protocols (bittorrent, edonkey etc) cross
NAT nicely, most have UPNP support (no configuration of the NAT box) and
some even have external NAT traversal mechanisms that don't even require
to open a port. Breaking games an other low-volume apps serves no
purpose.

When ISPs want to curb traffic, they either: cap the speed, have monthly
quotas, or (rarely, as it will result in loss of business) enforce their
AUP.

Michel.


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Re: Stupid NAT tricks and how to stop them.

[Joe Abley]

On 5-Apr-2006, at 11:09, Michel Py wrote:

Your argument does not hold water. Do a survey of customers who  
have the

advanced or pro package (with higher speed and multiple static IP
addresses) and you will find that the very vast majority of them  
(if not

all) use NAT anyway even though they have enough public addresses.


A survey of users where?

Arguments which shuttle backwards and forwards between people in  
regions with different packaging of internet access services are  
unlikely to bear fruit so long as the arguments concentrate on  
assumptions about packaging.


Different ISPs package access in different ways.

Some do the NAT for you, in their network; some do the NAT in the CPE  
equipment they supply; some don't do NAT for you at all. Some ISPs  
provide only dynamic addresses, and distinguish their packages based  
on speed; some ISPs have the option of static addresses, but only one  
per subscriber; some ISPs can assign a subnet to a customer.


Some ISPs package their access services according to peak speed  
available; some according to a contention ratio within their network  
(or within the telco's network which they use to reach the customer).  
Some ISPs provide a data cap. Some ISPs charge for volume. Some ISPs  
restrict access speed when a volume threshold within a billing period  
has been reached. Some ISPs bill according to data transferred; some  
ISPs bill at a flat rate.


Some ISPs filter traffic towards their customers; some don't. Some  
ISPs (apparently, possibly) deliberately introduce jitter and latency  
into their access products to discourage customers from using VoIP.  
Others don't.


Some ISPs are happy for people to run servers; some are not. Some  
ISPs are happy for customers to announce their own address space to  
them over DSL using BGP (I know this, since I am a customer of one of  
them).


Some ISPs sell symmetric access services; others sell asymmetric  
services. Some use cable; some use DSL; some use fibre; some use  
wireless transmission; some use frame-relay or PPP or HDLC over  
synchronous T1s or E1s.


Some ISPs compete for customers in an open market. Some ISPs don't  
need to, because they have a natural monopoly in access. Some ISPs  
have access to the copper; some ISPs are dependent on wholesale  
products of telcos, and are perhaps limited in what they can provide  
for that reason.


It's a rich tapestry. Assuming that what is available in one region  
implies anything about what is available in other regions is  
unproductive.



Joe

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[Michel Py]

 Michel Py wrote:
 Your argument does not hold water. Do a survey of customers
 who have the advanced or pro package (with higher speed
 and multiple static IP addresses) and you will find that the
 very vast majority of them (if not all) use NAT anyway even
 though they have enough public addresses.

 Joe Abley
 A survey of users where?

Of anywhere where ISPs offer a package with static IP addresses. I mean
a survey of regular customers, not fellow IETFers or geek buddies. How
many of them actually have multiple static IPs and how many are behind
NAT nevertheless. Run your survey and come back with data.


 It's a rich tapestry.

It is.

 Assuming that what is available in one region implies anything
 about what is available in other regions is unproductive.

Assuming that IETFers and their ideas on how to configure a network are
representative of the general consumer base is ignoring this rich
tapestry.

Michel.


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Re: Stupid NAT tricks and how to stop them.

[Joe Abley]

On 5-Apr-2006, at 12:16, Michel Py wrote:

Of anywhere where ISPs offer a package with static IP addresses. I  
mean

a survey of regular customers, not fellow IETFers or geek buddies. How
many of them actually have multiple static IPs and how many are behind
NAT nevertheless. Run your survey and come back with data.


I was under the impression that *you* were the one making assertions  
about user behaviour. I don't necessarily disagree with them.


