A tangent Re: Some data Re: Again: Number of Firewall/NAT Users

2001-05-03 Thread grenville armitage


i know this thread died a few moons ago, and won't help anyone guess
the height limit of warships under bridges, but in case anyone's
interested in a rough guess of where people play net games from,
along with a slightly revised estimate of NAT usage, i've crunched
some numbers and placed results at:

http://members.home.net/garmitage/things/quake3-where-050201.html

cheers,
gja

Jon Crowcroft wrote:
> 
> In message <[EMAIL PROTECTED]>, Kyle Lussier typed:
> 
>  >>> > "is anyone aware of any estimations of fraction of Internet users
>  >>> > who are behind firewalls and NATs?"
> 
>  >>How about for business users?  If the assumption can be made
>  >>that most Q3 players are home based (which would probably
>  >>have a lower incidence of NATs) ~20% sounds high.  Of
>  >>course that could be because of service providers.
> 
> according to some measurements, most game players are at WORK.
> +
> in some parts of the world, most HOME users are behind NATs
> 
>  >>But does anyone have a better idea for business users?
> 
>  cheers
> 
>jon

-- 

Grenville Armitage  http://members.home.net/garmitage/




Re: Some data Re: Again: Number of Firewall/NAT Users

2001-03-07 Thread Jon Crowcroft


In message <[EMAIL PROTECTED]>, Kyle Lussier typed:

 >>> > "is anyone aware of any estimations of fraction of Internet users
 >>> > who are behind firewalls and NATs?"
 
 >>How about for business users?  If the assumption can be made
 >>that most Q3 players are home based (which would probably
 >>have a lower incidence of NATs) ~20% sounds high.  Of
 >>course that could be because of service providers.

according to some measurements, most game players are at WORK.
+
in some parts of the world, most HOME users are behind NATs
 
 >>But does anyone have a better idea for business users?

 cheers

   jon




RE: Some data Re: Again: Number of Firewall/NAT Users

2001-03-06 Thread Kyle Lussier

> > "is anyone aware of any estimations of fraction of Internet users
> > who are behind firewalls and NATs?"

> So, this question piqued my interest. Figured I'd take a
> bash at estimating NAT usage using the online QuakeIII community
> as a reference. Cobbled together two Q3 servers, logged client
> port numbers, and looked for NAPT 'fingerprint' of clients coming
> in on unexpected UDP ports (Q3 client side seems to always use
> 27960 if not mangled by NAPT). Using an indirect, and somewhat
> arm-wavy method I estimate between 18 and 19% of the players
> on my servers were behind NAT boxes. A bit more discussion is

How about for business users?  If the assumption can be made
that most Q3 players are home based (which would probably
have a lower incidence of NATs) ~20% sounds high.  Of
course that could be because of service providers.

But does anyone have a better idea for business users?

Kyle Lussier
www.AutoNOC.com




Some data Re: Again: Number of Firewall/NAT Users

2001-03-05 Thread Grenville Armitage


Jiri Kuthan wrote:
[..]
> I would like to re-raise the question:
> 
> "is anyone aware of any estimations of fraction of Internet users
> who are behind firewalls and NATs?"

So, this question piqued my interest. Figured I'd take a
bash at estimating NAT usage using the online QuakeIII community
as a reference. Cobbled together two Q3 servers, logged client
port numbers, and looked for NAPT 'fingerprint' of clients coming
in on unexpected UDP ports (Q3 client side seems to always use
27960 if not mangled by NAPT). Using an indirect, and somewhat
arm-wavy method I estimate between 18 and 19% of the players
on my servers were behind NAT boxes. A bit more discussion is
at:

http://members.home.net/garmitage/things/nat-quake3.html

(Usual caveats: analysis may have entirely missed the point,
clicking on the link voids your warranty, life is too short,
etc..)

cheers,
gja

Grenville Armitage  http://members.home.net/garmitage/
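As an added illustration of the port-fingerprint heuristic described in the post above (this is example code, not Armitage's own; the log line format, addresses and ports are constructed for it), here is a small script that classifies logged client endpoints and reports the fraction that look NAPT-mangled:

```python
"""Estimate the share of Quake III clients that sit behind NAPT boxes.

Heuristic from the post above: an unmodified Q3 client sends from UDP
port 27960, so a client whose packets arrive from any other source
port has most likely had its port rewritten by a NAPT device.
The log format, addresses and ports below are constructed for this
example (the author logged client ports with his own tooling).
"""
import re
from collections import defaultdict

Q3_DEFAULT_CLIENT_PORT = 27960

# Constructed sample log (RFC 5737 documentation addresses, not real players).
SAMPLE_LOG = """\
  0:12 ClientConnect: 0 from 192.0.2.10:27960
  0:15 ClientConnect: 1 from 192.0.2.11:27960
  0:31 ClientConnect: 2 from 198.51.100.7:1045
  0:44 ClientConnect: 3 from 198.51.100.7:1046
  1:02 ClientConnect: 4 from 203.0.113.9:27960
  1:07 ClientUserinfoChanged: 4 n Visor t 0
  1:19 ClientConnect: 5 from 192.0.2.10:27960
  1:40 ClientConnect: 6 from 203.0.113.40:61337
  2:03 ClientDisconnect: 2
  2:10 ClientConnect: 7 from 192.0.2.12:27960
  2:22 ClientConnect: 8 from 192.0.2.12:70000
"""

# Matches only the connect records; everything else in the log is ignored.
CONNECT_RE = re.compile(
    r"ClientConnect: \d+ from (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b"
)


def parse_endpoints(log_text):
    """Return the distinct (ip, port) client endpoints found in the log.

    A player who reconnects from the same address and port is counted
    once; records with an out-of-range port are skipped.
    """
    endpoints = set()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if not 0 < port < 65536:
            continue
        endpoints.add((ip, port))
    return endpoints


def looks_natted(port):
    """The NAPT fingerprint: any source port other than the Q3 default.

    False positives: a player who deliberately reconfigured the client
    port. False negatives: a NAPT that happens to preserve 27960, which
    some do when no other inside host is already using it.
    """
    return port != Q3_DEFAULT_CLIENT_PORT


def estimate_nat_fraction(log_text):
    """Summarise how many distinct client endpoints carry the fingerprint.

    Also reports public addresses seen with more than one source port:
    either several players sharing one NAPT box, or one natted player
    whose mapping changed between sessions.
    """
    endpoints = parse_endpoints(log_text)
    natted = sum(1 for _, port in endpoints if looks_natted(port))
    ports_by_ip = defaultdict(set)
    for ip, port in endpoints:
        ports_by_ip[ip].add(port)
    shared = sorted(ip for ip, ports in ports_by_ip.items() if len(ports) > 1)
    total = len(endpoints)
    return {
        "endpoints": total,
        "natted": natted,
        "fraction": natted / total if total else 0.0,
        "shared_addresses": shared,
    }


if __name__ == "__main__":
    summary = estimate_nat_fraction(SAMPLE_LOG)
    print(f"{summary['natted']}/{summary['endpoints']} endpoints "
          f"({summary['fraction']:.1%}) look NAPT-mangled")
    print("addresses seen with several ports:", summary["shared_addresses"])
```

On the constructed log this flags 3 of 7 distinct endpoints; on a real server the denominator is what makes the estimate "arm-wavy", since one natted player reconnecting can show up as several endpoints.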




RE: Number of Firewall/NAT Users

2001-01-24 Thread Kyle Lussier

> Well, NAPSTER comes pretty close. Two peers can exchange files if at
> least one of them can act as a server, i.e. is not blocked by a NAT. If
> both are behind NAT, they can't. The point being, NAT are only
> transparent if the host behind a NAT acts as a "client", and initiates
> the TCP connection. Peer-to-peer applications assume that every host can
> be a server.

That's a great example!  The other example that sometimes irks me is
the issue of bi-directionally managed SNMP devices (that use polling
and traps).  You have to start doing all kinds of strange things, like
SNMP proxying, to make this stuff work.  My view is an address should
be the address, unquestionably and undeniably.  There is also the
issue of new distributed bi-directionally communicating firewall
technologies and things.  These are kind of peer-to-peer applications.

It can be argued that all of this should be on the same side of the NAT,
but what happens if you are an MSP managing or securing remote customer
networks?  NATs make life very difficult for them.  You have to start
building VPNs into customer networks and then you are working with
multiple DNS and multiple NAT servers... very ugly stuff if you want
to reliably manage it all.

>v4.  Renumbering can be expensive.  NATs are seen by many enterprises as a
>way of removing the need to renumber should they change providers.  Until
>the issue of renumbering is addressed, NATs will not go away.

I'm still very intrigued by what David Conrad wrote above and I completely
agree with.  Is there any way that ipv6 handles provider renumbering?  I
can think of a couple ways it could be done given the huge ipv6 space.
But personally, I like the convention of just using DNS names for all
devices, and then you can renumber pretty much at will.  But there are
problems there also.

I realize ipv6 renumbering has probably been covered in depth, but
is there any more thoughts incorporated into it related to provider
renumbering?

Kyle Lussier
www.AutoNOC.com






RE: Number of Firewall/NAT Users

2001-01-24 Thread Christian Huitema

> If a compelling application comes along that is NAT-hostile, that
> will be interesting, but I can't imagine it's in anyone's interest
> to provoke such a conflict when there are well-known NAT-friendly 
> ways of replacing embedded IP addresses in most higher-level protocols
> that use them...

Well, NAPSTER comes pretty close. Two peers can exchange files if at
least one of them can act as a server, i.e. is not blocked by a NAT. If
both are behind NAT, they can't. The point being, NAT are only
transparent if the host behind a NAT acts as a "client", and initiates
the TCP connection. Peer-to-peer applications assume that every host can
be a server.

-- Christian Huitema




Re: Number of Firewall/NAT Users

2001-01-24 Thread David R. Conrad

At 11:52 AM 1/23/2001 +, Jon Crowcroft wrote:
>o'dell's GSE draft addressed renumbering perfectly.

And look how far it got.

Rgds,
-drc




Re: Number of Firewall/NAT Users

2001-01-24 Thread Keith Moore

> - I did not say the DNS is not useful.  I said it has design flaws, and
> I named some of them.  These flaws are examples of what NOT to do
> with IP.

DNS does have design flaws, but I don't think you've identified any of them.

> - A service that maps names of local resources to distant addresses
>   is  a local problem.

whatever.  mapping local resources onto distant addresses is not a problem
that a lot of people are interested in solving.  if DNS cannot do this
well, it's hardly DNS's fault - that's not the purpose for which it was
designed.

> But the DNS is not a magic wand either, besides its design flaws.

I agree that DNS is not suitable for every conceivable purpose.  For
example, DNS is not suitable as a means for mapping service names
to connection endpoints within distributed applications.

> - I do not think the DNS can be phased out any time soon, or foreseeable.
> 
> - However, one must ask what comes after DNS -- because something will.
> I fully expect this "something" to interoperate with DNS.

I think there might be multiple somethings - both successors to DNS
(that provide the same function, probably supporting the same query 
protocol for backward compatibility) and other lookup services that
map names (say common names, as in CNRP) to service locations.

(in some of the early work I did on URN resolution systems I discovered
that the resolution system really needed to return the IP addresses
of the resource locations that it found, and not just the URLs of
those resources - otherwise the entire system slowed to a crawl.)

> - The same arguments apply to IP -- what comes after IPv4, IPv6? Something
> will, and I expect they all to interoperate.  NATs help.

NATs (specifically NAT-PTs) do help interoperate between IPv4 and IPv6.  
If one end only speaks IPv4 and the other end only speaks IPv6, NATs
are the only way to get them connected.  However this approach still has
the problems common to all NATs.  It's not a general solution, it's just
the best that can be done.

> - I think ICANN is a mistaken way to solve a non-existing problem.  The
> non-existing problem is how to govern the Internet.  The mistaken way is
> by central control.

You obviously don't understand ICANN's intent or function, but it's not
to govern the Internet.  You also don't understand just how little power
ICANN has.

> - The Internet depends on the DNS, it should be the other way around.
> Further, this dependence creates an "ideal" control handle, which is
> useful for some that do want to unduly control many aspects of the
> Internet for their special interests -- and to their detriment, 
> paradoxically.

The URN group spent a lot of time thinking about how to administer
a centralized namespace with minimal potential for control.  A 
system like DNS which has multiple root servers, a federated name
space, with lookup also federated along delegation boundaries,
is nearly ideal - it gives the roots the minimum degree of control.
Other systems that relied on centralized lookup or which delegated
lookups via other means (say using a hash of the name) were much
more vulnerable to this kind of exploit.  Which is not to say that
there's no risk, but that the DNS structure minimizes the risk 
to the extent that we know how to do it.

Moreover, having an organization like ICANN - i.e. one which has no other 
function besides administering top-level name and number assignments -
in charge of the roots, seems far preferable to having either
a government or a commercial organization in charge of the roots.
The latter two are far more of a threat to Internet users than ICANN.
The biggest danger associated with ICANN is mission creep - because
they are centralized people are constantly tempted to saddle them with
other aspects of "internet governance" that seem to demand centralization.
I hope that ICANN will discourage and be discouraged from taking on
such roles.  Only time will tell.

> If a technical system can be designed that would negate such a handle
> to all, this would be intrinsically fair and defuse much of the "problems"
> we have with DNS and its control (ICANN).

Perhaps.  But nobody has found a way to do this that (a) prevents naming
conflicts and (b) makes lookups of those names visible to the entire
Internet.  Both of these are desirable features of the current DNS system.
I agree that it should be possible to build other kinds of lookup systems,
but it's hard to solve the problem that DNS tries to solve without having
at least a minimal root.

> - The IETF abhors liability. However, its actions have defined the DNS,
> its flaws, helped shape ICANN, its flaws, and are now trying to shape IP,
> and its flaws.  It is time we all think a bit about the highly leveraged 
> game being played here, with near 800 million Internet users.  

Be assured that it *is* being thought about and has been for several years.
ICANN is the best we could do under the circumstances, given the size of 
some of the gorillas i

Re: Number of Firewall/NAT Users

2001-01-24 Thread Ed Gerck



Keith Moore wrote:

> Ed,
>
> without getting too long-winded

me too :-)

- I did not say the DNS is not useful.  I said it has design flaws, and
I named some of them.  These flaws are examples of what NOT to do
with IP.

- A service that maps names of local resources to distant addresses
  is  a local problem.

- I did not say the DNS is worse than the HOSTS.TXT table it replaced.
In fact, it clearly isn't.  But the DNS is not a magic wand either, besides its
design flaws.

- I do not think the DNS can be phased out any time soon, or foreseeable.

- However, one must ask what comes after DNS -- because something will.
I fully expect this "something" to interoperate with DNS.

- The same arguments apply to IP -- what comes after IPv4, IPv6? Something
will, and I expect they all to interoperate.  NATs help.

- I think ICANN is a mistaken way to solve a non-existing problem.  The
non-existing problem is how to govern the Internet.  The mistaken way is
by central control.

- The Internet depends on the DNS, it should be the other way around.
Further, this dependence creates an "ideal" control handle, which is
useful for some that do want to unduly control many aspects of the
Internet for their special interests -- and to their detriment, paradoxically.
If a technical system can be designed that would negate such a handle
to all, this would be intrinsically fair and defuse much of the "problems"
we have with DNS and its control (ICANN).

- The IETF abhors liability. However, its actions have defined the DNS,
its flaws, helped shape ICANN, its flaws, and are now trying to shape IP,
and its flaws.  It is time we all think a bit about the highly leveraged game
being played here, with near 800 million Internet users.  MIME's rule of
requiring the least and accepting the most is the best impedance matching
rule we can have, IMO, to allow different systems to interface.

Cheers,

Ed Gerck




Re: Number of Firewall/NAT Users

2001-01-24 Thread Stephen Kent

Ed,

>
>
>Perhaps we agree that DNS names depend on IP numbers as part of their trusted
>context, but IP numbers do not depend on DNS names.
>
>However, certain design choices in the evolution of the DNS,
>since long ago, have made users fully dependent on the DNS for
>certain critical Internet services -- which choices further
>strengthened the position of DNS name registration as the single
>handle of information control in the Internet.  And, in a
>reverse argument, its single point of failure.

>Indeed, the DNS was never intended to be essential to the
>Internet, since all Internet hosts are accessible by their
>IP numbers alone -- however, those engineering choices in the
>design of the resource records and various e-mail protocols make
>it nowadays impossible for an average user to send or receive
>e-mail in the Internet without a DNS service.  In short, DNS names
>have become the addresses of mailboxes and the addresses of
>e-mail forwarders in MX resource records.  Or, you are required to
>have a matching reverse DNS that you do not have. Which is
>another misplaced requirement, since why should you trust a second
>query to a system you do not trust in the first place? This is also
>relevant in terms of failure and control analysis because the e-mail is
>by far, the most important application on the Internet for many users.

Prior to the existence of DNS, we relied on the hosts.txt file which 
was maintained at a central site and downloaded (typically daily) by 
all the hosts. There has long been a reliance on a name to address 
translation facility because addresses are unacceptable as human user 
inputs to applications and because network management requires an 
ability to change the address of a host.  (In the ARPANET days, the 
host addresses were derived from IMP port numbers, so any move of a 
host from one port to another, e.g., due to a local hardware or comm 
line failure, required changing the address of the host.) So I can't 
agree with your assertion that the DNS (or an equivalent name to 
address mapping service) was never intended to be essential to the 
Internet.

>Further, by placing the decisions of network address assignment
>(IP numbers) together with DNS matters under the ruling of one
>private policy-setting company (ICANN), we see another example
>of uniting and making all depend on what is, by design, separate.
>The needs of network traffic (IP) are independent of the needs
>of user services (DNS). They also serve different goals, and
>different customers. One is a pre-defined address space which
>can be bulk-assigned and even bulk-owned (you may own the right to
>use one IP, but not the right to a particular IP), the other is
>a much larger and open-ended name space which cannot be either
>bulk-assigned or bulk-owned. They do not belong together.

They are separated one level down from ICANN, where we have TLDs for 
names that are distinct from regional registries for addresses and 
other numbers. Having one group coordinate these two distinct 
assignment activities offers benefits, since both need some central 
management authority, as well as drawing criticism.

Steve




Re: Again: Number of Firewall/NAT Users

2001-01-24 Thread Brian E Carpenter

Sure. Business users are my 40% handwave - I'm assuming they are all behind
firewalls, and many of them behind NAT. It doesn't surprise me that SMBs
are (almost) all behind NAT.

  Brian 

David Higginbotham wrote:
> 
> just a brief review of local administrator peers at small and medium
> business (+/- 10 admins/business, avg 25 to hosts per/ea) is 100% with
> 'always on' connectivity behind firewall and NAT. very small sample but 100%
> is significant
> David H
> 
> -Original Message-
> From: Brian E Carpenter [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 23, 2001 3:10 PM
> To: Paul Hoffman / IMC
> Cc: Frank Solensky; Jiri Kuthan; [EMAIL PROTECTED]
> Subject: Re: Again: Number of Firewall/NAT Users
> 
> Exactly. More or less by definition, since NATs and firewalls hide
> stuff, we can't possibly measure the stuff they hide.
> And since they are hiding stuff for good reason, administrators
> more or less by definition will not answer accurately. So it can't
> be measured.
> 
> My hand waving estimate is that 40% (160M) of users are behind a firewall
> and/or NAT, 50% (200M) on dial-up, and 10% (40M) have direct always-on
> access.
> But there is no way I can justify these numbers.
> 
>   Brian
> 
> Paul Hoffman / IMC wrote:
> >
> > At 12:10 PM -0500 1/23/01, Frank Solensky wrote:
> > >One could ask a sample of administrators and extrapolate the results
> > >but, again, the problem becomes how confident you could be of the
> > >results if you don't get a very significant response rate
> >
> > The problem is *much* worse than that. You have to be confident that
> > your sampling method actually reflects enough of the Internet to be
> > valid. Determining how you have reached a valid sample of
> > administrators would be an interesting problem. Further, it is safe
> > to assume that administrators for the largest networks are the least
> > likely to reply, or to reply accurately.
> >
> > And then there is the problem of assuming that they understand your
> > question, and can even count the systems on their networks well
> > enough to answer accurately...
> >
> > --Paul Hoffman, Director
> > --Internet Mail Consortium




Re: Number of Firewall/NAT Users

2001-01-23 Thread Keith Moore

Ed,

without getting too long-winded

- I think you're overstating the degree to which the Internet
  protocols depend on DNS (with the notable exception of NATs 
  that use DNS ALG to fake things out).  Users who aren't 
  behind NATs can still use IP addresses directly if they want to,
  and more importantly, so can their applications.

  Sending email to moore@[128.169.94.1] works just fine, and has
  worked just fine for at least 14 years.

- The flaws in DNS notwithstanding, I think you're grossly 
  understating the tremendous advantage that DNS brings to the 
  Internet.  Name-to-address mapping (via HOSTS.TXT and other
  schemes) was regarded as an essential service even before DNS;
  DNS made the job a lot more manageable and has survived, what - 
  four to five orders of magnitude of growth in Internet user 
  population?  Without DNS or something like it, the Internet 
  would never have been anywhere nearly this successful.

- A service that maps names of distant resources to addresses 
  is not a local problem by any stretch of the imagination.

- I agree that the Internet architecture should not depend on DNS,
  but that doesn't mean that DNS is not an essential service.
  We might disagree about the reasons that the architecture should
  not depend on DNS - I would say that we need to be able to build
  other name lookup services that work alongside DNS (rather than 
  having to go through the existing DNS protocol) either because
  they are providing a very different service or because we might
  want to replace DNS someday.  And applications which don't work well 
  through DNS due to performance reasons should not be constrained to 
  have to use it.

- You're grossly overstating ICANN's authority or responsibility
  in either DNS name or IP address assignment, and also the degree 
  to which IETF was able to influence the structure of ICANN.

Keith




Re: Number of Firewall/NAT Users

2001-01-23 Thread Ed Gerck



Keith Moore wrote:

> > > But you missed the point I was trying to make. in those days, the inability
> > > of the mail network (or at least parts of it) to support a single global
> > > address space was correctly recognized as a deficiency in the network -
> > > and people took action to solve the problem (notably deploying MX records).
> >
> > Which broke DNS.  We can no longer send an email to an IP number, mainly
> > due to this myopic choice.  This choice also broke layer independency.
>
> What the heck are you talking about?  Sending email to an IP address never
> was deprecated, and still works just fine...

Perhaps we agree that DNS names depend on IP numbers as part of their trusted
context, but IP numbers do not depend on DNS names.

However, certain design choices in the evolution of the DNS,
since long ago, have made users fully dependent on the DNS for
certain critical Internet services -- which choices further
strengthened the position of DNS name registration as the single
handle of information control in the Internet.  And, in a
reverse argument, its single point of failure.

Indeed, the DNS was never intended to be essential to the
Internet, since all Internet hosts are accessible by their
IP numbers alone -- however, those engineering choices in the
design of the resource records and various e-mail protocols make
it nowadays impossible for an average user to send or receive
e-mail in the Internet without a DNS service.  In short, DNS names
have become the addresses of mailboxes and the addresses of
e-mail forwarders in MX resource records.  Or, you are required to
have a matching reverse DNS that you do not have. Which is
another misplaced requirement, since why should you trust a second
query to a system you do not trust in the first place? This is also
relevant in terms of failure and control analysis because the e-mail is
by far, the most important application on the Internet for many users.

Thus, contrary to usual folklore in the Internet, the DNS is
nowadays essential to Internet usage -- as anyone can verify
simply by trying to send an email to an IP number.

Further, by placing the decisions of network address assignment
(IP numbers) together with DNS matters under the ruling of one
private policy-setting company (ICANN), we see another example
of uniting and making all depend on what is, by design, separate.
The needs of network traffic (IP) are independent of the needs
of user services (DNS). They also serve different goals, and
different customers. One is a pre-defined address space which
can be bulk-assigned and even bulk-owned (you may own the right to
use one IP, but not the right to a particular IP), the other is
a much larger and open-ended name space which cannot be either
bulk-assigned or bulk-owned. They do not belong together.

BTW, these were all decisions that the IETF helped put in place.
But, are they helpful?  I don't think so and I suggest you question
yourself based on what we see today.  While they may seem difficult
to change (ICANN?), at least they may show us what not to repeat
with IPv6 for example -- the syndrome of seeking a global solution to
local problems.


> > It is time IMO for some at the IETF to stop pretending that the Internet
> > can made into a homogeneous network.
>
> The Internet never has been homogeneous, and I don't know anyone who
> has been around IETF very long who pretends that it is.  It has always,
> however, had some minimum standards for addressing and message format
> which not only allowed consenting folks to choose whatever other
> protocols and applications that they wanted to run, and allowed the
> same host and application software to be reused from anywhere in the
> network, and to reach well-known services from anywhere in the network.

Yes.

> But take away that little bit of uniformity - really the minimum necessary -
> and all bets are off.  People who use NATs - especially those using them
> on a large scale - are discovering this the hard way.

This is where we disagree. These people are having the best time and making
the most out of *their* networks.  They would be worse without NATs.

> > Cooperation is not a bunch of people doing the same things at the same
> > time, but different people doing different things at different times and
> > places, for the same objective. Likewise, standardization is not
> > having the same rules for all at all places but having different rules that
> > interoperate for the same objective.
>
> The whole point of the Internet has always been to allow folks to run
> any of a wide variety of networked applications they wanted to run.

Not only applications, but also protocols.

> IP is fundamentally designed to give the maximum utility and flexibility
> with a minimum of constraints on the networks and hosts supporting it.

Yes, but why constrain it to IPv6?  It can -- and should -- interoperate with
IPv4.  And NATs may help there as well, not just with IPv4.

> By contrast, while fol

Re: Number of Firewall/NAT Users

2001-01-23 Thread ned . freed

> > There was even an analogy to NAT's "addresses embedded in the application data
> > stream" problem: if you had an address in your .signature, the gateway couldn't
> > translate it, so the person receiving your message saw an address they couldn't
> > use.

> I liked even better the horror story of the gateway that tried.

> until someone wrote "this gateway translates [EMAIL PROTECTED] into
> [EMAIL PROTECTED]", and it came out to the recipient as
> "this gateway translates [EMAIL PROTECTED] into
> [EMAIL PROTECTED]" ... which somehow failed to get the point
> across

I've actually seen this happen. Mail system configuration files sent to us from
behind such a gateway were curiously corrupt when they reached us, and when we
fixed them and sent them back the errors were in what was received... Turned
out that someone took the corporate mandate to "remove all references to our
old name" a bit too seriously.

If memory serves, we used ROT13 to get around the translation, since
administrative turfs were such that an actual fix for the problem wasn't
possible.

Ned




RE: Again: Number of Firewall/NAT Users

2001-01-23 Thread David Higginbotham

just a brief review of local administrator peers at small and medium
business (+/- 10 admins/business, avg 25 to hosts per/ea) is 100% with
'always on' connectivity behind firewall and NAT. very small sample but 100%
is significant
David H

-Original Message-
From: Brian E Carpenter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 23, 2001 3:10 PM
To: Paul Hoffman / IMC
Cc: Frank Solensky; Jiri Kuthan; [EMAIL PROTECTED]
Subject: Re: Again: Number of Firewall/NAT Users


Exactly. More or less by definition, since NATs and firewalls hide
stuff, we can't possibly measure the stuff they hide.
And since they are hiding stuff for good reason, administrators
more or less by definition will not answer accurately. So it can't
be measured.

My hand waving estimate is that 40% (160M) of users are behind a firewall
and/or NAT, 50% (200M) on dial-up, and 10% (40M) have direct always-on
access.
But there is no way I can justify these numbers.

  Brian

Paul Hoffman / IMC wrote:
>
> At 12:10 PM -0500 1/23/01, Frank Solensky wrote:
> >One could ask a sample of administrators and extrapolate the results
> >but, again, the problem becomes how confident you could be of the
> >results if you don't get a very significant response rate
>
> The problem is *much* worse than that. You have to be confident that
> your sampling method actually reflects enough of the Internet to be
> valid. Determining how you have reached a valid sample of
> administrators would be an interesting problem. Further, it is safe
> to assume that administrators for the largest networks are the least
> likely to reply, or to reply accurately.
>
> And then there is the problem of assuming that they understand your
> question, and can even count the systems on their networks well
> enough to answer accurately...
>
> --Paul Hoffman, Director
> --Internet Mail Consortium




Re: Again: Number of Firewall/NAT Users

2001-01-23 Thread Brian E Carpenter

Exactly. More or less by definition, since NATs and firewalls hide
stuff, we can't possibly measure the stuff they hide.
And since they are hiding stuff for good reason, administrators
more or less by definition will not answer accurately. So it can't
be measured.

My hand waving estimate is that 40% (160M) of users are behind a firewall
and/or NAT, 50% (200M) on dial-up, and 10% (40M) have direct always-on access.
But there is no way I can justify these numbers.

  Brian

Paul Hoffman / IMC wrote:
> 
> At 12:10 PM -0500 1/23/01, Frank Solensky wrote:
> >One could ask a sample of administrators and extrapolate the results
> >but, again, the problem becomes how confident you could be of the
> >results if you don't get a very significant response rate
> 
> The problem is *much* worse than that. You have to be confident that
> your sampling method actually reflects enough of the Internet to be
> valid. Determining how you have reached a valid sample of
> administrators would be an interesting problem. Further, it is safe
> to assume that administrators for the largest networks are the least
> likely to reply, or to reply accurately.
> 
> And then there is the problem of assuming that they understand your
> question, and can even count the systems on their networks well
> enough to answer accurately...
> 
> --Paul Hoffman, Director
> --Internet Mail Consortium




Re: Again: Number of Firewall/NAT Users

2001-01-23 Thread Paul Hoffman / IMC

At 12:10 PM -0500 1/23/01, Frank Solensky wrote:
>One could ask a sample of administrators and extrapolate the results
>but, again, the problem becomes how confident you could be of the
>results if you don't get a very significant response rate

The problem is *much* worse than that. You have to be confident that 
your sampling method actually reflects enough of the Internet to be 
valid. Determining how you have reached a valid sample of 
administrators would be an interesting problem. Further, it is safe 
to assume that administrators for the largest networks are the least 
likely to reply, or to reply accurately.

And then there is the problem of assuming that they understand your 
question, and can even count the systems on their networks well 
enough to answer accurately...

--Paul Hoffman, Director
--Internet Mail Consortium




Re: Again: Number of Firewall/NAT Users

2001-01-23 Thread Frank Solensky

Jiri Kuthan wrote:
> 
> Hello,
> 
> as the discussion departed from my original question to
> the favorite discussion on NAT/ipv6/etc architectural issues,
> I would like to re-raise the question:
> 
> "is anyone aware of any estimations of fraction of Internet users
> who are behind firewalls and NATs?"

Before it goes off into DNS name administration:

None that I've heard of.  From the perspective of those inside the NAT
firewall, the fact that outside world can't tell the size of the hidden
network is an advantage.

One could ask a sample of administrators and extrapolate the results
but, again, the problem becomes how confident you could be of the
results if you don't get a very significant response rate (I tried
something like this a number of years ago when attempting to estimate
the proportion of assigned IPv4 addresses that were actually being used:
expect a healthy degree of skepticism if the queries are coming out of
the blue).

Even if that were possible or in a world without NATs, though: are you
assuming a 1:1 mapping between IP addresses and 'users'?  Between
mainframes in one direction and folks surrounded by multiple machines in
the other, which way do you go?  Is there a 'user' associated with a web
server; if so, what if you've got a load balancer in front?

-- Frank




Again: Number of Firewall/NAT Users

2001-01-23 Thread Jiri Kuthan

Hello,

as the discussion departed from my original question to
the favorite discussion on NAT/ipv6/etc architectural issues,
I would like to re-raise the question:

"is anyone aware of any estimations of fraction of Internet users
who are behind firewalls and NATs?"

Thanks,

Jiri




Re: Number of Firewall/NAT Users

2001-01-23 Thread Jon Crowcroft


o'dell's GSE draft addressed renumbering perfectly.

In message <5.0.2.1.2.20010123015631.02bbba30@localhost>, "David R. Conrad" typed:

 >>Kyle,
 >>
 >>At 03:53 AM 1/23/2001 -0500, Kyle Lussier wrote:
 >>>It is a horrid idea to start setting up NATs on cell phones,
 >>
 >>Hmm.  We should probably tell that to the existing 17+ million users of 
 >>i-Mode in Japan.  Better hurry as i-Mode is moving into Europe.
 >>
 >>>(I liked the ip addressible coffee machine I saw that you could
 >>>telnet into).  Do you really want to put and configure a NAT in
 >>>your coffee maker?
 >>
 >>I would imagine that you'd have a household gateway/NAT, not a NAT on every 
 >>device in your household (and I'd argue if you have to configure anything 
 >>network related on your coffee maker other than perhaps its name, something 
 >>is seriously wrong).
 >>
 >>>As the pain of limited IP address space tightens we'll move more
 >>>and more to IPv6 and it'll level itself out.
 >>
 >>IPv6 is not a magic wand.  Because v6 uses provider based addressing, 
 >>non-transit providers will still need to renumber in v6 as they do in 
 >>v4.  Renumbering can be expensive.  NATs are seen by many enterprises as a 
 >>way of removing the need to renumber should they change providers.  Until 
 >>the issue of renumbering is addressed, NATs will not go away.
 >>
 >>Rgds,
 >>-drc
 >>

 cheers

   jon




RE: Number of Firewall/NAT Users

2001-01-23 Thread David R. Conrad

Kyle,

At 03:53 AM 1/23/2001 -0500, Kyle Lussier wrote:
>It is a horrid idea to start setting up NATs on cell phones,

Hmm.  We should probably tell that to the existing 17+ million users of 
i-Mode in Japan.  Better hurry as i-Mode is moving into Europe.

>(I liked the ip addressible coffee machine I saw that you could
>telnet into).  Do you really want to put and configure a NAT in
>your coffee maker?

I would imagine that you'd have a household gateway/NAT, not a NAT on every 
device in your household (and I'd argue if you have to configure anything 
network related on your coffee maker other than perhaps its name, something 
is seriously wrong).

>As the pain of limited IP address space tightens we'll move more
>and more to IPv6 and it'll level itself out.

IPv6 is not a magic wand.  Because v6 uses provider based addressing, 
non-transit providers will still need to renumber in v6 as they do in 
v4.  Renumbering can be expensive.  NATs are seen by many enterprises as a 
way of removing the need to renumber should they change providers.  Until 
the issue of renumbering is addressed, NATs will not go away.

Rgds,
-drc




RE: Number of Firewall/NAT Users

2001-01-23 Thread Kyle Lussier


> It is time IMO for some at the IETF to stop pretending that the
> Internet can be made into a homogeneous network.  It wasn't and it won't.

IP address space will continue to tighten, exponentially increasing
the pain of dealing with such a small number of IPs.  Then throw in 200
million cell phones with their own IP, and you network everything
in your house, plus all the PDAs and other gadgets coming.

It is a horrid idea to start setting up NATs on cell phones,
on PDAs and only god knows what else will be plugged into the net
(I liked the IP-addressable coffee machine I saw that you could
telnet into).  Do you really want to put and configure a NAT in
your coffee maker?

As the pain of limited IP address space tightens we'll move more
and more to IPv6 and it'll level itself out.  While NATs *work*
they are horribly inelegant.  I'm very much reminded of the days
when there was a PC limit of 640k RAM, and the manufacturers
placed all the video RAM and support stuff above 640k because
"no one would ever need it".  This caused huge problems for
years and years as we all fought to get back to an open address
space... if then...we had only just invested in a good design.

As the pain of limited IP space increases, so shall we switch
and NATs will someday be no more.

The question is, how much will we inflict upon ourselves in the
pursuit of making NATs work?  I hope this time around we
fix the problem earlier.

Kyle Lussier
www.AutoNOC.com




Re: Number of Firewall/NAT Users

2001-01-23 Thread Keith Moore

> > But you missed the point I was trying to make. in those days, the inability
> > of the mail network (or at least parts of it) to support a single global
> > address space was correctly recognized as a deficiency in the network -
> > and people took action to solve the problem (notably deploying MX records).
> 
> Which broke DNS.  We can no longer send an email to an IP number, mainly
> due to this myopic choice.  This choice also broke layer independency.

What the heck are you talking about?  Sending email to an IP address never 
was deprecated, and still works just fine...  not that it is now or ever 
was widely used.  Sending mail to domains with only A records works just 
fine also.  Folks who have native IP connectivity and don't want to set 
up MX records don't have to do so for their servers. 

There was a switch from HOSTS.TXT to DNS, but this had nothing to do with
MX records.  And not many people miss the days when everybody needed
to be in the HOSTS.TXT file in order to receive mail reliably.

Yes there are broken implementations that cannot send mail to IP addresses,
and cannot send mail to domains without an MX record.  But they are quite
clearly broken, and this is clear from both RFC 974 and the recent revision
to RFC 821/974 that is now in the RFC Editor's queue.  Don't confuse
broken implementations with bad design decisions.  

> It is time IMO for some at the IETF to stop pretending that the Internet 
> can be made into a homogeneous network.  

The Internet never has been homogeneous, and I don't know anyone who
has been around IETF very long who pretends that it is.  It has always, 
however, had some minimum standards for addressing and message format 
which not only allowed consenting folks to choose whatever other 
protocols and applications that they wanted to run, and allowed the 
same host and application software to be reused from anywhere in the 
network, and to reach well-known services from anywhere in the network.  

But take away that little bit of uniformity - really the minimum necessary -
and all bets are off.  People who use NATs - especially those using them
on a large scale - are discovering this the hard way.

> Cooperation is not a bunch of people doing the same things at the same 
> time, but different people doing different things at different times and 
> places, for the same objective. Likewise, standardization is not
> having the same rules for all at all places but having different rules that
> interoperate for the same objective.

The whole point of the Internet has always been to allow folks to run
any of a wide variety of networked applications they wanted to run.  
IP is fundamentally designed to give the maximum utility and flexibility
with a minimum of constraints on the networks and hosts supporting it.

By contrast, while folks can clearly do whatever they like with their 
own networks, folks that put NATs on their networks are limiting the 
set of applications that they can run.  Now maybe you're right that 
the existence of NATs is just another example of people doing what 
they like with their networks - just as they always have.  Maybe NATs
are the Internet's adolescence.  But just like adolescents don't always 
understand the consequences of their actions, neither do the folks who 
install NATs on their networks.

IETF cannot compel people to stop using NATs, and it shouldn't try.
But it can and should develop solutions to the problems that NATs 
purport to solve, which work better than NAT.
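The resolution rules Keith is relying on, as an added example written for this page (not code from any message in the thread, and not any real MTA's implementation): an RFC 974 style lookup that orders explicit MX records by preference, falls back to the domain's own A record when no MX exists, and delivers directly to a bracketed address literal with no DNS at all. The zone data below is constructed for the illustration; the rule about dropping the sender's own host from the MX list is left out.

```python
import ipaddress

# Constructed zone data standing in for DNS answers (example only, not real records).
# Each name maps to its MX records as (preference, exchanger) and its A records.
ZONE = {
    "example.org":          {"MX": [(20, "mx2.example.org"), (10, "mx1.example.org")],
                             "A": ["192.0.2.1"]},
    "mx1.example.org":      {"A": ["192.0.2.10"]},
    "mx2.example.org":      {"A": ["192.0.2.20"]},
    "plain.example.net":    {"A": ["198.51.100.5"]},                 # A record only, no MX
    "dangling.example.net": {"MX": [(10, "missing.example.net")]},   # MX to a name with no A
}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])


def mail_targets(addr_spec):
    """Ordered (exchanger, address) list for an RFC 822 addr-spec, per RFC 974:
    explicit MX records by ascending preference; if there are none, the domain
    itself acts as an implicit MX; a bracketed address literal needs no DNS."""
    local, _, domain = addr_spec.rpartition("@")
    if not local or not domain:
        raise ValueError("not a mailbox: " + addr_spec)

    # Address literal, e.g. user@[192.0.2.77]: connect to that address directly.
    if domain.startswith("[") and domain.endswith("]"):
        ip = ipaddress.ip_address(domain[1:-1])   # rejects anything that is not an address
        return [(domain, str(ip))]

    mx = lookup(domain, "MX")
    if mx:
        # Lowest preference value is tried first; equal preferences keep input
        # order here (RFC 974 says to pick among equals at random).
        exchangers = [host for _, host in sorted(mx, key=lambda rr: rr[0])]
    else:
        # No MX: behave as if an MX with preference 0 pointed at the domain itself.
        exchangers = [domain]

    targets = [(host, ip) for host in exchangers for ip in lookup(host, "A")]
    if not targets:
        # Every exchanger is unresolvable: the domain is misconfigured, not the sender.
        raise LookupError("no usable mail exchanger for " + domain)
    return targets


if __name__ == "__main__":
    for mailbox in ("user@example.org", "user@plain.example.net", "user@[192.0.2.77]"):
        print(mailbox, "->", mail_targets(mailbox))
```

A sender that refuses `user@[192.0.2.77]` or `user@plain.example.net` is adding restrictions the specification never imposed, which is the distinction between a broken implementation and a design decision that Keith draws.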




Re: Number of Firewall/NAT Users

2001-01-22 Thread Ed Gerck



Keith Moore wrote:

> > | at least in those days, gateway proponents didn't insist that people
> > | shouldn't include email addresses in the bodies of their messages.
> >
> > You miss the point that including "GRECO::MARYK" as an email address
> > in a USENET message is about as useful as including 10.0.0.26 in an
> > IP header -- the local meaning is essentially unusable to a non-local
> > recipient.
>
> Actually it was sort of useful, if you knew how to translate.
> (or could find a local mail expert that did)
>
> But you missed the point I was trying to make. in those days, the inability
> of the mail network (or at least parts of it) to support a single global
> address space was correctly recognized as a deficiency in the network -
> and people took action to solve the problem (notably deploying MX records).

Which broke DNS.  We can no longer send an email to an IP number, mainly
due to this myopic choice.  This choice also broke layer independency.

So, even though there is no reason why one needs to use DNS in order to send
an email, people must use it nowadays for this purpose.  What was a convenience
became a limitation because of a bad design choice in MX records.  So much for
a "single global address space" that does not respect local flexibility.

NAT boxes are thus just IMO a healthy rebound of the very principles that created
the Internet -- and we must be careful, otherwise pretty soon we are going to have
other things to "solve the problem" (notably as it happened with MX records).

It is time IMO for some at the IETF to stop pretending that the Internet can be made into
a homogeneous network.  It wasn't and it won't.  Cooperation is not a bunch of people
doing the same things at the same time, but different people doing different things
at different times and places, for the same objective. Likewise, standardization is not
having the same rules for all at all places but having different rules that interoperate
for the same objective.

Interoperation should be the defining factor for an Internet standard, and the same
applies to NAT boxes.  If they interoperate, what else should be required?  Nothing.

Cheers,

Ed Gerck




Re: Number of Firewall/NAT Users

2001-01-22 Thread Keith Moore

> | Nowadays people often act as if NATs were the way the Internet was supposed
> | to work, and that it's the applications and the users of those applications
> | who are broken if they want a network that supports a global address space.
> 
> Well, the genie is out of the bottle, and if NAT is winning the
> fight against NAT-hostile applications, I'd think that applications
> writers would be better off taking the existence of NAT into account,
> no matter what their NAT politics are.

If you can make your application work as well or nearly as well in
the presence of NATs, you'd be silly not to take the existence of
NAT into account.  However this isn't always feasible.

> If a compelling application comes along that is NAT-hostile, that
> will be interesting, 

Several of them already exist, and it is indeed "interesting"...
in the sense of the "may you live in interesting times" curse.

> but I can't imagine it's in anyone's interest
> to provoke such a conflict when there are well-known NAT-friendly
> ways of replacing embedded IP addresses in most higher-level protocols
> that use them...

First of all, this is so off the mark as to be completely false.  
Second, you're grossly understating the nature of the NAT problem, 
because the inability to embed IP addresses is only one facet of that 
problem.

Look at http://www.cs.utk.edu/~moore/what-nats-break.html

> For those that are unremittingly unable to use things like the DNS,
> perhaps the NSRG will cough up an RFC-822 someday soon, and that will
> let you sleep better at night.  :-)

I'm on NSRG, and that's not what it's working on.
And RFC 822 for networks already exists; it's called IP.

> | Now you're suggesting that we need yet another layer, presumably something
> | that runs over NATs.
> 
> No, something that runs over a catenet of every conceivable type of
> network, including ones which are IP or v6 based.  

To do that you would need yet another name space, and while it might
be useful to separate endpoint names from names for attachment points 
in the network topology, you would still need efficient ways to map
between the two...and DNS-like technology isn't even close to being 
adequate.

> Why should you care
> whether routers are making decisions based on tags, 32-bit addresses,
> 128-bit addresses (or only 64 bits of a 128 bit address), or
> fully variable-length addresses, or even whether some routers along
> the way are using one of these and other routers are doing something
> completely different?  

As an application writer, I don't care so much (though it is sometimes
useful for applications to be able to know about the network topology).

However, as a network administrator, I absolutely want to be able to set 
up my own links between arbitrary points in the network, and having
a variety of network-layer protocols (as opposed to a variety of 
link-layer protocols) doesn't help that in the least.  

What you are proposing sounds like a useless extra layer.  We've already
solved that problem with IP; we don't need to solve it again to try to
accommodate an arbitrary number of network-layer protocols.

> Surely you're happy as long as your TCP segment
> or UDP datagram gets to the right host with a destination address
> which can be used to get a TCP segment or UDP datagram back to you?

No, that's not even close to enough to support distributed applications.  
I also need a global address space, at least from the application's
point of view...and for various reasons applications often need to be 
able to look into the network topology (think logging, and diagnostics,
in addition to location-sensitive selection of resources).

Keith




Re: Number of Firewall/NAT Users

2001-01-22 Thread Valdis . Kletnieks

On Tue, 23 Jan 2001 01:11:12 +0100, Harald Alvestrand <[EMAIL PROTECTED]>  said:
> I liked even better the horror story of the gateway that tried...
> until someone wrote "this gateway translates [EMAIL PROTECTED] into 
> [EMAIL PROTECTED]", and it came out to the recipient as
> "this gateway translates [EMAIL PROTECTED] into 
> [EMAIL PROTECTED]"... which somehow failed to get the point 
> across

The best one-paragraph summary of RFC2993 I've seen yet.

/V




Re: Number of Firewall/NAT Users

2001-01-22 Thread Harald Alvestrand

At 12:42 22/01/2001 -0500, John Stracke wrote:
>There was even an analogy to NAT's "addresses embedded in the application data
>stream" problem: if you had an address in your .signature, the gateway couldn't
>translate it, so the person receiving your message saw an address they couldn't
>use.

I liked even better the horror story of the gateway that tried...
until someone wrote "this gateway translates [EMAIL PROTECTED] into 
[EMAIL PROTECTED]", and it came out to the recipient as
"this gateway translates [EMAIL PROTECTED] into 
[EMAIL PROTECTED]"... which somehow failed to get the point 
across

--
Harald Tveit Alvestrand, [EMAIL PROTECTED]
+47 41 44 29 94
Personal email: [EMAIL PROTECTED]




Re: Number of Firewall/NAT Users

2001-01-22 Thread Sean Doran


| Nowadays people often act as if NATs were the way the Internet was supposed 
| to work, and that it's the applications and the users of those applications 
| who are broken if they want a network that supports a global address space.

Well, the genie is out of the bottle, and if NAT is winning the
fight against NAT-hostile applications, I'd think that applications
writers would be better off taking the existence of NAT into account,
no matter what their NAT politics are.

If a compelling application comes along that is NAT-hostile, that
will be interesting, but I can't imagine it's in anyone's interest
to provoke such a conflict when there are well-known NAT-friendly 
ways of replacing embedded IP addresses in most higher-level protocols
that use them...

For those that are unremittingly unable to use things like the DNS,
perhaps the NSRG will cough up an RFC-822 someday soon, and that will
let you sleep better at night.  :-)

| Now you're suggesting that we need yet another layer, presumably something
| that runs over NATs. 

No, something that runs over a catenet of every conceivable type of
network, including ones which are IP or v6 based.  Why should you care
whether routers are making decisions based on tags, 32-bit addresses,
128-bit addresses (or only 64 bits of a 128 bit address), or 
fully variable-length addresses, or even whether some routers along
the way are using one of these and other routers are doing something
completely different?  Surely you're happy as long as your TCP segment
or UDP datagram gets to the right host with a destination address
which can be used to get a TCP segment or UDP datagram back to you?

IPv4ever ultimately is a UNI philosophy; the NNI is totally up in the air.
For now, it's pretty clearly IPv4.

Sean.




Re: Number of Firewall/NAT Users

2001-01-22 Thread Sean Doran

Valdis Kletnieks writes:

| On Mon, 22 Jan 2001 23:53:30 +0100, Sean Doran said:
| > Nobody really constrains protocols from carrying a local IP address
| > around any more than anyone constrains from putting local addresses
| > into a text message.  It's just that communicating by naively replying
| > to such an embedded address is unlikely to work.
|
| The problem with NAT is the same problem as people who put locally usable
| addresses in their .signature files - the NAT *doesnt* fix those up when
| it becomes a non-local address BY VIRTUE OF PASSING THROUGH THE NAT.

Is it just me, or do these two message fragments have identical semantics?

If so, I'm having major trouble with the idea of constraining something
by letting it pass through in an un-rewritten form...

Maybe the problem here is that "protocols" is too large; I meant things
that ride around as a client of the IP network layer.

In any event, the solution is a standard representation of "who" that
is readily convertible into "where" in many different types of transport
networks.  IP addresses no longer qualify on that front, no matter what
your NAT politics are like.

Sean.




Re: Number of Firewall/NAT Users

2001-01-22 Thread Valdis . Kletnieks

On Mon, 22 Jan 2001 23:53:30 +0100, Sean Doran said:
> Nobody really constrains protocols from carrying a local IP address
> around any more than anyone constrains from putting local addresses
> into a text message.   It's just that communicating by naively replying
> to such an embedded address is unlikely to work.

Actually, NAT *does* constrain protocols from carrying around a local
IP address if it's emitted out into the world.  Remember that if it's
a LOCAL address, it's used *only* behind the NAT, and nobody cares about
that case.

The problem with NAT is the same problem as people who put locally usable
addresses in their .signature files - the NAT *doesnt* fix those up when
it becomes a non-local address BY VIRTUE OF PASSING THROUGH THE NAT.
-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech



 PGP signature
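The failure Valdis and Keith describe, as an added example written for this page (not code from any message in the thread or from any real NAT): a toy port-translating NAT that rewrites only the IP and port headers, an application payload that carries the sender's own address, and an outside peer that tries to reply to each. The addresses, ports and the "CONTACT host:port" application syntax are constructed for the illustration; the `outbound_with_alg` variant is the textual fix-up that "NAT-friendly" proposals amount to.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Just the fields a NAT looks at, plus an opaque application payload."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class Napt:
    """Toy port-translating NAT: many inside hosts share one public address.
    It rewrites headers only and never parses the payload, like a plain NAT."""

    def __init__(self, public_ip, inside_net, first_port=40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        self.out_map = {}   # (inside ip, inside port) -> public port
        self.in_map = {}    # public port -> (inside ip, inside port)

    def outbound(self, pkt):
        """Inside -> outside: allocate (or reuse) a public port and rewrite the source."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt                                   # not ours to translate
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def outbound_with_alg(self, pkt):
        """Same, plus a naive ALG that textually substitutes the inside endpoint
        wherever it appears in the payload (the 'NAT-friendly' fix-up)."""
        out = self.outbound(pkt)
        fixed = pkt.payload.replace(f"{pkt.src}:{pkt.sport}", f"{out.src}:{out.sport}")
        return replace(out, payload=fixed)

    def inbound(self, pkt):
        """Outside -> inside: only packets that hit an existing mapping get through;
        everything else is dropped (returned as None)."""
        if pkt.dst != self.public_ip or pkt.dport not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[pkt.dport]
        return replace(pkt, dst=inside_ip, dport=inside_port)


def endpoint_from_payload(payload):
    """Parse the constructed 'CONTACT host:port' application message."""
    _, _, endpoint = payload.partition("CONTACT ")
    host, _, port = endpoint.partition(":")
    return host, int(port)


def outside_reply_reaches_inside(nat, ip, port):
    """An outside host opens a fresh packet to the endpoint it was told about."""
    reply = Packet(src="198.51.100.7", sport=23456, dst=ip, dport=port, payload="hello")
    return nat.inbound(reply) is not None


if __name__ == "__main__":
    nat = Napt("203.0.113.1", "10.0.0.0/8")
    inside = Packet("10.0.0.26", 5000, "198.51.100.7", 80, "CONTACT 10.0.0.26:5000")
    wire = nat.outbound(inside)
    print("header after NAT :", wire.src, wire.sport)      # public address, mapped port
    print("payload after NAT:", wire.payload)              # still names 10.0.0.26
    print("reply to header  :", outside_reply_reaches_inside(nat, wire.src, wire.sport))
    print("reply to payload :", outside_reply_reaches_inside(nat, *endpoint_from_payload(wire.payload)))
```

The reply addressed to the header works because the NAT holds a mapping for it; the reply addressed to the endpoint inside the payload is dropped, because that address never left the inside network in any form the NAT knows about. The ALG variant makes the callback work only because it understands this one constructed protocol, and it substitutes blindly wherever the string occurs, which is exactly Harald's gateway that rewrote the addresses inside a sentence about rewriting addresses.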


Re: Number of Firewall/NAT Users

2001-01-22 Thread Keith Moore

> | at least in those days, gateway proponents didn't insist that people
> | shouldn't include email addresses in the bodies of their messages.
> 
> You miss the point that including "GRECO::MARYK" as an email address
> in a USENET message is about as useful as including 10.0.0.26 in an
> IP header -- the local meaning is essentially unusable to a non-local 
> recipient.

Actually it was sort of useful, if you knew how to translate.
(or could find a local mail expert that did)
  
But you missed the point I was trying to make. in those days, the inability 
of the mail network (or at least parts of it) to support a single global 
address space was correctly recognized as a deficiency in the network - 
and people took action to solve the problem (notably deploying MX records).

Nowadays people often act as if NATs were the way the Internet was supposed 
to work, and that it's the applications and the users of those applications 
who are broken if they want a network that supports a global address space.
Actually it's the other way around, and people are taking action to 
increase the brokenness.

> RFC-822 was a great leap forward for embedding a global namespace into
> text messages, and I am pleased to say that even my own RFC-822 address
> works fine at UKY, despite my NAT stance. :-)

Yes, and IP was a great leap forward for having a single global namespace
and a single message format to send over all manner of transmission media.
It worked quite well at this until NATs came along.  

Now you're suggesting that we need yet another layer, presumably something
that runs over NATs.  Given the current state of NAT deployment, it's hard 
to fault that reasoning.  But it really does seem that we've solved that 
problem before, and to solve it again in a less efficient way seems like 
taking one tiny step forward to try to counteract a huge step backward.

Keith




Re: Number of Firewall/NAT Users

2001-01-22 Thread Sean Doran

Keith Moore writes:

| at least in those days, gateway proponents didn't insist that people
| shouldn't include email addresses in the bodies of their messages.

You miss the point that including "GRECO::MARYK" as an email address
in a USENET message is about as useful as including 10.0.0.26 in an
IP header -- the local meaning is essentially unusable to a non-local 
recipient.

Nobody really constrains protocols from carrying a local IP address
around any more than anyone constrains from putting local addresses
into a text message.   It's just that communicating by naively replying
to such an embedded address is unlikely to work.

RFC-822 was a great leap forward for embedding a global namespace into
text messages, and I am pleased to say that even my own RFC-822 address
works fine at UKY, despite my NAT stance. :-)

There needs to be an RFC-822 for identifying IP-packet-receivers independently
from actual network topology analogous to the way that it identified mailboxes
independently from actual network topology (hey, consider that you even
may have had your mail cross different types of small-i internet when
sending mail to places like [EMAIL PROTECTED]!).

Sean.




Re: Number of Firewall/NAT Users

2001-01-22 Thread Keith Moore

> > I remember when the email
> > network was a heterogeneous network consisting of UUCP, BITNET, DECnet,
> > SMTP, X.400, and a few other things thrown in.  It "worked", sort of,
> > but we had all kinds of problems with the translations at the boundaries,
> > with addresses from one network leaking past the gateways into another
> > network, with addresses being "translated" in such a way that they
> > were no longer usable in the destination network.
> 
> There was even an analogy to NAT's "addresses embedded in the application 
> data stream" problem: if you had an address in your .signature, the gateway
> couldn't translate it, so the person receiving your message saw an address 
> they couldn't use.

at least in those days, gateway proponents didn't insist that people
shouldn't include email addresses in the bodies of their messages.

Keith




Re: Number of Firewall/NAT Users

2001-01-22 Thread Matt Holdrege

At 08:53 AM 1/22/2001, Henning G. Schulzrinne wrote:
>Brian E Carpenter wrote:
> > The ISOC isn't a trade association, which is where such seals
> > of approval (and the associated b*ke-offs) tend to come from.
>
>Maybe the IPv6 consortium or whatever they call themselves could do
>this, since IPv6 is a (the only?) realistic alternative to NATs.

Long term, yes. But Class A addresses for all the always-on users today 
would eliminate a heck of a lot of NAT out there. And I wasn't referring to 
a "seal-of-approval". Just some sort of formal recognition.




Re: Number of Firewall/NAT Users

2001-01-22 Thread John Stracke

Keith Moore wrote:

> I remember when the email
> network was a heterogeneous network consisting of UUCP, BITNET, DECnet,
> SMTP, X.400, and a few other things thrown in.  It "worked", sort of,
> but we had all kinds of problems with the translations at the boundaries,
> with addresses from one network leaking past the gateways into another
> network, with addresses being "translated" in such a way that they
> were no longer usable in the destination network.

There was even an analogy to NAT's "addresses embedded in the application data
stream" problem: if you had an address in your .signature, the gateway couldn't
translate it, so the person receiving your message saw an address they couldn't
use.

--
John Stracke | http://www.ecal.com | My opinions are my own.
Chief Scientist, eCal Corp. | [EMAIL PROTECTED]
"Go not to the Vorlons for advice, for they will say both no and sherbert."






Re: Number of Firewall/NAT Users

2001-01-22 Thread Henning G. Schulzrinne

Brian E Carpenter wrote:
> 

> > - without "transparent" caches
> 
> Do you mean interception proxies, in WREC terminology?

Yes.

> 
> > - no port restrictions
> 
> And no protocol type restrictions
> 
> > - no NATs
> 
> How about adding IPv6 support?

Good idea.

> >
> > (and whatever other abominations one might want to add to this list).
> > Seems like a good role for ISOC, for example :-)
> 
> The ISOC isn't a trade association, which is where such seals
> of approval (and the associated b*ke-offs) tend to come from.

Maybe the IPv6 consortium or whatever they call themselves could do
this, since IPv6 is a (the only?) realistic alternative to NATs.

-- 
Henning Schulzrinne   http://www.cs.columbia.edu/~hgs




Re: Number of Firewall/NAT Users

2001-01-22 Thread Brian E Carpenter

Henning Schulzrinne wrote:
...
> However, I think it's high time to establish a "Good Housekeeping" seal
> for "real" (pure, unadultared, GM-free, ...) Internet service, i.e.,
> 
> - without "transparent" caches

Do you mean interception proxies, in WREC terminology? 

> - no port restrictions

And no protocol type restrictions

> - no NATs

How about adding IPv6 support?
> 
> (and whatever other abominations one might want to add to this list).
> Seems like a good role for ISOC, for example :-)

The ISOC isn't a trade association, which is where such seals
of approval (and the associated b*ke-offs) tend to come from.

Brian




Re: Number of Firewall/NAT Users

2001-01-22 Thread Brian E Carpenter

Keith Moore wrote:
> 
> > The IETF has done its job with 6to4, but like you said we can't force
> > people to deploy it. But let's stop and think about 6to4. Aren't some of
> > the same "tricks" or ALG's that are planned to make applications work
> > with IPv4 NAT, applicable to 6to4? If so, then we must find solutions
> > now since 6to4 could be with us for many years.
> 
> Given that the whole point of 6to4 is to allow IPv6 packets to be
> passed end-to-end without modification, I don't see how ALGs apply at
> all. NAT-PT of course has similar issues to v4 NAT, but NAT-PT and
> 6to4 are different things.

Indeed. 6to4 is a solution for IPv6 islands to talk to other IPv6 islands.
No ALG issues at all. (The "to" represents the address mapping trick used.)

NAT-PT solves a different problem - how can IPv6-only devices communicate
with the IPv4 legacy? And that does call for ALG support.

   Brian
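The address-mapping trick Brian refers to, as an added example written for this page (not from the thread or from any 6to4 implementation): the 6to4 site prefix is the site's public IPv4 address written into the 2002::/16 prefix, and a 6to4 router derives the IPv4 tunnel endpoint for an outgoing IPv6 packet straight from the packet's destination address, with no translation of the inner packet. The addresses used are constructed documentation addresses, and the RFC 1918 check is the example's own, added because a router that only has a private address behind a NAT cannot be tunnelled to.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPPROTO_IPV6 = 41          # protocol number of IPv6-in-IPv4 encapsulation


def six_to_four_prefix(ipv4):
    """2002:VVVV:VVVV::/48 where VVVVVVVV is the site's global IPv4 address in hex."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in RFC1918):
        # A router behind a NAT has only a private address, so no peer could
        # tunnel back to it: 6to4 needs a globally routable IPv4 address.
        raise ValueError(f"{v4} is private; 6to4 needs a globally unique IPv4 address")
    hi, lo = divmod(int(v4), 1 << 16)
    return ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48")


def embedded_ipv4(ipv6):
    """Recover the IPv4 address carried in bits 16..47 of a 6to4 address, or None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def outer_header(ipv6_dst, own_ipv4):
    """What a 6to4 router wraps around an IPv6 packet: (IPv4 src, IPv4 dst, proto).
    The IPv6 packet itself travels unmodified inside, so nothing needs an ALG.
    Returns None for a non-6to4 destination, which has to go via a relay router."""
    dst4 = embedded_ipv4(ipv6_dst)
    if dst4 is None:
        return None
    return (str(ipaddress.IPv4Address(own_ipv4)), str(dst4), IPPROTO_IPV6)


def site_host_address(ipv4, subnet, interface_id):
    """Pick a host address inside the site's /48: prefix + 16-bit subnet + 64-bit IID."""
    prefix = six_to_four_prefix(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet << 64) | interface_id)


if __name__ == "__main__":
    print(six_to_four_prefix("192.0.2.1"))                       # 2002:c000:201::/48
    print(site_host_address("192.0.2.1", 1, 1))                  # 2002:c000:201:1::1
    print(outer_header("2002:c000:201:1::1", "198.51.100.9"))    # ('198.51.100.9', '192.0.2.1', 41)
```

The contrast with NAT-PT is visible in `outer_header`: the router needs no per-flow state and never touches the inner packet, because the mapping between the two address families is a function of the address itself rather than a table the box has to maintain and keep consistent with whatever the payload says.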




Re: Number of Firewall/NAT Users

2001-01-22 Thread Daniel Senie

Joel Jaeggli wrote:
> 
> you might check out the rather spirited discussion during the plenary at
> ietf49...
> 
> the official proceeding will be up shortly on the ietf website, video of
> the event is at:
> 
> http://videolab.uoregon.edu/events/ietf/ietf49.html

What can be heard on the audio (some of the question microphones were
not connected to the video capture system) showed a rather less
"spirited" discussion than I thought I'd find based on your message. I
took the opportunity to watch some of the presentations, which helped
provide context (especially Randy's presentation on DNS, and the
comments within on architectural restraint).

The "spirited discussion" consisted of a limited number of people saying
things that either they or others have said before. Perry, for example,
talked about the costs of multiple, overlapping NAT stuffs and the huge
amounts of money that's costing folks. He's made the same point in other
plenaries and in other meetings. What he said is certainly a problem,
and one we'd all like to see disappear. Keith expressed concern
(starting the discussion) that the IETF should be working on a better
architecture to deal with replacing NAT. To do so, we'd have to solve
the customer needs which are driving folks to NAT, of course.

So, in reviewing the video, I saw people generating plenty of heat, but
little light.

-- 
Daniel Senie                [EMAIL PROTECTED]
Amaranth Networks Inc.      http://www.amaranth.com




Re: Number of Firewall/NAT Users

2001-01-22 Thread Jon Crowcroft


In message <[EMAIL PROTECTED]>, Keith Moore typed:

 >>> The IETF has done its job with 6to4, but like you said we can't force
 >>> people to deploy it. But let's stop and think about 6to4. Aren't some of
 >>> the same "tricks" or ALG's that are planned to make applications work 
 >>> with IPv4 NAT, applicable to 6to4? If so, then we must find solutions 
 >>> now since 6to4 could be with us for many years.

 >>Given that the whole point of 6to4 is to allow IPv6 packets to be
 >>passed end-to-end without modification, I don't see how ALGs apply at 
 >>all. NAT-PT of course has similar issues to v4 NAT, but NAT-PT and
 >>6to4 are different things.

Keith


2 ways forward are 

1/ what you propose - provide clean, alternate
complete solutions for today's ISPs - 6to4 is only part of a big
system deployment - it would be nice to come up with smaller staging
posts along the way... something i've wondered about:

NAT is predicated at least partly on the observation that a lot of 
internet users don't appear to need to be "always on" 
(i.e. like temporal locality
(not spatial locality) of telephone nets,
there's a distribution of use and it means that we can get away with
far fewer addresses allocated than users).

  I would suggest that if an ISP asks for address space based on a
number of users but then uses NATs they are misrepresenting the
number of users and should be given less address space:-)
(i think this is doubly fair since they make less use of addresses, AND
less applications are able to run to and from their users)

2/ make a clear business for ISPs to offer NAT free access as a
competitive advantage

3/ here's a silly idea - take some of the address space and make it
client only. (i.e declare half the remaining address space to be
asymmetric - truth in advertising...
since there's then no servers, you can use port expanders on the low
1024 bits of the tcp or udp port to get more addresses(yes, port
nats, but as part of the official address allocation plan...)

 cheers

   jon




Re: Number of Firewall/NAT Users

2001-01-21 Thread Keith Moore

> The IETF has done its job with 6to4, but like you said we can't force
> people to deploy it. But let's stop and think about 6to4. Aren't some of
> the same "tricks" or ALG's that are planned to make applications work 
> with IPv4 NAT, applicable to 6to4? If so, then we must find solutions 
> now since 6to4 could be with us for many years.

Given that the whole point of 6to4 is to allow IPv6 packets to be
passed end-to-end without modification, I don't see how ALGs apply at 
all. NAT-PT of course has similar issues to v4 NAT, but NAT-PT and
6to4 are different things.

Keith




Re: Number of Firewall/NAT Users

2001-01-21 Thread Matt Holdrege

Perhaps there is a difference with the Nynex/BA side of Verizon and the GTE 
part. The GTE part uses 4.x.x.x which it got from a previous acquisition.

At 07:05 PM 1/21/2001, Henning Schulzrinne wrote:
>Before handing out awards: one of my colleagues here, living in
>Westchester County, got a nice 10.x.x.x address (net A alright...) and
>couldn't figure out why Exceed wasn't working.
>
>However, I think it's high time to establish a "Good Housekeeping" seal
>for "real" (pure, unadulterated, GM-free, ...) Internet service, i.e.,
>
>- without "transparent" caches
>- no port restrictions
>- no NATs
>
>(and whatever other abominations one might want to add to this list).
>Seems like a good role for ISOC, for example :-)
>
>Matt Holdrege wrote:
> >
> > At 11:47 AM 1/21/2001, Daniel Senie wrote:
> > >[EMAIL PROTECTED] wrote:
> > >
> > > > Let's stamp out NAT, *now* - before it becomes too entrenched and 
> we can
> > > > never get rid of it.  We don't need that sort of "worked" again.
> > >
> > >Ummm, it's FAR too late for that. As for numbers of users, it's my guess
> > >a large percentage of the cable modem users and DSL users are running
> > >NAPT boxes.
> >
> > Speaking of DSL and NAT, I think we should give credit where credit is due
> > and thank Verizon for handing out public Class A addresses to their legions
> > of DSL users. If we credit them enough, three things may happen. First of
> > all they will stay with this scheme and never use NAT. Secondly other DSL
> > or cable providers may see the wisdom of this and do the same. Lastly
> > perhaps we can reallocate some Class A address space to the large always-on
> > providers who need it.
> >
> > I think the Internet Society ought to give them an award or something
> > (hint, hint).
> >
> > -
> > This message was passed through [EMAIL PROTECTED], which
> > is a sublist of [EMAIL PROTECTED] Not all messages are passed.
> > Decisions on what to pass are made solely by Harald Alvestrand.




Re: Number of Firewall/NAT Users

2001-01-21 Thread Henning Schulzrinne

Before handing out awards: one of my colleagues here, living in
Westchester County, got a nice 10.x.x.x address (net A alright...) and
couldn't figure out why Exceed wasn't working.

However, I think it's high time to establish a "Good Housekeeping" seal
for "real" (pure, unadulterated, GM-free, ...) Internet service, i.e.,

- without "transparent" caches
- no port restrictions
- no NATs

(and whatever other abominations one might want to add to this list).
Seems like a good role for ISOC, for example :-)

Matt Holdrege wrote:
> 
> At 11:47 AM 1/21/2001, Daniel Senie wrote:
> >[EMAIL PROTECTED] wrote:
> >
> > > Let's stamp out NAT, *now* - before it becomes too entrenched and we can
> > > never get rid of it.  We don't need that sort of "worked" again.
> >
> >Ummm, it's FAR too late for that. As for numbers of users, it's my guess
> >a large percentage of the cable modem users and DSL users are running
> >NAPT boxes.
> 
> Speaking of DSL and NAT, I think we should give credit where credit is due
> and thank Verizon for handing out public Class A addresses to their legions
> of DSL users. If we credit them enough, three things may happen. First of
> all they will stay with this scheme and never use NAT. Secondly other DSL
> or cable providers may see the wisdom of this and do the same. Lastly
> perhaps we can reallocate some Class A address space to the large always-on
> providers who need it.
> 
> I think the Internet Society ought to give them an award or something
> (hint, hint).
> 
> -
> This message was passed through [EMAIL PROTECTED], which
> is a sublist of [EMAIL PROTECTED] Not all messages are passed.
> Decisions on what to pass are made solely by Harald Alvestrand.




Re: Number of Firewall/NAT Users

2001-01-21 Thread Matt Holdrege

At 11:47 AM 1/21/2001, Daniel Senie wrote:
>[EMAIL PROTECTED] wrote:
>
> > Let's stamp out NAT, *now* - before it becomes too entrenched and we can
> > never get rid of it.  We don't need that sort of "worked" again.
>
>Ummm, it's FAR too late for that. As for numbers of users, it's my guess
>a large percentage of the cable modem users and DSL users are running
>NAPT boxes.

Speaking of DSL and NAT, I think we should give credit where credit is due 
and thank Verizon for handing out public Class A addresses to their legions 
of DSL users. If we credit them enough, three things may happen. First of 
all they will stay with this scheme and never use NAT. Secondly other DSL 
or cable providers may see the wisdom of this and do the same. Lastly 
perhaps we can reallocate some Class A address space to the large always-on 
providers who need it.

I think the Internet Society ought to give them an award or something 
(hint, hint).




Re: Number of Firewall/NAT Users

2001-01-21 Thread Matt Holdrege

At 05:39 PM 1/21/2001, Keith Moore wrote:
> > >NAT is an architecturally bankrupt strategy - the more you try to fix
> > >it, the more complex the architecture becomes, the harder it becomes to
> > >write and configure applications, and the more brittle the network
> > >becomes.  There is no way to fix the problems created by NAT without
> > >a global name space for points in the network topology, and this is
> > >the thing that NAT fundamentally destroys.
> >
> > I agree with that, but see no other alternative (other than waiting for
> > IPv6) than improving communication through NAT piece by piece.
>
>The best way to improve communication through NAT is for the NAT
>boxes to support IPv6 routing and 6to4.

The IETF has done its job with 6to4, but like you said we can't force 
people to deploy it. But let's stop and think about 6to4. Aren't some of 
the same "tricks" or ALG's that are planned to make applications work with 
IPv4 NAT, applicable to 6to4? If so, then we must find solutions now since 
6to4 could be with us for many years.




Re: Number of Firewall/NAT Users

2001-01-21 Thread Keith Moore

> >By all means, let's deal with NAT.  Let's find better solutions to the
> >problems that NAT purports to solve - solutions that don't create the
> >plethora of additional problems that inherently come with NATs.
> 
> The only true solution is to not use NAT. Yet it is still being heavily
> deployed.

Understood.  But we in IETF can't do anything about what people are
deploying now.  We can however start trying to work on things 
that can get deployed two years from now.

And while it should be clear that the future of IPv4 is irrevocably
tied to NAT, the future of the Internet is not limited to IPv4.

> >NAT is an architecturally bankrupt strategy - the more you try to fix
> >it, the more complex the architecture becomes, the harder it becomes to
> >write and configure applications, and the more brittle the network
> >becomes.  There is no way to fix the problems created by NAT without
> >a global name space for points in the network topology, and this is
> >the thing that NAT fundamentally destroys.
> 
> I agree with that, but see no other alternative (other than waiting for
> IPv6) than improving communication through NAT piece by piece.

The best way to improve communication through NAT is for the NAT
boxes to support IPv6 routing and 6to4.

> >  > Work in this area is starting in the new MIDCOM working group. But some
> > > people are still worried about being politically correct with respect to
> > > denying the perceived legitimacy of NAT.
> >
> >That's not political correctness, it's sound engineering.
> 
> Academia and closed groups have the luxury of sticking to sound
> engineering. The rest of the world is much more complex and we have to deal
> with the ugliness of a varied topology Internet.

I agree that the market will demand more short-term fixes. But I don't 
think we in the IETF have the luxury of abandoning sound engineering - 
at least, not if we want the Internet to continue to support diverse 
applications.  Indeed, the vendors can come up with short-term fixes 
by themselves, but it takes discussion between many different kinds
of parties, and a balance of short-term and long-term goals, 
(and hence a forum like IETF) to move things in a sane direction.

This is why I think that IETF should concentrate its energies toward
developing a viable path out of the NAT-hole rather than trying to 
dig that hole even deeper.

Keith




Re: Number of Firewall/NAT Users

2001-01-21 Thread Daniel Senie

[EMAIL PROTECTED] wrote:

> Let's stamp out NAT, *now* - before it becomes too entrenched and we can
> never get rid of it.  We don't need that sort of "worked" again.

Ummm, it's FAR too late for that. As for numbers of users, it's my guess
a large percentage of the cable modem users and DSL users are running
NAPT boxes. Given Linksys offering such appliances at around $100, that
competes well with software-based mechanisms, and is a lot simpler for
the end user to deal with.

At the higher end, a company is offering a NAT box which permits
multi-homing without BGP. Quite useful for many large companies. In
between, there are a great many companies using firewalls with NATs.
Asking some of the ISPs for enough addresses for a company's needs for
the next 12 months gets a response of "why don't you use NAT?".

To stamp out NAT, you need to find a way to get ARIN and the ISPs to
give out appropriate quantities of IP addresses.

A better plan for those who are developing applications is to think of
ways to minimize or eliminate the impact of NAT on those applications.
While it's certainly a nice thing to SAY we'd like to be able to live in
a world without NAT and be able to develop applications which are
unencumbered by that problem, the marketplace has rolled on by and
delivered on the customers' needs.

If IPv6 had been ready 4 years ago, we might have seen a major part of
the Internet growth spurt occur on it, and the reliance on NAT be less.
Given the policies in place, and the state of the usable technology, NAT
is quite firmly ensconced. The battle you propose ("stamp out NAT") has
already been lost. This doesn't mean I'm any happier than anyone else
about the pervasiveness of NAT, just that I've accepted we have no
choice but to deliver solutions as best we can, taking NAT into account.

-- 
-
Daniel Senie                [EMAIL PROTECTED]
Amaranth Networks Inc.      http://www.amaranth.com




Re: Number of Firewall/NAT Users

2001-01-21 Thread Matt Holdrege

At 11:53 PM 1/20/2001, Keith Moore wrote:
> > But complaining about NAT is not a new fad and usage of NAT hasn't been
> > stemmed the tiniest bit. We can't keep burying our heads in the sand and
> > trying to deny new work on dealing with NAT. It's here, it isn't going away
> > and we have to find solutions for applications that need to deal with NAT.
>
>By all means, let's deal with NAT.  Let's find better solutions to the
>problems that NAT purports to solve - solutions that don't create the
>plethora of additional problems that inherently come with NATs.

The only true solution is to not use NAT. Yet it is still being heavily 
deployed.

>NAT is an architecturally bankrupt strategy - the more you try to fix
>it, the more complex the architecture becomes, the harder it becomes to
>write and configure applications, and the more brittle the network
>becomes.  There is no way to fix the problems created by NAT without
>a global name space for points in the network topology, and this is
>the thing that NAT fundamentally destroys.

I agree with that, but see no other alternative (other than waiting for 
IPv6) than improving communication through NAT piece by piece.

>  > Work in this area is starting in the new MIDCOM working group. But some
> > people are still worried about being politically correct with respect to
> > denying the perceived legitimacy of NAT.
>
>That's not political correctness, it's sound engineering.

Academia and closed groups have the luxury of sticking to sound 
engineering. The rest of the world is much more complex and we have to deal 
with the ugliness of a varied topology Internet.




Re: Number of Firewall/NAT Users

2001-01-21 Thread Joel Jaeggli

you might check out the rather spirited discussion during the plenary at
ietf49...

the official proceeding will be up shortly on the ietf website, video of
the event is at:

http://videolab.uoregon.edu/events/ietf/ietf49.html

joelja

On Sat, 20 Jan 2001, Jiri Kuthan wrote:

> Hello,
>
> is anyone aware of any estimations of fraction of Internet users
> who are behind firewalls and NATs?
>
> Thanks,
>
> Jiri
>

-- 
--
Joel Jaeggli   [EMAIL PROTECTED]
Academic User Services   [EMAIL PROTECTED]
 PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--
It is clear that the arm of criticism cannot replace the criticism of
arms.  Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.





Re: Number of Firewall/NAT Users

2001-01-21 Thread Valdis . Kletnieks

On Sun, 21 Jan 2001 02:22:43 EST, Keith Moore said:
> it is desirable that it be such a network.  I remember when the email 
> network was a heterogeneous network consisting of UUCP, BITNET, DECnet, 
> SMTP, X.400, and a few other things thrown in.  It "worked", sort of, 
> but we had all kinds of problems with the translations at the boundaries,

Gee thanks Keith... you bring back painful memories of running one of
the bitnet-internet gates. :)

Every few weeks, I'm *still* seeing things sniffing around for our Bitnet
gateway.  The interesting part is that the gateway (vtbit.cc.vt.edu) isn't
in the DNS anymore, hasn't been for close to 18 months, and I only *see*
these screw-ups if they manage to find the machine that *used* to be the
*unpublicized* MX front-end for the gateway.  

Let's stamp out NAT, *now* - before it becomes too entrenched and we can
never get rid of it.  We don't need that sort of "worked" again.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech




Re: Number of Firewall/NAT Users

2001-01-21 Thread Keith Moore

> But complaining about NAT is not a new fad and usage of NAT hasn't been
> stemmed the tiniest bit. We can't keep burying our heads in the sand and
> trying to deny new work on dealing with NAT. It's here, it isn't going away
> and we have to find solutions for applications that need to deal with NAT.

By all means, let's deal with NAT.  Let's find better solutions to the
problems that NAT purports to solve - solutions that don't create the
plethora of additional problems that inherently come with NATs.   

By all means, let's stop burying our heads in the sand.  Let's stop 
pretending that we can solve these problems by further embellishing NATs,
or that the only way forward is to keep adding warts to NATs.

NAT is an architecturally bankrupt strategy - the more you try to fix 
it, the more complex the architecture becomes, the harder it becomes to 
write and configure applications, and the more brittle the network 
becomes.  There is no way to fix the problems created by NAT without 
a global name space for points in the network topology, and this is 
the thing that NAT fundamentally destroys.
 
> Work in this area is starting in the new MIDCOM working group. But some
> people are still worried about being politically correct with respect to
> denying the perceived legitimacy of NAT. 

That's not political correctness, it's sound engineering. 

Keith




Re: Number of Firewall/NAT Users

2001-01-20 Thread Keith Moore

> simply put and well stated..but I do suspect that the current NAT problem
> can be solved by the proper deployment of applications that MUST have
> routeable addresses.

no, it's the other way around.  the existence of NATs is keeping those
applications from being widely deployed.

Keith




Re: Number of Firewall/NAT Users

2001-01-20 Thread Bill Manning


Not the best estimate but looking at the number of unique
addresses that hit&fail the public nameservers for RFC 1918 
space does show some interesting trends. A snapshot was presented
at NANOG some few meetings back.  I've got the data for the last few
years.

--bill
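Bill's measurement can be reproduced on any public nameserver's query log. The script below is an added example written for this archive, not Bill's code or the NANOG data: it scans BIND-style query-log lines (the lines and client addresses are constructed) for reverse-DNS names that fall inside an RFC 1918 in-addr.arpa zone, which a public server can only answer with a failure, and counts the distinct clients that sent them. It also handles zone-level queries such as 16.172.in-addr.arpa (a whole /16 of private space) and deliberately does not count the near miss 9.0.172.in-addr.arpa, which is public 172.0.9.0/24 rather than 172.16.0.0/12.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed BIND-style query-log lines (not real data): a client address
# followed by the name and type it asked for.
SAMPLE_LOG = """\
20-Jan-2001 10:15:02.123 client 203.0.113.45#1234: query: 5.0.0.10.in-addr.arpa IN PTR
20-Jan-2001 10:15:03.456 client 203.0.113.45#1235: query: 7.0.0.10.in-addr.arpa IN PTR
20-Jan-2001 10:16:11.001 client 198.51.100.9#3077: query: 20.1.168.192.in-addr.arpa IN PTR
20-Jan-2001 10:17:40.778 client 198.51.100.9#3078: query: www.example.com IN A
20-Jan-2001 10:18:09.202 client 192.0.2.77#5353: query: 16.172.in-addr.arpa IN NS
20-Jan-2001 10:18:10.300 client 192.0.2.78#5353: query: 1.2.3.4.in-addr.arpa IN PTR
20-Jan-2001 10:19:00.000 client 192.0.2.79#1024: query: 9.0.172.in-addr.arpa IN PTR
"""

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def private_zone_for(qname: str):
    """Return the RFC 1918 network a reverse-DNS name lies in, or None.

    Partial names such as 16.172.in-addr.arpa cover a whole prefix, so the
    octets present are reversed, padded with zeros and given a prefix length
    of 8 bits per octet before the containment check."""
    suffix = ".in-addr.arpa"
    name = qname.rstrip(".").lower()
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    forward = list(reversed(octets)) + ["0"] * (4 - len(octets))
    queried = ip_network(f"{'.'.join(forward)}/{8 * len(octets)}", strict=False)
    for net in RFC1918:
        if queried.subnet_of(net):
            return net
    return None


def clients_leaking_private_reverse(log_text: str):
    """Map each RFC 1918 range (as a string) to the set of client addresses
    that asked this public server for names inside it."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        net = private_zone_for(m.group("qname"))
        if net is not None:
            leaks[str(net)].add(m.group("client"))
    return dict(leaks)


def unique_client_count(log_text: str) -> int:
    """The figure a snapshot like Bill's reports: distinct leaking sources."""
    leaks = clients_leaking_private_reverse(log_text)
    return len(set().union(*leaks.values()))


if __name__ == "__main__":
    for net, clients in sorted(clients_leaking_private_reverse(SAMPLE_LOG).items()):
        print(net, sorted(clients))
    print("unique leaking clients:", unique_client_count(SAMPLE_LOG))
```

Each distinct client address is, roughly, one site whose resolver forwards reverse lookups for private addresses to the outside world, which is the signal that site is numbering hosts out of RFC 1918 space behind a NAT; counting clients rather than queries keeps a single chatty resolver from dominating the trend.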




Re: Number of Firewall/NAT Users

2001-01-20 Thread Keith Moore

> Technically, a NAT box  is used to interconnect two (or more) independent
> networks so that hosts in the networks can communicate with one another
> *without any change* to the respective networks, 

except that in reality this is completely false. 

- the two networks can only "communicate" in a crippled sense
  (in that the joined network only supports a subset of the applications
  supported by either of the original networks)

- in a great many cases, the networks *do* end up being changed -
  at least in the sense that more components need to be added and
  more special configuration done just to keep the network running.
  the network also becomes more fragile.

> This is beneficial not only to provide Internet routing to
> near unlimited addresses in private networks but also for address hiding,
> privacy and flexibility.

The oft-touted privacy benefits of NATs are largely an illusion.  Sometimes
you want to hide an address for the sake of privacy, sometimes you want
a stable address so that you can be reached.  The needs will differ between 
applications on a single host.  NATs hinder, rather than help, your ability 
to give each application what it needs.

> So, maybe this is what the market really wants -- a multiple-protocol 
> Internet where tools such as NAT boxes for firewalling, privacy, 
> address extension and IPv4/IPv6 interoperation will be needed ... 
> and valued.  

The market doesn't necessarily want NATs per se, but it does want some 
of the things that NATs either bring or purport to bring.  for example:

- the ability to add networks (not just hosts) at arbitrary points
  in the Internet, without getting permission from upstream to do so.
- the ability to easily renumber networks
- the ability to connect a small network to the Internet without 
  having to explicitly configure it  (plug-and-ping)
- limits to the ability to associate a source address with a particular
  user or host.

> the
> Internet does not have to be a homogenous network, it can be a heterogeneous
> network with IPv4/NAT/IPv6. 

certainly the Internet *can* be such a network; that does not mean that
it is desirable that it be such a network.  I remember when the email 
network was a heterogeneous network consisting of UUCP, BITNET, DECnet, 
SMTP, X.400, and a few other things thrown in.  It "worked", sort of, 
but we had all kinds of problems with the translations at the boundaries,
with addresses from one network leaking past the gateways into another
network, with addresses being "translated" in such a way that they
were no longer usable in the destination network.  NATs create the same
set of problems for the whole Internet that we used to just have for
email.  Fortunately, the vast majority of email users came to their 
senses and settled on Internet protocols and the Internet email address
format.   I can only hope that NAT users will also come to their senses.

> Since a heterogeneous network can use local
> solutions for local problems, I believe Internet users will continue to 
> prefer local flexibility.

if that's really the case, they'll get rid of NATs as soon as alternative
means of solving the problems that NATs were meant to address become 
available.  our task is to come up with those alternatives.

Keith




Re: Number of Firewall/NAT Users

2001-01-20 Thread Henning Schulzrinne

There are two somewhat separable issues:

- Unless you only want to make outbound calls, SIP user agents have to
be "servers" as well as "clients". Without per-application hacks, NATs
don't work with inbound connections, so SIP gets bitten by that. (There
are kludges around that, such as a permanent connection to an
outside-the-NAT box that serves as the point of contact.) This is an
example of the general problem of the NAT worldview that users behind
NATs only run clients.

- Real-time media applications use UDP, but without being a
request-response protocol. Without an ALG, NATs don't work here. (One
should be somewhat careful to distinguish streaming and real-time media
applications, as their requirements and protocol usage differ.)

[EMAIL PROTECTED] wrote:
> 
> On Sat, 20 Jan 2001 21:32:35 EST, Richard Shockey said:
> > The Net as we know it has always been application driven. SMTP, HTTP, FTP
> > etc. These applications can traverse NATs but real forms of streaming
> > media cannot.
> 
> OK.. I'll admit that streaming stuff isn't my strong point, and I'm down with
> the flu to boot, so my clue level is pretty low here.. but...
> 
> Is it SIP that cannot work across a NAT, or is there a generic reason that
> *no* streaming-media protocol can work across a NAT?
> 
> Valdis Kletnieks
> Operating Systems Analyst
> Virginia Tech
> 
> -
> This message was passed through [EMAIL PROTECTED], which
> is a sublist of [EMAIL PROTECTED] Not all messages are passed.
> Decisions on what to pass are made solely by Harald Alvestrand.
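To make Henning's two points concrete, here is a toy port-translating NAT written for this archive as an added example; it is not code from Henning's post or from any SIP implementation. It models a NAPT whose mappings exist only after inside-out traffic, then runs the scenarios the post describes: an ordinary client request whose reply rides the mapping back in, an outside caller sending an INVITE to a SIP user agent that has to act as a server (dropped, because nothing inside opened that port), an outbound INVITE whose SDP names the private media address (the caller's RTP goes to an RFC 1918 address and never arrives), and the same call through a hypothetical SIP ALG that pre-allocates the media mapping and rewrites the SDP. The addresses are documentation ranges and the SDP fragment is a constructed minimum.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: a packet addressed to one of these never crosses the Internet.
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_private(addr: str) -> bool:
    return any(ip_address(addr) in net for net in PRIVATE)

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""   # for the SIP case: the SDP lines naming the media address

class NAPT:
    """Toy port-translating NAT: a mapping exists only after inside-out traffic."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (proto, inside ip, inside port) -> public port
        self.in_map = {}    # (proto, public port) -> (inside ip, inside port)

    def bind(self, proto: str, inside_ip: str, inside_port: int) -> int:
        key = (proto, inside_ip, inside_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(proto, self.next_port)] = (inside_ip, inside_port)
            self.next_port += 1
        return self.out_map[key]

    def outbound(self, pkt: Packet) -> Packet:
        port = self.bind(pkt.proto, pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from outside; None means it was dropped."""
        target = self.in_map.get((pkt.proto, pkt.dport))
        if target is None:
            return None     # unsolicited: nobody inside opened this port
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1], pkt.payload)

def send_from_internet(nat: NAPT, pkt: Packet):
    """Fate of a packet an outside host puts on the wire toward the NATed site."""
    if is_private(pkt.dst):
        return "unroutable"  # a private address that leaked out inside a payload
    if pkt.dst != nat.public_ip:
        return "elsewhere"
    return nat.inbound(pkt)

SDP_RE = re.compile(r"c=IN IP4 (\S+)\s+m=audio (\d+)")

def media_destination(sdp: str):
    """Where the (constructed, minimal) SDP tells the far end to send RTP."""
    m = SDP_RE.search(sdp)
    return m.group(1), int(m.group(2))

def sip_alg(nat: NAPT, pkt: Packet) -> Packet:
    """Hypothetical per-application hack: pre-create the UDP media mapping and
    rewrite the SDP so the far end sends RTP to the NAT's public address."""
    ip, port = media_destination(pkt.payload)
    if not is_private(ip):
        return pkt
    public_port = nat.bind("udp", ip, port)
    return Packet(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport,
                  f"c=IN IP4 {nat.public_ip}\nm=audio {public_port}")

# Constructed addresses (documentation ranges) for the scenarios below.
INSIDE, NAT_IP, CALLER = "10.0.0.5", "192.0.2.1", "198.51.100.7"
INVITE_SDP = f"c=IN IP4 {INSIDE}\nm=audio 20000"

def reply_to_outbound():
    # Client-style traffic works: the reply rides the mapping the request made.
    nat = NAPT(NAT_IP)
    out = nat.outbound(Packet("tcp", INSIDE, 51000, "203.0.113.9", 80))
    reply = send_from_internet(nat, Packet("tcp", "203.0.113.9", 80, out.src, out.sport))
    return reply.dst, reply.dport

def inbound_call_without_mapping():
    # The SIP UA behind the NAT must act as a server: the INVITE never arrives.
    nat = NAPT(NAT_IP)
    return send_from_internet(nat, Packet("udp", CALLER, 5060, NAT_IP, 5060, "INVITE"))

def media_without_alg():
    # The outbound INVITE gets through, but its SDP names 10.0.0.5 as the sink.
    nat = NAPT(NAT_IP)
    invite = nat.outbound(Packet("udp", INSIDE, 5060, CALLER, 5060, INVITE_SDP))
    ip, port = media_destination(invite.payload)   # the caller believes the SDP
    return send_from_internet(nat, Packet("udp", CALLER, 30000, ip, port, "RTP"))

def media_with_alg():
    # Same call through the hypothetical ALG: RTP is delivered to 10.0.0.5:20000.
    nat = NAPT(NAT_IP)
    fixed = sip_alg(nat, Packet("udp", INSIDE, 5060, CALLER, 5060, INVITE_SDP))
    invite = nat.outbound(fixed)
    ip, port = media_destination(invite.payload)
    rtp = send_from_internet(nat, Packet("udp", CALLER, 30000, ip, port, "RTP"))
    return rtp.dst, rtp.dport
```

The ALG only works because it understands SIP's payload; every other protocol that carries an address or port inside its messages needs its own hack, which is the brittleness Keith describes elsewhere in the thread. A user agent that instead keeps a permanent outbound connection to a box outside the NAT is the "kludge" Henning mentions: it simply keeps a mapping alive so that inbound traffic has something to ride.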




Re: Number of Firewall/NAT Users

2001-01-20 Thread Valdis . Kletnieks

On Sat, 20 Jan 2001 21:32:35 EST, Richard Shockey said:
> The Net as we know it has always been application driven. SMTP, HTTP, FTP 
> etc. These applications can traverse NATs but real forms of streaming 
> media cannot.

OK.. I'll admit that streaming stuff isn't my strong point, and I'm down with
the flu to boot, so my clue level is pretty low here.. but...

Is it SIP that cannot work across a NAT, or is there a generic reason that
*no* streaming-media protocol can work across a NAT?

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech




RE: Number of Firewall/NAT Users

2001-01-20 Thread Richard Shockey

At 05:16 PM 1/20/2001 -0500, vint cerf wrote:
>a nightmare it seems to me

simply put and well stated..but I do suspect that the current NAT problem 
can be solved by the proper deployment of applications that MUST have 
routeable addresses. SIP being a case in point. The promise of SIP is a 
global end to end realtime messaging media ( text, voice , video ) as a 
complement to the store and forward Universal Messaging media based on SMTP 
( text, voice, fax) we have now.

If the application is powerful enough end users will force their networks 
to adapt accordingly.

The Net as we know it has always been application driven. SMTP, HTTP, FTP 
etc. These applications can traverse NATs but real forms of streaming 
media cannot.

If we build the right applications that the market wants.. the networks 
will adapt to the needs of the applications... not the other way around.

>v
>
>At 02:39 PM 1/20/2001 -0800, Bernard D. Aboba wrote:
> >What is worth thinking about is what this will imply for the future
> >internet architecture. It is one thing to address issues brought up by a
> >single well functioning NAT within the same administrative domain. It is
> >another thing to deal with multiple layers of perhaps not so well
> >implemented NATs which may not even support tunneling of IPv6.
> >And that is where we appear to be headed over the next few years.


 
Richard Shockey, Senior Technical Industry Liaison
NeuStar Inc.
1120 Vermont Avenue N.W., Suite 550, Washington DC. 20005
Voice: 202.533.2811,  Cell : 314.503.0640,  Fax: 815.333.1237




Re: Number of Firewall/NAT Users

2001-01-20 Thread Matt Holdrege

At 02:38 PM 1/20/2001, Jim McMurry wrote:
>Then it seems we will have to create an ever expanding bandwidth to support
>all the overhead associated with NAT and these multiple layers.

The overhead comes in the form of complexity rather than bandwidth.

But complaining about NAT is not a new fad and usage of NAT hasn't been 
stemmed the tiniest bit. We can't keep burying our heads in the sand and 
trying to deny new work on dealing with NAT. It's here, it isn't going away 
and we have to find solutions for applications that need to deal with NAT.

Work in this area is starting in the new MIDCOM working group. But some 
people are still worried about being politically correct with respect to 
denying the perceived legitimacy of NAT. I think we need to go full force 
in finding solutions in an open standards group rather than having a closed 
group solve the problem in an inelegant fashion.




Re: Number of Firewall/NAT Users

2001-01-20 Thread Keith Moore

> Then it seems we will have to create an ever expanding bandwidth to support
> all the overhead associated with NAT and these multiple layers.

bandwidth consumption is the least of the problems. 

actually NATs probably conserve bandwidth because they prevent many kinds
of new applications from being deployed.

Keith




Re: Number of Firewall/NAT Users

2001-01-20 Thread Ed Gerck



"Bernard D. Aboba" wrote:

> And of course, as the address space continues to run out it is likely
> that enterprise and perhaps even ISP NAT deployment will increase
> substantially over the next few years.
>
> What is worth thinking about is what this will imply for the future
> internet architecture. It is one thing to address issues brought up by a
> single well functioning NAT within the same administrative domain. It is
> another thing to deal with multiple layers of perhaps not so well
> implemented NATs which may not even support tunneling of IPv6.
> And that is where we appear to be headed over the next few years.

More than a year ago I commented here that  NATs can help IPv6
interoperate... so, they are by definition, useful.   I also suggested we
don't yet  have a "NAT model", in engineering sense, where a model
fits in a larger model and so on. All we have is a "NAT hack", but this
does not mean that NATs are hacks (though they sort of rhyme).

Technically, a NAT box  is used to interconnect two (or more) independent
networks so that hosts in the networks can communicate with one another
*without any change* to the respective networks, usually by means of a
programmable device that performs automatic address translation in
transmission and/or address and name translation in reception for each
formatted message.  This is beneficial not only to provide Internet routing to
near unlimited addresses in private networks but also for address hiding,
privacy and flexibility.

So, maybe this is what the market really wants -- a multiple-protocol Internet,
where tools such as NAT boxes for firewalling, privacy, address extension and
IPv4/IPv6 interoperation will be needed ... and valued.  The lesson is that the
Internet does not have to be a homogenous network, it can be a heterogeneous
network with IPv4/NAT/IPv6. Since a heterogeneous network can use local
solutions for local problems, I believe Internet users will continue to prefer
local flexibility.

Comments?

Cheers,

Ed Gerck




Re: Number of Firewall/NAT Users

2001-01-20 Thread J. Noel Chiappa

> From: "Jim McMurry" <[EMAIL PROTECTED]>

> Then it seems we will have to create an ever expanding bandwidth to
> support all the overhead associated with NAT and these multiple layers.
> If not we could wind up with OC-192's that feel like 56k modems :(

I'm kind of confused. Perhaps you can enlighten me.

Exactly how does use of NAT use bandwidth? The packets are the same size, no?
I can't see how NAT has any effect on the effective throughput of the links
(which is the element you seem to be alluding to with your reference to
OC-192's).

It is true that a NAT box is a somewhat more complex switching device, but
depending on a large number of factors, including exactly which protocols it
supports, and how, along with the implementation technology used (people seem
to be happy to throw 100K's of transistors at switching boxes these days),
NAT may or may not have any effect on the throughput of the box.

Which is not to say I'm happy about the concept of nested NAT boxes, but let's
keep our analysis grounded in reality, eh?

Noel




Re: Number of Firewall/NAT Users

2001-01-20 Thread Jim McMurry

Then it seems we will have to create an ever expanding bandwidth to support
all the overhead associated with NAT and these multiple layers.

If not we could wind up with OC-192's that feel like 56k modems :(


Jim McMurry


- Original Message -
From: "vint cerf" <[EMAIL PROTECTED]>
To: "Bernard D. Aboba" <[EMAIL PROTECTED]>
Cc: "Jiri Kuthan" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, January 20, 2001 2:16 PM
Subject: RE: Number of Firewall/NAT Users


> a nightmare it seems to me
>
> v
>
> At 02:39 PM 1/20/2001 -0800, Bernard D. Aboba wrote:
> >What is worth thinking about is what this will imply for the future
> >internet architecture. It is one thing to address issues brought up by a
> >single well functioning NAT within the same administrative domain. It is
> >another thing to deal with multiple layers of perhaps not so well
> >implemented NATs which may not even support tunneling of IPv6.
> >And that is where we appear to be headed over the next few years.
>




RE: Number of Firewall/NAT Users

2001-01-20 Thread vint cerf

a nightmare it seems to me

v

At 02:39 PM 1/20/2001 -0800, Bernard D. Aboba wrote:
>What is worth thinking about is what this will imply for the future 
>internet architecture. It is one thing to address issues brought up by a 
>single well functioning NAT within the same administrative domain. It is 
>another thing to deal with multiple layers of perhaps not so well 
>implemented NATs which may not even support tunneling of IPv6. 
>And that is where we appear to be headed over the next few years. 




RE: Number of Firewall/NAT Users

2001-01-20 Thread Bernard D. Aboba



> what about business users, bernard?
> 
> vint
> 

My understanding is that the fraction of enterprises deploying NAT is 
much larger than in consumer households. Almost all commercial firewall 
products now support NAT. In comparison, fewer firewall products support 
competing approaches (such as SOCKS, or RSIP). 

And of course, as the address space continues to run out it is likely 
that enterprise and perhaps even ISP NAT deployment will increase 
substantially over the next few years. 

What is worth thinking about is what this will imply for the future 
internet architecture. It is one thing to address issues brought up by a 
single well functioning NAT within the same administrative domain. It is 
another thing to deal with multiple layers of perhaps not so well 
implemented NATs which may not even support tunneling of IPv6. 
And that is where we appear to be headed over the next few years. 




RE: Number of Firewall/NAT Users

2001-01-20 Thread vint cerf

what about business users, bernard?

vint

At 06:47 AM 1/20/2001 -0800, Bernard Aboba wrote:
>The fraction of consumer users behind NATs is largely
>limited by the number of multiple PC households. As
>of 2000, my understanding is that 27 percent of
>households have multiple PCs. Of those households
>with multiple PCs, only a fraction are networked. 
>
>This would indicate that perhaps less than 10 percent
>of all consumer households are behind a NAT today. This
>may translate to a larger fraction of consumer
>PCs because multiple PC households have
>more PCs (duh). 
>
>Over the next few years, it is likely that the
>NAT penetration will increase dramatically, 
>driven by increases in the number of multiple
>device households (not just PCs), as well as
>deployment of broadband technologies such
>as ADSL modems, which frequently ship with 
>NAT capabilities.  
>
>-Original Message-
>From: Jiri Kuthan [mailto:[EMAIL PROTECTED]]
>Sent: Friday, January 19, 2001 10:59 PM
>To: [EMAIL PROTECTED]
>Subject: Number of Firewall/NAT Users
>
>
>Hello,
>
>is anyone aware of any estimations of the fraction of Internet users
>who are behind firewalls and NATs?
>
>Thanks,
>
>Jiri
>
>-
>This message was passed through [EMAIL PROTECTED], which
>is a sublist of [EMAIL PROTECTED] Not all messages are passed.
>Decisions on what to pass are made solely by Harald Alvestrand.




RE: Number of Firewall/NAT Users

2001-01-20 Thread Bernard Aboba

The fraction of consumer users behind NATs is largely
limited by the number of multiple PC households. As
of 2000, my understanding is that 27 percent of
households have multiple PCs. Of those households
with multiple PCs, only a fraction are networked. 

This would indicate that perhaps less than 10 percent
of all consumer households are behind a NAT today. This
may translate to a larger fraction of consumer
PCs because multiple PC households have
more PCs (duh). 

Over the next few years, it is likely that the
NAT penetration will increase dramatically, 
driven by increases in the number of multiple
device households (not just PCs), as well as
deployment of broadband technologies such
as ADSL modems, which frequently ship with 
NAT capabilities.  

-Original Message-
From: Jiri Kuthan [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 19, 2001 10:59 PM
To: [EMAIL PROTECTED]
Subject: Number of Firewall/NAT Users


Hello,

is anyone aware of any estimations of the fraction of Internet users
who are behind firewalls and NATs?

Thanks,

Jiri





Number of Firewall/NAT Users

2001-01-19 Thread Jiri Kuthan

Hello,

is anyone aware of any estimations of the fraction of Internet users
who are behind firewalls and NATs?

Thanks,

Jiri