However, asking other people to do surveys to confirm your assertions  
(with the implication that people who can't be bothered to do those  
surveys somehow aren't fit to disagree) seems more like an exercise  
in rhetoric than in engineering.


On 5-Apr-2006, at 11:09, Michel Py wrote:


   [...] Do a survey of customers who have the
advanced or pro package (with higher speed and multiple static IP
addresses) and you will find that the very vast majority of them  
(if not

all) use NAT anyway even though they have enough public addresses.

[...] By far, the volume of traffic is
peer-to-peer (mostly questionable in terms of copyright). All major  
P2P
apps for the most widely used protocols (bittorrent, edonkey etc)  
cross
NAT nicely, most have UPNP support (no configuration of the NAT  
box) and
some even have external NAT traversal mechanisms that don't even  
require

to open a port. Breaking games an other low-volume apps serves no
purpose.

When ISPs want to curb traffic, they either: cap the speed, have  
monthly
quotas, or (rarely, as it will result in loss of business) enforce  
their

AUP.



___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[John C Klensin]

--On Wednesday, 05 April, 2006 08:09 -0700 Michel Py
[EMAIL PROTECTED] wrote:

 Michel Py wrote:
 Unfortunately some protocol purity zealots still have to
 realize that Linksys, Netgear, Belkin and consorts don't
 sell NAT boxes because they think NAT is good, they sell
 NAT boxes because consumers want to buy them.
 
 Lars-Erik Jonsson wrote:
 I do not think consumers in general want to buy NAT boxes, but
 they are forced to do so by ISP's who do not give them a
 choice.
 
 Your argument does not hold water. Do a survey of customers
 who have the advanced or pro package (with higher speed
 and multiple static IP addresses) and you will find that the
 very vast majority of them (if not all) use NAT anyway even
 though they have enough public addresses.

It is worth noting in this context that many of the Router
products that are sold for SOHO use (including the high-end
products from the first two vendors listed above) do not provide
any support for multiple static addresses except via one-to-one
NAT.  It is simply not possible to configure those devices to
support use of static public addresses for hosts on the LAN
side.   This situation would somewhat contaminate the results of
the survey you suggest above.

These are not ISP-imposed limitations, but limitations imposed
by commercially-available products.  

It also suggests, again, that part of the current drive by
vendors to support NAT is not because of address shortages but
by support and configuration difficulties with providing and
using small pools of provider-dependent static addresses.

john


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[Michel Py]

 John C Klensin wrote:
 It is simply not possible to configure those devices
 to support use of static public addresses for hosts
 on the LAN side.

First, this is totally false, see below. Second, if you want to use
public IPs on the LAN side you just have to plug your hosts directly in
the back of the {DSL|whatever} modem. Or use the firewall of your
choice.


 This situation would somewhat contaminate the results
 of the survey you suggest above.

Not at all, see above. Plus, read below also.


 It is worth noting in this context that many of the Router
 products that are sold for SOHO use (including the high-end
 products from the first two vendors listed above) (Linksys,
 Netgear) do not provide any support for multiple static
 addresses except via one-to-one NAT.

This is simply NOT true. Large numbers of SOHO routers can operate
with or without NAT and yes including the high-end products from the
first two vendors listed above.

Linksys RV042: http://tinyurl.com/zf7o8
Netgear FVG318: http://www.netgear.com/products/details/FVG318.php
And this is the norm. The one I use right now:
http://www.broadxent.com/products/8120.asp
and many more:
http://www.sonicwall.com/totalsecure/ts10.html
http://www.netopia.com/equipment/routers/routers_models.html
I have seen some of the speedstreams too and they all had an option to
run with or without NAT. Many of them also have the option to have a
bridge mode allowing the customer to provide their own router/firewall
solution.


 These are not ISP-imposed limitations, but limitations
 imposed by commercially-available products.

Please stop spreading disinformation. The proof is in the pudding, just
click on the links above. Maybe actually looking at what's out there
would help too.

Michel.


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Re: Stupid NAT tricks and how to stop them.

[Iljitsch van Beijnum]

On 5-apr-2006, at 17:09, Michel Py wrote:


By far, the volume of traffic is
peer-to-peer (mostly questionable in terms of copyright). All major  
P2P
apps for the most widely used protocols (bittorrent, edonkey etc)  
cross
NAT nicely, most have UPNP support (no configuration of the NAT  
box) and
some even have external NAT traversal mechanisms that don't even  
require

to open a port. Breaking games an other low-volume apps serves no
purpose.


This sounds a lot like NAT doesn't really break anything. If I  
pretend I'm a regular user for a minute, I can tell you this is not  
the case. When I used NAT for my Powerbook I had lots of problems  
doing videochats with Apple's iChat with someone else who was also  
behind NAT. Even when I configured the single real IP address I got  
on my Powerbook (very tricky because there was a Cisco SOHO box  
terminating a PPPoA ADSL link in the middle) it still didn't work  
very reliably. RTSP with Quicktime didn't work when the Cisco 82x did  
the NATting, but it would when an Apple Airport Extreme performed NAT.


Peer-to-peer isn't a good example, because of the high built-in  
redundancy. Even someone who can only set up outgoing sessions can  
run BitTorrent without too much trouble because there are plenty of  
peers without NAT or portmappings of some kind (manual, uPnP or NAT- 
PMP) that can receive the incoming sessions. When the sessions are  
up, traffic can flow both ways. However, if you read forums or  
release notes you'll see lots of discussion on port mapping because  
being able to receive incoming session setup attempts means that you  
get to connect to more peers (all of them, without port mapping only  
others that are not behind NAT or do have port mapping) so your  
downloads are faster.


Given the market place realities the IETF should be careful to make  
its protocols interoperate with NAT whenever possible, but don't  
think for a minute that adding NAT workarounds solves the problem  
completely. Here in the Netherlands ISPs generally give out a single  
real IP address to their customers, but most customers use a DSL or  
cable modem with NAT or an additional NAT router or wireless base  
station so they can connect more than one computer. Despite some  
individual reports to the contrary, I believe the same is true for  
most IP users.


However, some ISPs already perform NAT for their customers in their  
network, and that's only going to increase as IPv4 addresses become  
more scarce and eventually run out completely. At that point, many  
people will be behind two layers of NAT. Also, reserving ports will  
be very hard because many systems share one real IP address. Maybe  
it's just me, but I don't see the IETF or anyone else for that matter  
coming up with something that allows communication between two people  
who are both behind two layers of NAT with any modicum of reliability.


So in addition to supporting NAT where reasonably possible, the IETF  
should also continue to plan for a future where there is enough  
address space to make NAT unnecessary. However, universal  
reachability isn't coming back even if NAT is out of the picture  
because people love to run firewalls that break way more stuff than  
intended.


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[John C Klensin]

--On Wednesday, 05 April, 2006 11:23 -0700 Michel Py
[EMAIL PROTECTED] wrote:

 John C Klensin wrote:
 It is simply not possible to configure those devices
 to support use of static public addresses for hosts
 on the LAN side.
 
 First, this is totally false, see below. Second, if you want
 to use public IPs on the LAN side you just have to plug your
 hosts directly in the back of the {DSL|whatever} modem. Or use
 the firewall of your choice.

Michel, spreading disinformation is a rather strong claim; not
one I would choose to make without actually examining the
devices and their manuals, not just the marketing descriptions
you cite below.   That said, I did somewhat oversimplify the
problem I described.  More detail, and a pair of partial product
reviews, follows below.  If I owe the vendors an apology, I will
apologize, but I will do so only in the presence of either
vendor documentation of how to do what is needed (user manual,
knowledge base article, or the equivalent) or a user-level
description of how to do it that the vendors will support.  See
below.

 This situation would somewhat contaminate the results
 of the survey you suggest above.
 
 Not at all, see above. Plus, read below also.

 It is worth noting in this context that many of the Router
 products that are sold for SOHO use (including the high-end
 products from the first two vendors listed above) (Linksys,
 Netgear) do not provide any support for multiple static
 addresses except via one-to-one NAT.
 
 This is simply NOT true. Large numbers of SOHO routers can
 operate with or without NAT and yes including the high-end
 products from the first two vendors listed above.
 
 Linksys RV042: http://tinyurl.com/zf7o8
 Netgear FVG318:
 http://www.netgear.com/products/details/FVG318.php And this is
 the norm.

Our experience differs, but this is not disinformation.  I'm
running an RV082 (the 042's bigger and more capable sibling)
here and consigned an FVG318 to the parts closet before getting
the RF082.In both cases, I bought the products at retail and
struggled for some weeks, reading manuals and using the vendor's
customer support mechanisms and, in the RV082 case, taking
advantage of some additional support resources before reaching
the conclusions that I reached.

At least part of the problem are some constraints that, as a
simplification, I didn't mention.  The two most recent ISPs I've
dealt with personally, and two more I've deal with on behalf of
friends I was trying to set up, all insist on owning control of
the front-end CPE modem/ router equipment.  They do not
permit (by TsCs, password control, etc.) the customer to
reconfigure that equipment to, e.g., operate it in bridge mode.
The number of static addresses available or in use is quite
small, typically a /28 or even a /29.  Finally, I need a device
with the ability to specify port priorities and to supply some
firewall capability.

One implication of this is that there is a little problem of
router co-existence: the customer-supplied device has to be
plugged into the LAN side of the ISP-supplied device, using one
of those static addresses as its WAN-side but supplying the
others to devices on the actual LAN.  In principle, it ought to
be possible to do that by setting up static routes, but (i)
neither vendor was able to specify how to do it and (ii) some,
if not all, of the ISPs configure their interface devices to
require that different addresses appear on the different ports
they supply.

For both of these vendors can use static addresses in
marketing literature apparently mean that one can use a static
address on its WAN side and can turn DHCP off, or run DHCP with
MAC-mapped addresses, on the LAN side.  Both support those
capabilities; the problem is where the addresses come from.
Actual experience with trying to set the devices up with a
static /29 pool of public addresses used on the LAN side of the
device and with the same pool presented to and used from the
public Internet were unsuccessful.

Disclaimer about the Netgear box: I haven't tried to use it with
static, public addresses for well over a year.  Perhaps new
firmware and documentation has been released and it has been
changed to better support these functions.  I doubt it somehow,
but perhaps.

In the case of Netgear, there is not a hint in any of the
documentation, or in their knowledge base as of a year or so
ago, that use of public addresses is possible.  After an
extended discussion with their technical support operation (and
an escalation or two), I was told that the device would not
support what I needed (i.e., public addresses on the LAN
identical to the public addresses by which the Internet saw
those hosts, with no NAT function of any sort) and that, if I
could trick it into doing what I was asking for, they would not
support it.   That led to a discussion about how they could
claim support for static, public, addresses, but that discussion
didn't lead anywhere.

In the case of the Linksys device, the 

RE: Stupid NAT tricks and how to stop them.

[John Calcote]

-John Calcote ([EMAIL PROTECTED])Sr. Software EngineeerNovell, Inc.

 John C Klensin [EMAIL PROTECTED] 4/5/2006 10:43:36 am 
--On Wednesday, 05 April, 2006 08:09 -0700 Michel Py[EMAIL PROTECTED] wrote: Michel Py wrote: Unfortunately some protocol purity zealots still have to realize that Linksys, Netgear, Belkin and consorts don't sell NAT boxes because they think NAT is good, they sell NAT boxes because consumers want to buy them.It is worth noting in this context that many of the Routerproducts that are sold for SOHO use (including the high-endproducts from the first two vendors listed above) do not provideany support for multiple static addresses except via one-to-oneNAT. It is simply not possible to configure those devices tosupport use of static public addresses for hosts on the LANside. This situation would somewhat contaminate the results ofthe survey you suggest above.These are not ISP-imposed limitations, but limitations imposedby commercially-available products. 
--
I'll just jump in here for a second and mention also that vendors offer what they have to, not what they can. They want to provide the most "bang for the buck", so to speak. These companies don't offer the multiple-static-ip-address option today because most ISP's don't offer it to home users and home (SOHO) users represent the target market. That said, they *would* offer these features if SOHO users were constantly frustrated about the fact that they can't make use of the multiple static addresses that their ISP provides them because of limitations in their router equipment...

The fact is, _when_ IPv6 becomes truly mainstream and ISP's begin to offer multiple static addresses because they can, then these companies will offer the features on their routers. 

Let's not mistake what the world wants, for what it is successfully living with today.

John
BEGIN:VCARD
VERSION:2.1
X-GWTYPE:USER
FN:John Calcote
EMAIL;WORK;PREF;NGW:[EMAIL PROTECTED]
N:Calcote;John
ORG:;Unified Identity System Eng TE
TEL;WORK:1-801-861-7517
TITLE:Sr. Software Engineer
ADR;DOM;WORK;PARCEL;POSTAL:;PRV-H-511;;Provo
LABEL;DOM;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:John Calcote=0A=
PRV-H-511=0A=
Provo
END:VCARD

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Re: Stupid NAT tricks and how to stop them.

[Iljitsch van Beijnum]

On 5-apr-2006, at 21:57, John C Klensin wrote:


they all had an
option to run with or without NAT. Many of them also have the
option to have a bridge mode allowing the customer to
provide their own router/firewall solution.



It is that bridge mode that is critical.  As I indicated
above, neither the Linksys nor the Netgear devices provide it.
The SonicWall does, but raises other, unrelated, issues.  I
carefully did not address any devices I haven't actually used.
That leaves us in a state in which it is necessary to handle
static public IP addresses by either



* running the ISP's interface device in bridge mode,
which many (although perhaps not all) ISPs prohibit



* running the router devices as one-one NATs


It occurs to me that there is nothing that prevents this exact same  
issue from coming up in IPv6. Even with an unpronouncable number of  
addresses, if you provide your own box that performs routing (which  
is generally a requirement for any kind of firewalling), the ISP has  
set up an address range to communicate with that box, and another  
address range that it forwards to that box for use behind it.


I.e., if the ISP provides a CPE box under their control and I have my  
own router/firewall, then I need a subnet between the two and at  
least one more subnet on another port of my router/firewall where my  
hosts reside. The first issue is that this makes getting a single /64  
from the ISP useless, and the second issue is that either there needs  
to be some manual configuration or there needs to be some kind of  
address provisioning protocol to be run between the CPE and the  
customer router/firewall, such as DHCPv6 prefix delegation.


(Note by the way that PPP can do address provisioning for a single  
address in IPv4 but it can't do this for IPv6, making stuff like IPv6  
over dial-up extremely hard to do.)


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[Paul Hoffman]

At 11:23 AM -0700 4/5/06, Michel Py wrote:

  John C Klensin wrote:

 It is simply not possible to configure those devices
 to support use of static public addresses for hosts
 on the LAN side.


First, this is totally false, see below.


No, it is *partially* false, but unfortunately true in many cases. 
Some SOHO devices allow to use the outside IP addresses on the 
inside, and some don't.


More importantly, some that say they allow you to turn off the NAT 
don't actually work. In the VPNC test lab, we have found some SOHO 
systems (from more than one vendor, based on code from more than one 
OEM) where turning off the NAT using the GUI didn't do anything: the 
NAT was still in force. The vendors had to fix their software before 
they could continue with our testing because we explicitly do not 
test with NATs (except for our upcoming testing of IPsec 
NAT-traversal interop).


The VPNC members were fairly happy to have discovered sooner rather 
than later that their NAT configuration was not what they thought it 
was. They were not happy to have to fix their code, of course, but it 
is better to have to do so early in the shipping cycle before the 
customer support calls come. On the other hand, one vendor who has a 
series of boxes that cannot have their NATs turned off said that they 
essentially never get complaints about it, even though the 
always-NAT-no-matter-what feature is not listed on the box.


Assuming that the system documentation is correct in this area is not 
a good idea, at least from the hands-on experience in our lab.


--Paul Hoffman, Director
--VPN Consortium

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Re: Stupid NAT tricks and how to stop them.

[John C Klensin]

--On Wednesday, 05 April, 2006 22:24 +0200 Iljitsch van Beijnum
[EMAIL PROTECTED] wrote:

 On 5-apr-2006, at 21:57, John C Klensin wrote:
 
 they all had an
 option to run with or without NAT. Many of them also have the
 option to have a bridge mode allowing the customer to
 provide their own router/firewall solution.
 
 It is that bridge mode that is critical.  As I indicated
 above, neither the Linksys nor the Netgear devices provide it.
 The SonicWall does, but raises other, unrelated, issues.  I
 carefully did not address any devices I haven't actually used.
 That leaves us in a state in which it is necessary to handle
 static public IP addresses by either
 
  * running the ISP's interface device in bridge mode,
  which many (although perhaps not all) ISPs prohibit
 
  * running the router devices as one-one NATs
 
 It occurs to me that there is nothing that prevents this exact
 same  issue from coming up in IPv6. Even with an
 unpronouncable number of  addresses, if you provide your own
 box that performs routing (which  is generally a requirement
 for any kind of firewalling), the ISP has  set up an address
 range to communicate with that box, and another  address range
 that it forwards to that box for use behind it.
 
 I.e., if the ISP provides a CPE box under their control and I
 have my  own router/firewall, then I need a subnet between the
 two and at  least one more subnet on another port of my
 router/firewall where my  hosts reside. The first issue is
 that this makes getting a single /64  from the ISP useless,
 and the second issue is that either there needs  to be some
 manual configuration or there needs to be some kind of
 address provisioning protocol to be run between the CPE and
 the  customer router/firewall, such as DHCPv6 prefix
 delegation.

This was part of the point I was trying to make before the
totally false assertion arose.  The boxes can't magically a
small-address-range single subnet work because making it work is
tricky to do and trickier to support.  If the subnet is big
enough that one can plausibly throw half of it away (as might be
the case with an IPv6 /64), then there is an obvious trick with
subnet masks... but I believe that at least some of these
router/firewall boxes won't support it.  And neither many
hardware vendors nor many ISPs are particularly anxious to
support configurations that are tricky-- they cause (expensive
for the vendor/ ISP) support calls.

 (Note by the way that PPP can do address provisioning for a
 single  address in IPv4 but it can't do this for IPv6, making
 stuff like IPv6  over dial-up extremely hard to do.)

More of the same.

From my perspective, parts of this discussion, in its many
repetitions and many forms, have become pointless to the level
of uninteresting.   Some of us believe that NATs are bad news
and harmful.  Others believe that NATs fall somewhere on the
scale between harmless and actually good.  That debate has
turned into a religious war and cannot be settled -- presumed
facts presented by either side are simply ignored, or rejected
with claims stated in strong language, by the other.

By contrast, the question of whether IPv6, by itself, will
solve or eliminate NATs is one that is susceptible to
engineering evaluation and, IMO, suggests work that the IETF
ought to be doing.  Whether we like NATs or not, we need to
understand the forces that drive them and to understand that
those forces are not all about address space.  And, on that
basis, we need to look, again IMO, at both protocols and
policies to be sure that we have provided the tools for
permitting those who wish to get rid of NATs to do so.  If we
don't know how to build, and inexpensively support, a
router/firewall without address mapping, then we had better
figure it out.  If ISPs like NATs because they can't
economically handle the perceived higher support costs of every
end-user LAN having a slightly different topology, then we had
better figure out how to solve the underlying problem rather
than assuming that IPv6 will eliminate the NATs.  If, as
Iljitsch suggests, PPP (as now defined) isn't quite suitable for
supporting IPv6 over dialup, then someone better be looking at
fixing that -- and looking at strange-to-me setups such as PPoE
in the process.  And, if everyone gets a /64 really doesn't
work because of outside-firewall and inside-firewall issues, we
had best either figure out how to change that restriction or
turn the allocation rule into everyone gets two /65s, or do
something else to deal with the issues that can be standardized
and built into both equipment and user manuals.

Until that work is done, we, I believe, should keep our
expectations about IPv6 deployment to end-user LANs very modest.

john



___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

RE: Stupid NAT tricks and how to stop them.

[Michel Py]

 John Calcote wrote:
 I'll just jump in here for a second and mention also that vendors
 offer what they have to, not what they can. They want to provide
 the most bang for the buck, so to speak. These companies don't
 offer the multiple-static-ip-address option today because most
 ISP's don't offer it to home users and home (SOHO) users represent
 the target market. That said, they *would* offer these features
 if SOHO users were constantly frustrated about the fact that they
 can't make use of the multiple static addresses that their ISP
 provides them because of limitations in their router equipment...

Exactly. As I said many times: vendors sells what the market wants to
buy, and IETFers do not make the market.


John,

 John C Klensin wrote:
 spreading disinformation is a rather strong claim; not
 one I would choose to make without actually examining the
 devices and their manuals, not just the marketing
 descriptions you cite below.

I have personally configured non-NAT on a least a dozen different of
these boxes.

 At least part of the problem are some constraints that,
 as a simplification, I didn't mention.

I can see that now, but your original text said nothing.


 The two most recent ISPs I've dealt with personally, and two
 more I've deal with on behalf of friends I was trying to set
 up, all insist on owning control of the front-end CPE
 modem/ router equipment. They do not permit (by TsCs,
 password control, etc.) the customer to reconfigure that
 equipment to, e.g., operate it in bridge mode.

Common issue, then ask the ISP to reconfigure it in bridge mode
themselves. If the contract says you get public IPs this means these IPs
available for your hosts, not for their router. I never had an ISP
refuse to do this, it's quite easy at time of installation to call the
sales droid and tell it that if they don't configure their stuff to
deliver your public addresses on the LAN side they can stick it. Sales
droid wants his commission, sales droid talks to the techs.

Other method: spend $20 on eBay for a DSL modem/router that you have
control of. It is not illegal to swap their modem for yours, and if you
ever have to call their support (you know, the guys that ask for 1/2
hour if the power is on and if the lights are green) just plug their
modem back for the time of troubleshooting and the put yours back when
done. For this very reason I kept the Alcatel aDSL modem that PacBell
sold me 7 years ago although I have used at least 4 different ones.

FYI, in the latest ATT (formerly SBC formerly Pacific Bell) aDSL
self-install kits that they ship, the password to admin the NAT box is
on a sticker underneath the box. Before, techies still knew that it was
the MAC address or the serial number of the box. They actually want you
to try to configure the box, mess it up, and send you a tech and bill
$200 to fix it. Also, they were tired of people clogging their support
to ask how to make this of that work. New method: if it does not work,
see your software vendor.
ISPs that survive and grow provide what their customers ask for, and
admin access to the CPE device to open ports is one of these demands.


 The number of static addresses available or in use is
 quite small, typically a /28 or even a /29.

In my experience, /29 is good enough for a typical home and /28 for a
typical small office. If you need more you fall into the medium business
category and allegedly have the $$$ that go with it.


 Finally, I need a device with the ability
 to specify port priorities

Your requirements are way over the typical user. If you have
requirements that represent 1% of the demand, you will not be able to
use the canned solution that fits the masses. Possibly not because of
technical reasons but for business reasons: vendors might think that if
you have such requirements you have the money to pay for them (which is
partially justified by higher support costs). If you don't find what you
need in el-cheapo mass-produced consumer stuff it's not because vendors
are trying to screw you but because your business does not represent
enough money for them to take action.


 and to supply some firewall capability.

There is no cheap firewall solution unless you call firewall what
comes with a $20 NAT box.


 In the case of the Linksys device, the documentation is
 fairly clear that the address space on the WAN-side
 needed to be disjoint from the address space on the LAN-side.

This is the case also for many others even high-end ones such as the
Cisco PIX firewall (last time I checked). Your requirements are
different than the masses, you have to use the box that fits your
requirements. The fact that very few firewalls support bridging is
simply due to the lack of demand.


 A solution to this is that either the ISP-supplied CPE
 or the internal router device operate in bridge mode.

Indeed and I do acknowledge that many firewalls do not, which I found
myself to be a pain. But you still have two avenues:

1. A router/firewall 

Re: Stupid NAT tricks and how to stop them.

[Anthony G. Atkielski]

John Calcote writes:

 I'll just jump in here for a second and mention also that vendors
 offer what they have to, not what they can. They want to provide the
 most bang for the buck, so to speak. These companies don't offer
 the multiple-static-ip-address option today because most ISP's don't
 offer it to home users and home (SOHO) users represent the target
 market.

It is unlikely that ISPs will ever offer static IPs or multiple IPs to
home users at any time in the future for free.  They will continue to
charge heavy premiums for such professional features, with or
without IPv6.

 That said, they *would* offer these features if SOHO users
 were constantly frustrated about the fact that they can't make use
 of the multiple static addresses that their ISP provides them
 because of limitations in their router equipment...

SOHO users probably won't be willing to pay 500% more for multiple or
static IPs, anyway.

 The fact is, _when_ IPv6 becomes truly mainstream and ISP's begin
 to offer multiple static addresses because they can ...

ISPs can do that already, but they charge a great deal for it, and
they probably always will.

ATT used to charge for any telephone color other than black, even
though the cost of producing a telephone was the same no matter what
color it was.



___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Last Call: 'IKE and IKEv2 Authentication Using ECDSA' to Proposed Standard

[The IESG]

The IESG has received a request from an individual submitter to consider the 
following document:

- 'IKE and IKEv2 Authentication Using ECDSA'
   draft-ietf-ipsec-ike-auth-ecdsa-05.txt as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send any comments to the
iesg@ietf.org or ietf@ietf.org mailing lists by 2006-05-03.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ike-auth-ecdsa-05.txt

Also, this IPR disclosure may be of inerest
https://datatracker.ietf.org/public/ipr_detail_show.cgi?ipr_id=695


___
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce

WG Action: Conclusion of Kerberized Internet Negotiation of Keys WG (kink)

[IESG Secretary]

The Kerberized Internet Negotiation of Keys WG (kink) in the Security Area has
concluded.

The IESG contact persons are Russ Housley and Sam Hartman. 

The mailing list will remain active.

+++

The Kink working group has completed its objectives by publishing a
Kerberized IPsec key management protocol and requirements for that
protocol. Thanks to all those who have contributed over the years.

___
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce

Last Call: 'DDP/RDMAP Security' to Proposed Standard

[The IESG]

The IESG has received a request from the Remote Direct Data Placement WG to 
consider the following documents:

- 'DDP/RDMAP Security '
   draft-ietf-rddp-security-08.txt as a Proposed Standard
- 'Applicability of Remote Direct Memory Access Protocol (RDMA) and Direct Data 
   Placement (DDP) '
   draft-ietf-rddp-applicability-05.txt as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send any comments to the
iesg@ietf.org or ietf@ietf.org mailing lists by 2006-04-19.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-rddp-security-08.txt
http://www.ietf.org/internet-drafts/draft-ietf-rddp-applicability-05.txt


___
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce