Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Thu, 29 Apr 2010 08:22:47 -0700 Bill Stewart nonobvi...@gmail.com wrote:

> On Tue, Apr 27, 2010 at 3:24 PM, Owen DeLong o...@delong.com wrote:
> > Here's an exercise. Wipe a PC. Put it on that cable modem with no firewall. Install XP on it. See if you can get any service packs installed before the box is infected.
>
> 1. Yes, I can. I simply didn't put an IPv4 address on it. ;-)
> 2. I wouldn't hold XP up as the gold standard of hosts here.
>
> One of my coworkers was IPv6ing his home network. He had to turn off the Windows firewall on the machine with the IPv6 tunnel for a couple of minutes to install some stubborn software. Then he had to reimage the box because it was pwned, and he's pretty sure that the infection came in over the IPv6 tunnel, not the hardware-firewalled IPv4.

Your friend should learn about causation versus correlation:

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Ever noticed how people who have car accidents got out of bed that morning?

> --
> Thanks; Bill
> Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Paul,

On Apr 29, 2010, at 8:29 AM, Paul Timmins wrote:
> If you change ISPs, send out an RA with the new addresses, wait a bit, then send out an RA with lifetime 0 on the old address.

Even if this works (and I know a lot of applications that use the socket() API that effectively cache the address returned by DNS for the lifetime of the application), how does this help situations where IPv6 address literals are specified in configuration files, e.g., resolv.conf, glue for authoritative DNS servers, firewalls/filters, network management systems, etc.? See sections 5 and 7 of

http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt

The point here is that if there is a non-zero cost associated with renumbering, there will be non-zero incentive to deploy technologies such as NATv6 to reduce that cost. Some folks have made the argument that for sites large enough for the cost of renumbering to be significant, they should be able to justify provider independent space and be willing to accept the administrative and financial cost. While this may be the case (I have some doubts that many of the folks using PA space now will be all that interested in dealing with the RIR system, but I may be biased), it does raise concerns about routing system growth and forces ISPs to be willing to accept long IPv6 prefixes from end users (which some ISPs have already said they won't do).

Regards,
-drc
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Apr 30, 2010, at 6:26 PM, David Conrad wrote:

> Paul,
>
> On Apr 29, 2010, at 8:29 AM, Paul Timmins wrote:
> > If you change ISPs, send out an RA with the new addresses, wait a bit, then send out an RA with lifetime 0 on the old address.
>
> Even if this works (and I know a lot of applications that use the socket() API that effectively cache the address returned by DNS for the lifetime of the application), how does this help situations where IPv6 address literals are specified in configuration files, e.g., resolv.conf, glue for authoritative DNS servers, firewalls/filters, network management systems, etc.? See sections 5 and 7 of
>
> http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt

Ideally, in the vast majority of cases, resolv.conf is populated by DHCPv6 or its successor. It is actually possible (although I agree questionable practice) to have your NS glue records updated dynamically. Firewalls and NMS can usually be done by copying the existing rulesets and doing a global SR on the affected prefix. It's not like a v4 renumbering. You'll still be dealing with a 1:1 replacement of the prefix and the suffixes don't need to change.

IPv6 also has the convenient concept of preferred and valid lifetimes on addresses facilitating a convenient overlap period while both prefixes still work, but, new flows should be universally originated from the specified prefix. This makes it easier to identify hosts in need of manual intervention by monitoring for traffic sourced from the incorrect prefix.

> The point here is that if there is a non-zero cost associated with renumbering, there will be non-zero incentive to deploy technologies such as NATv6 to reduce that cost. Some folks have made the argument that for sites large enough for the cost of renumbering to be significant, they should be able to justify provider independent space and be willing to accept the administrative and financial cost.
>
> While this may be the case (I have some doubts that many of the folks using PA space now will be all that interested in dealing with the RIR system, but I may be biased), it does raise concerns about routing system growth and forces ISPs to be willing to accept long IPv6 prefixes from end users (which some ISPs have already said they won't do).

There is a non-zero cost associated with renumbering. However, it is much closer to zero than in IPv4. There is also a non-zero cost to NAT. Unfortunately, the costs of NAT are more on the toxic polluter basis, where you must pay your own tab for renumbering. As such, NAT in IPv6 will probably be as popular as SPAM is in IPv4, to about the same level of detriment.

Owen
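Owen's suggestion of catching renumbering stragglers by watching for traffic still sourced from the deprecated prefix is easy to turn into a check. The script below is an added example, not code from anyone in the thread: it parses a small set of constructed flow records (the `key=value` layout is invented for the example, as are the RFC 3849 documentation prefixes standing in for the old and new ISP assignments), finds every source address that still lives in the old prefix, and, because a renumbering is a 1:1 prefix swap that leaves the host suffix alone, reports the address each straggler should be using instead.

```python
import ipaddress
from collections import Counter

# Constructed example prefixes (RFC 3849 documentation space), not from the thread.
OLD_PREFIX = ipaddress.IPv6Network("2001:db8:aaaa::/48")   # deprecated: preferred lifetime 0
NEW_PREFIX = ipaddress.IPv6Network("2001:db8:bbbb::/48")   # preferred: the new ISP's assignment

# Constructed flow records in a simple key=value form (not a real exporter format).
SAMPLE_FLOWS = """\
ts=2010-04-30T19:00:01 src=2001:db8:bbbb:1::10 dst=2001:db8:ffff::53 proto=udp dport=53
ts=2010-04-30T19:00:02 src=2001:db8:aaaa:1::20 dst=2001:db8:ffff::80 proto=tcp dport=80
ts=2010-04-30T19:00:03 src=2001:db8:bbbb:1::10 dst=2001:db8:ffff::443 proto=tcp dport=443
ts=2010-04-30T19:00:04 src=2001:db8:aaaa:2:20c:29ff:fe12:3456 dst=2001:db8:ffff::53 proto=udp dport=53
ts=2010-04-30T19:00:05 src=2001:db8:aaaa:1::20 dst=2001:db8:ffff::25 proto=tcp dport=25
ts=2010-04-30T19:00:06 src=fd12:3456:789a:1::5 dst=fd12:3456:789a:2::5 proto=tcp dport=445
"""


def parse_flow(line):
    """Parse one key=value flow record into a dict; None for blank or malformed lines."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    return fields if "src" in fields else None


def expected_new_address(old_addr, old_prefix, new_prefix):
    """Translate an address in the old prefix to its counterpart in the new one.
    The host (suffix) bits are kept as they are, which is exactly the 1:1 prefix
    replacement a renumbering relies on."""
    host_bits = int(old_addr) & ~int(old_prefix.netmask)
    return ipaddress.IPv6Address(int(new_prefix.network_address) | host_bits)


def find_stragglers(flow_text, old_prefix=OLD_PREFIX, new_prefix=NEW_PREFIX):
    """Return {old_src: (flow_count, expected_new_src)} for hosts still sourcing
    traffic from the deprecated prefix. Sources outside old_prefix are ignored."""
    counts = Counter()
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src = ipaddress.IPv6Address(rec["src"])
        if src in old_prefix:
            counts[src] += 1
    return {
        str(src): (n, str(expected_new_address(src, old_prefix, new_prefix)))
        for src, n in counts.items()
    }


if __name__ == "__main__":
    for src, (n, expected) in sorted(find_stragglers(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} flow(s) from deprecated prefix; expected {expected}")
```

Against a real flow export you would swap `parse_flow` for the exporter's record format and feed the result to the ticketing or NMS system; the ULA-sourced record in the sample is deliberately ignored, since internal ULA traffic is not part of the renumbering.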
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
David Conrad wrote:
> Paul,
>
> On Apr 29, 2010, at 8:29 AM, Paul Timmins wrote:
> > If you change ISPs, send out an RA with the new addresses, wait a bit, then send out an RA with lifetime 0 on the old address.
>
> Even if this works (and I know a lot of applications that use the socket() API that effectively cache the address returned by DNS for the lifetime of the application), how does this help situations where IPv6 address literals are specified in configuration files, e.g., resolv.conf, glue for authoritative DNS servers, firewalls/filters, network management systems, etc.? See sections 5 and 7 of
>
> http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
>
> The point here is that if there is a non-zero cost associated with renumbering, there will be non-zero incentive to deploy technologies such as NATv6 to reduce that cost. Some folks have made the argument that for sites large enough for the cost of renumbering to be significant, they should be able to justify provider independent space and be willing to accept the administrative and financial cost. While this may be the case (I have some doubts that many of the folks using PA space now will be all that interested in dealing with the RIR system, but I may be biased), it does raise concerns about routing system growth and forces ISPs to be willing to accept long IPv6 prefixes from end users (which some ISPs have already said they won't do).

Put your recursors, network management systems, fileservers, etc. on ULA addresses like I was talking about earlier. Then you don't have to renumber those. So the only change you should have to make is a firewall change. Imagine a world with RFC-1918 and public IP space safely overlaid. For anything you hardcode somewhere, unless it has to be publicly reachable, use ULA addresses and don't ever change them.

You could even choose to not have public IP space on your servers by removing autoconf, though you could have public space on them so they can apply updates, and simply block any inbound access to those statefully with a firewall to prevent any outside risk.

-Paul
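Paul's advice to park recursors, NMS and fileservers on ULA space assumes you have a ULA prefix to begin with, and RFC 4193 asks that the 40-bit Global ID be generated pseudo-randomly rather than picked by hand so that two organisations that later merge or interconnect are unlikely to collide. The following is an added example, not code from the thread, implementing the RFC 4193 section 3.2.2 procedure: a 64-bit NTP timestamp concatenated with a modified EUI-64 is hashed with SHA-1 and the low 40 bits become the Global ID under the `fd00::/8` (locally assigned) prefix. The MAC and timestamp in the `__main__` block are constructed sample inputs.

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32 bits of seconds since 1900 and 32 bits of fraction."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, fraction)


def mac_to_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ula_global_id(eui64, unix_time):
    """40-bit Global ID per RFC 4193 3.2.2: low 40 bits of SHA-1(NTP time || EUI-64)."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    return digest[-5:]


def generate_ula_prefix(mac, unix_time=None):
    """Locally assigned ULA /48: 0xfd (fc00::/7 with L=1), 40-bit Global ID, zero subnet ID."""
    if unix_time is None:
        unix_time = time.time()
    gid = ula_global_id(mac_to_eui64(mac), unix_time)
    prefix = int.from_bytes(b"\xfd" + gid + bytes(10), "big")
    return ipaddress.IPv6Network((prefix, 48))


def is_ula(addr):
    """True when addr is a unique local address (fc00::/7)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fc00::/7")


if __name__ == "__main__":
    # Constructed inputs: a sample MAC and a fixed timestamp so the run is reproducible.
    print(generate_ula_prefix("00:0c:29:12:34:56", 1272600000.0))
```

In production you would call `generate_ula_prefix` once with the live clock, record the resulting /48 in your IPAM, and carve /64s out of it for the servers Paul describes; the `is_ula` helper is the check a firewall rule generator wants before deciding an address is internal-only.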
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Owen,

On Apr 30, 2010, at 7:04 PM, Owen DeLong wrote:
> Ideally, in the vast majority of cases, resolv.conf is populated by DHCPv6 or its successor.

:-). I haven't been following the religious war against DHCPv6 -- is it now acceptable to get DNS information via DHCPv6? I note that MacOSX still doesn't appear to support DHCPv6. Does Win7?

> IPv6 also has the convenient concept of preferred and valid lifetimes on addresses facilitating a convenient overlap period while both prefixes still work, but, new flows should be universally originated from the specified prefix.

I'm aware of this. It would be interesting to see how many applications actually take advantage of this (rant about the socket API model deleted).

> There is a non-zero cost associated with renumbering. However, it is much closer to zero than in IPv4.

I agree that it can or at least has the promise to be.

> There is also a non-zero cost to NAT.

Yes.

> Unfortunately, the costs of NAT are more on the toxic polluter basis, where you must pay your own tab for renumbering.

End users must pay the cost of renumbering in both cases. With NAT, renumbering is done on the NAT box. Without NAT, renumbering must be done within the entire network. NAT can have an additional initial capital cost (although most CPE support NATv4 at no additional cost) and can have a potentially non-obvious additional opex cost associated with debugging network problems, application support, etc. In the end, it would be nice if it was a simple business decision. In reality, I suspect most folks getting IPv6 prefixes from their ISP will follow the same model they use with IPv4 because that's what they know and it works for them. Hopefully, we'll see.

Regards,
-drc
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Thu, 29 Apr 2010 10:33:02 +1000 Mark Andrews ma...@isc.org wrote:

> In message a3f2ff6f-afe3-4ed1-ad33-5b6277249...@virtualized.org, David Conrad writes:
> > Mark,
> >
> > On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote:
> > > > Perhaps the ability to change service providers without having to renumber?
> > >
> > > We have that ability already. Doesn't require NAT.
> >
> > Cool! You've figured out, e.g., how to renumber authoritative name servers that you don't have direct control over!
>
> Don't do that. It was a deliberate design decision to use names rather than IP addresses in NS records. This allows the operators of the nameservers to change their addresses when they need to. B.T.W. we have the technology to automatically update delegations if we need to and have for the last 10 years. People just need to stop being scared about doing it.
>
> > And modify filter lists on firewalls across an enterprise network! And remotely update provisioning systems and license managers without interrupting services! Etc., etc.
> >
> > http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
> >
> > A tiny home office network managed by a highly technical individual with full control over all aspects of the network is not a good model on which to base the definition of "we".
> >
> > Regards,
> > -drc
>
> Well if you insist on using IP addresses rather than real crypto for access control.

I suppose it'll protect us when Skynet emerges. I think the current security threat is the people behind the machines, not the machines themselves and their IP addresses.

Regards,
Mark.
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Wed, 28 Apr 2010 17:04:25 -0500 Dave Pooser dave.na...@alfordmedia.com wrote:

> > IPv6's fundamental goal is to restore end-to-end.
>
> For some. For many, IPv6's fundamental goal is to keep doing what we've been doing without running out of addresses. The fact that the two camps have orthogonal goals is probably part of the reason the rate of growth on IPv6 is so slow.

Well they should realise that end-to-end is what made the Internet the success in the first place. On the Original Internet, when you had an IP address, one moment you could be a client, another you could be a server, or another you could be a peer - or you could be any or all three roles at the same time. What role you wanted to play was completely and absolutely up to you - no third parties to ask permission of, no router upgrades involved. You just started the (client/server/peer-to-peer) software, and off you went.

The applications exist at the edge of the Internet - in the software operating on the end-nodes. The Internet itself is supposed to be a dumb, best effort packet transport between the edges - nothing more. That is why the Original Internet was good at running any application you threw at it, including new ones - because it never cared what those applications were. It just tried to do its job of getting packets from edge sources to edge destinations, regardless of what was in them.
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, Apr 27, 2010 at 3:24 PM, Owen DeLong o...@delong.com wrote:
> Here's an exercise. Wipe a PC. Put it on that cable modem with no firewall. Install XP on it. See if you can get any service packs installed before the box is infected.

1. Yes, I can. I simply didn't put an IPv4 address on it. ;-)
2. I wouldn't hold XP up as the gold standard of hosts here.

One of my coworkers was IPv6ing his home network. He had to turn off the Windows firewall on the machine with the IPv6 tunnel for a couple of minutes to install some stubborn software. Then he had to reimage the box because it was pwned, and he's pretty sure that the infection came in over the IPv6 tunnel, not the hardware-firewalled IPv4.

--
Thanks; Bill
Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
David Conrad wrote:
> On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
> > I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet
>
> Perhaps the ability to change service providers without having to renumber?

Number your internal network on ULA, and put public addresses on your machines as well. RFC3484 support in your OS will cause your machine to use ULA to talk to other ULA interfaces, and the public IP to the rest of the internet. If you change ISPs, send out an RA with the new addresses, wait a bit, then send out an RA with lifetime 0 on the old address. All the machines should drop their old ISP's IP, and start using the new ISP, as well as continue using ULA like nothing's changed for the internal file sharing/printing/whatever.
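Paul is leaning on the host's source address selection to make a dual ULA/public setup "just work", so it is worth seeing the rules that make that happen. The model below is an added example, written for this page and not taken from the thread or from any OS implementation; it implements a subset of the RFC 3484 algorithm (rules 2, 3, 6 and 8: appropriate scope, avoid deprecated addresses, matching label, longest matching prefix) using the default policy table of RFC 6724, the revision that obsoletes RFC 3484 and added the `fc00::/7` label entry. Under the original RFC 3484 table, which has no ULA row, the ULA-to-ULA outcome falls out of the longest-matching-prefix rule instead, so the behaviour Paul describes holds either way. The host's candidate addresses and the destinations are constructed sample values; the `deprecated` flag models what an RA with preferred lifetime 0 does to the old ISP's prefix.

```python
import ipaddress
from dataclasses import dataclass
from functools import cmp_to_key

# Default policy table of RFC 6724 section 2.1, reduced to (prefix, label);
# precedence only matters for destination ordering and is left out here.
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 0),
    (ipaddress.IPv6Network("::/0"), 1),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 4),
    (ipaddress.IPv6Network("2002::/16"), 2),
    (ipaddress.IPv6Network("2001::/32"), 5),
    (ipaddress.IPv6Network("fc00::/7"), 13),
    (ipaddress.IPv6Network("::/96"), 3),
    (ipaddress.IPv6Network("fec0::/10"), 11),
    (ipaddress.IPv6Network("3ffe::/16"), 12),
]

LINK_LOCAL_SCOPE, GLOBAL_SCOPE = 0x2, 0xE


@dataclass(frozen=True)
class Candidate:
    address: str
    deprecated: bool = False  # preferred lifetime expired, e.g. after an RA with preferred lifetime 0


def label(addr):
    """Label of the longest policy-table prefix covering addr."""
    best_len, best_label = -1, None
    for net, lbl in POLICY_TABLE:
        if addr in net and net.prefixlen > best_len:
            best_len, best_label = net.prefixlen, lbl
    return best_label


def scope(addr):
    """Multicast scope field, link-local for fe80::/10 and ::1, otherwise global
    (ULA is global scope per RFC 4193; only its label differs)."""
    if addr.is_multicast:
        return addr.packed[1] & 0x0F
    if addr.is_link_local or addr.is_loopback:
        return LINK_LOCAL_SCOPE
    return GLOBAL_SCOPE


def common_prefix_len(a, b):
    """Number of leading bits two addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


def _compare(dest, a, b):
    """Negative if a is the better source for dest, positive if b is, 0 if tied."""
    sa, sb = ipaddress.IPv6Address(a.address), ipaddress.IPv6Address(b.address)
    # Rule 2: prefer appropriate scope.
    if scope(sa) != scope(sb):
        smaller, larger = (sa, sb) if scope(sa) < scope(sb) else (sb, sa)
        # A source whose scope is too small to reach dest loses; otherwise the smaller scope wins.
        winner = larger if scope(smaller) < scope(dest) else smaller
        return -1 if winner is sa else 1
    # Rule 3: avoid deprecated addresses.
    if a.deprecated != b.deprecated:
        return 1 if a.deprecated else -1
    # Rule 6: prefer a source whose label matches the destination's.
    la, lb, ld = label(sa), label(sb), label(dest)
    if (la == ld) != (lb == ld):
        return -1 if la == ld else 1
    # Rule 8: prefer the longest matching prefix.
    return common_prefix_len(sb, dest) - common_prefix_len(sa, dest)


def select_source(dest, candidates):
    """Pick the source address this host would use toward dest."""
    dest = ipaddress.IPv6Address(dest)
    ranked = sorted(candidates, key=cmp_to_key(lambda a, b: _compare(dest, a, b)))
    return ranked[0].address


# Constructed host: link-local, a ULA, the deprecated old-ISP address and the new-ISP address.
HOST_ADDRESSES = [
    Candidate("fe80::1"),
    Candidate("fd12:3456:789a:1::10"),
    Candidate("2001:db8:aaaa:1::10", deprecated=True),
    Candidate("2001:db8:bbbb:1::10"),
]

if __name__ == "__main__":
    for dest in ("fd12:3456:789a:2::5", "2001:db8:ffff::80", "fe80::2"):
        print(dest, "<-", select_source(dest, HOST_ADDRESSES))
```

The deprecated flag is what makes the RA-with-lifetime-0 trick work: while the old address is still preferred, rule 8 can keep choosing it for destinations in the old ISP's space, and only once it is deprecated does rule 3 steer every new flow to the new prefix.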
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On 2010.04.28 00:04, Josh Hoppes wrote:
> I'll preface this that I'm more of an end user than a network administrator, but I do feel I have a good enough understanding of the protocols and network administration to submit my two cents.

You are always welcome to do so.

> The issue I see with this level of NAT, is the fact that I don't expect that UPNP be implemented at that level. I would see UPNP as being a security risk and prone to denial of service attacks when you have torrent clients attempting to grab every available port. Now that's going to create problems with services like Xbox Live which require UPNP to fully function since at least on one person's connection so they can host the game.

Josh, fwiw,

Not trying to hijack this thread, but please go put this over on the ARIN-discuss list. You can subscribe here:

http://lists.arin.net/mailman/listinfo/arin-discuss

Gaming vendors is a major outreach consideration from what I gathered from around the ARIN meeting, and it would be fantastic if you could take that discussion over there for them (and others) to see...

Steve
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Wed, 2010-04-28 at 02:13 -0400, Steve Bertrand wrote:
> > I would see UPNP as being a security risk and prone to denial of service attacks when you have torrent clients attempting to grab every

+1

apologies if I've said this here before - UPNP = unstoppable Peek and Poke

Gord
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 27 Apr 2010 14:29:50 -0400 Dave Israel da...@otd.com wrote:

> On 4/27/2010 1:36 PM, Andy Davidson wrote:
> > On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
> > > > Did you use Yahoo IM, AIM, or Skype?
> > >
> > > Yes, yes, and yes. Works fine.
> >
> > What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?
>
> Sure, I can invent a service/protocol that doesn't work with NAT. While I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and architectures using less than 256 bits of memory addressing. I bet it'll be popular!

One already exists. It's called DCCP, or Datagram Congestion Control Protocol - it's like UDP with congestion management. It'd be great to use for Video and VoIP, which could then vary the codec parameters to suit congestion should it occur. Shame NAT has stopped it being widely deployed.

SCTP could be used to perform peer to peer IM and file transfers, where the file transfer takes place within the existing SCTP connection, rather than having to establish a separate connection. Shame NAT has stopped it being widely deployed.

> > Do many others work as well or act reliably through NAT?
>
> Yes, nearly everything that end users use works great through NAT, because end users are often behind NAT and for a service to be popular, it has to be NAT-friendly. Protocols that are not NAT friendly and yet survive are generally LAN applications that are resting on their NAT-unfriendliness and calling it security.
>
> > Will it stop or hamper the innovation of new services on the internet?
>
> Nope.
>
> > The answer to these questions isn't a good one for users, so as the community that are best placed to defend service quality and innovation by preserving the end to end principle, it is our responsibility to defend it to the best of our ability.
>
> The end to end principle only helps service quality and innovation when the services are built on an end to end model. In a client-server world where addresses only identify groups of endpoints and individual identification is done at higher layers (which is what the ipv4+NAT Internet is looking like), end to endness is an anomaly, not the norm.
>
> > So get busy - v6 awareness, availability and abundancy are overdue for our end users.
>
> Nearly all of the end users don't give a rat's hindquarters about ipv6. It gives them nothing they know that they want. Meanwhile, those who do know they want it are getting used to working around it, using PAT tricks and STUN services. Should people *have* to use those services? No. But there's so many other things that we shouldn't have to do, but we do anyway because that's how it works, that these NAT-circumvention tricks are not a dealbreaker.
>
> Meanwhile, the NATification of the Internet continuously increases the contrast between services (with real addresses) and clients (with shared addresses). Over time, this differentiation will increase and become more and more a standard (a de facto one if not an actual codified one.) Clients will have shared, ephemeral addresses, and services will have stable ones. This helps ensure that clients cannot generally communicate without a facilitating service, and every transaction will then have a middleman, somebody you have to pay somehow to get your services. You may pay in cash, by watching commercials, by sacrificing personal information, or by submitting your communications to analysis by others, but somehow, you will pay. The vast majority of users won't care; they communicate that way now, and it does not bother them much. It's only those few who want to communicate without paying, in time, money, or privacy, or to communicate in ways other than the standard protocols, who will really suffer. And their complaints will have to fight against the voice of those who will say, well, if you make it end to end, then businesses lose money, and people will be able to share files again and violate copyrights, and all these things will cost jobs and tax dollars, etc, etc.
>
> If you want to avoid that future, I strongly suggest you deploy ipv6 and pressure others to do the same. But you're going to need to use valid arguments, about privacy and protection from the depredations of unscrupulous middlemen, instead of insisting that the Internet will break down and die and locusts will descend from the heavens and eat our first born if we don't.
>
> -Dave
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Mark Smith wrote:
> On Tue, 27 Apr 2010 14:29:50 -0400 Dave Israel da...@otd.com wrote:
> > On 4/27/2010 1:36 PM, Andy Davidson wrote:
> > > On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
> > > > > Did you use Yahoo IM, AIM, or Skype?
> > > >
> > > > Yes, yes, and yes. Works fine.
> > >
> > > What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?
> >
> > Sure, I can invent a service/protocol that doesn't work with NAT. While I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and architectures using less than 256 bits of memory addressing. I bet it'll be popular!
>
> One already exists. It's called DCCP, or Datagram Congestion Control Protocol - it's like UDP with congestion management. It'd be great to use for Video and VoIP, which could then vary the codec parameters to suit congestion should it occur. Shame NAT has stopped it being widely deployed.
>
> SCTP could be used to perform peer to peer IM and file transfers, where the file transfer takes place within the existing SCTP connection, rather than having to establish a separate connection. Shame NAT has stopped it being widely deployed.

Mark, I think you made Dave's point perfectly. Sure, history will be littered with protocols developed after NAT was widespread but whose designers willfully ignored reality (often committees filled with a bunch of people who wanted to acknowledge reality and a few strong voices who want to pretend there's a world without NAT both now and in the IPv6 future). Many of these won't see wide deployment as a result.

You can add SIP and SDP to the list, as those were designed with an FTP-like belief that you can know your local address and send it around in the payload and expect the right thing to happen. (FTP at least had the excuse that it predated NAT deployment)... though SIP, for some inexplicable reason, has survived to make it to wide deployment anyway.

Or you can run things like DCCP and SCTP encapsulated in UDP (works just fine), or design a new protocol that combines the best of DCCP and SCTP and DTLS and mix in some IP mobility and other features and deploy it to almost every Internet host (what I did... the protocol is RTMFP and it is in every copy of Flash Player since version 10.0), or design a new protocol for your application which does what DCCP and DTLS do only for your own widely deployed application (as the Skype folks did). All of these are excellent approaches for having something which *actually works*, though imperfectly as the backlash against NATs in groups such as the IETF has led to a big lack of standards around how they should work.

Either applications learn to deal with NAT, in which case they thrive on both the heavily-NATed still-mostly-IPv4 Internet of the future *or* the has-NAT mostly-IPv6 Internet of the future (a great way to hedge your bets if you're writing protocols and applications)... or they don't learn to deal with NAT, in which case they don't work on today's IPv4 Internet *and* they won't work on the heavily-NATed still-mostly-IPv4 Internet of one possible future *or* the has-NAT mostly-IPv6 Internet of the future. Those won't be nearly as popular.

And in case you don't have handy a short list of why the IPv6 Internet will be filled with NAT, I'll give you three items to start with:

1. SOX, HIPAA, and other audit checklist compliance currently requires NAT for (theoretical) fail-closed and topology hiding. If IPv6 NAT exists, this requirement may not go away.

2. There will be a requirement for client hosts which have IPv6 SLAAC implementations that expose their MAC address in the low address bits to have those bits hidden from the outside Internet.

3. Organizations not large enough to qualify for (or who don't wish to bother with) PI space will deploy NAT so as to avoid internal renumbering of things which must have static addresses (Intranet servers, DNS resolvers, etc.).

This is because the IPv6 future where every LAN is carrying multiple PA addresses to every host wasn't sufficiently well designed for it to actually work for either the multihoming case or the interior-network/outside-Internet case.

The good news is that it might be sufficient to do pure NAT and not NAPT, and it might be possible still to get some good standards around how these devices should behave... both of which aren't happening for the IPv4 Internet, unfortunately.

Matthew Kaufman
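Matthew's second item, SLAAC hosts leaking their MAC address in the low 64 bits, is something you can audit for directly rather than hide behind a NAT. A modified EUI-64 interface identifier always carries `ff:fe` in its middle two bytes with the universal/local bit of the first byte inverted, so an address inventory can be scanned for it. The script below is an added example, not code from the thread: it walks a constructed list of addresses, flags those whose interface identifier is MAC-derived and recovers the MAC so the asset can be matched against the hardware inventory and switched to privacy (RFC 4941) or stable opaque (RFC 7217) identifiers. The sample addresses are made up for the example.

```python
import ipaddress

# Constructed address inventory: two EUI-64 identifiers, one random-looking IID,
# one manually assigned server address and a link-local address.
SAMPLE_INVENTORY = """\
2001:db8:bbbb:1:20c:29ff:fe12:3456
2001:db8:bbbb:1:b8e1:4f02:9a7c:1d30
2001:db8:bbbb:1::53
fd12:3456:789a:1:1a2b:3cff:fe4d:5e6f
fe80::1
"""


def eui64_mac(addr):
    """If the interface identifier of addr is a modified EUI-64 built from a 48-bit
    MAC, return that MAC as a colon-separated string; otherwise None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit flip applied when the IID was formed
    return ":".join(f"{b:02x}" for b in mac)


def audit(inventory_text):
    """Return {address: mac} for every address whose IID exposes a MAC address."""
    findings = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line:
            continue
        mac = eui64_mac(line)
        if mac is not None:
            findings[line] = mac
    return findings


if __name__ == "__main__":
    for address, mac in audit(SAMPLE_INVENTORY).items():
        print(f"{address}: interface identifier derived from MAC {mac}")
```

A manually assigned address can contain `ff:fe` at that position by coincidence, so treat a hit as a lead to confirm against the host's configuration rather than proof; conversely, once hosts use temporary or stable opaque identifiers, this check should stop reporting them, which is a simple way to verify the rollout.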
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Wed, 28 Apr 2010 08:44:41 -0700 Matthew Kaufman matt...@matthew.at wrote:

> Mark Smith wrote:
> > On Tue, 27 Apr 2010 14:29:50 -0400 Dave Israel da...@otd.com wrote:
> > > On 4/27/2010 1:36 PM, Andy Davidson wrote:
> > > > On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
> > > > > > Did you use Yahoo IM, AIM, or Skype?
> > > > >
> > > > > Yes, yes, and yes. Works fine.
> > > >
> > > > What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?
> > >
> > > Sure, I can invent a service/protocol that doesn't work with NAT. While I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and architectures using less than 256 bits of memory addressing. I bet it'll be popular!
> >
> > One already exists. It's called DCCP, or Datagram Congestion Control Protocol - it's like UDP with congestion management. It'd be great to use for Video and VoIP, which could then vary the codec parameters to suit congestion should it occur. Shame NAT has stopped it being widely deployed.
> >
> > SCTP could be used to perform peer to peer IM and file transfers, where the file transfer takes place within the existing SCTP connection, rather than having to establish a separate connection. Shame NAT has stopped it being widely deployed.
>
> Mark, I think you made Dave's point perfectly. Sure, history will be littered with protocols developed after NAT was widespread but whose designers willfully ignored reality (often committees filled with a bunch of people who wanted to acknowledge reality and a few strong voices who want to pretend there's a world without NAT both now and in the IPv6 future). Many of these won't see wide deployment as a result.

I'm not sure people are understanding or know the true reality. NAT broke the Internet's architecture, by turning IP from being a peer-to-peer protocol into a master/slave one (think mainframes and dumb terminals). Read RFC1958 if you don't understand what that means, specifically the 'end-to-end' principle part. IPv6's fundamental goal is to restore end-to-end.

> You can add SIP and SDP to the list, as those were designed with an FTP-like belief that you can know your local address and send it around in the payload and expect the right thing to happen. (FTP at least had the excuse that it predated NAT deployment)... though SIP, for some inexplicable reason, has survived to make it to wide deployment anyway.
>
> Or you can run things like DCCP and SCTP encapsulated in UDP (works just fine), or design a new protocol that combines the best of DCCP and SCTP and DTLS and mix in some IP mobility and other features and deploy it to almost every Internet host (what I did... the protocol is RTMFP and it is in every copy of Flash Player since version 10.0), or design a new protocol for your application which does what DCCP and DTLS do only for your own widely deployed application (as the Skype folks did). All of these are excellent approaches for having something which *actually works*, though imperfectly as the backlash against NATs in groups such as the IETF has led to a big lack of standards around how they should work.
>
> Either applications learn to deal with NAT, in which case they thrive on both the heavily-NATed still-mostly-IPv4 Internet of the future *or* the has-NAT mostly-IPv6 Internet of the future (a great way to hedge your bets if you're writing protocols and applications)... or they don't learn to deal with NAT, in which case they don't work on today's IPv4 Internet *and* they won't work on the heavily-NATed still-mostly-IPv4 Internet of one possible future *or* the has-NAT mostly-IPv6 Internet of the future. Those won't be nearly as popular.
>
> And in case you don't have handy a short list of why the IPv6 Internet will be filled with NAT, I'll give you three items to start with:
>
> 1. SOX, HIPAA, and other audit checklist compliance currently requires NAT for (theoretical) fail-closed and topology hiding. If IPv6 NAT exists, this requirement may not go away.
>
> 2. There will be a requirement for client hosts which have IPv6 SLAAC implementations that expose their MAC address in the low address bits to have those bits hidden from the outside Internet.
>
> 3. Organizations not large enough to qualify for (or who don't wish to bother with) PI space will deploy NAT so as to avoid internal renumbering of things which must have static addresses (Intranet servers, DNS resolvers, etc.).
>
> This is because the IPv6 future where every LAN is carrying multiple PA addresses to every host wasn't sufficiently well designed for it to actually work for either the multihoming case or the interior-network/outside-Internet case.
>
> The good news is that it might be sufficient to do pure NAT and not NAPT, and it might be possible still to get some good standards around how these devices should
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
I'm not normally one to respond to NANOG messages with opinions but...

Yeah, NAT broke the internet. Yes you can engineer around it. There is NO reason to hold onto NAT as a standard. With v6 we have the opportunity to do it right (or at least semi-right) from the beginning, let's not choose to break it all from the beginning. Don't worry, if you understand basic routing these concepts shouldn't be hard for you. And don't worry, there is still plenty of market for residential firewalls and all but yeah maybe they'll actually have to be a firewall/router as opposed to just a NAT box.

So there is my opinion; I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet even after reading almost every message in this thread. It is just a stop-gap v4 measure and yeah, before people understood real security it was a security thing. Let's just move ahead with the good stuff! There'll be plenty of legacy/nostalgia around for years for those who still want to work with it.

Just an opinion,
Carl
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
> I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet

Perhaps the ability to change service providers without having to renumber?

Regards,
-drc
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Wed, Apr 28, 2010 at 6:54 PM, David Conrad d...@virtualized.org wrote:
> On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
> > I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet
>
> Perhaps the ability to change service providers without having to renumber?

Couldn't we use link scope (or other local) addresses to local networks, and have gateways that do 1:1 translation between those addresses and PA space? Call it NATv6, whatever. Nobody is going to remember addresses by hand, name servers (DNS or local scope as avahi) will be the rule. And DHCPv6 (or router advertisement) is how you provide your hosts access. Maybe internal servers, such as smbfs or NFS, could be only at link scope addresses? No need to renumerate, and full protection from outsiders.

> Regards,
> -drc

Seriously,
Felipe
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
> IPv6's fundamental goal is to restore end-to-end.

For some. For many, IPv6's fundamental goal is to keep doing what we've been doing without running out of addresses. The fact that the two camps have orthogonal goals is probably part of the reason the rate of growth on IPv6 is so slow.

--
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Wed, 2010-04-28 at 14:54 -0700, David Conrad wrote:
> On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
>> I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet
>
> Perhaps the ability to change service providers without having to renumber?

DHCPv6 solves that issue if implemented correctly in the CPE firewall/router appliance.

William
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
In message 01f57362-8092-48cb-8336-15b9cc171...@virtualized.org, David Conrad writes:
> On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
>> I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet
>
> Perhaps the ability to change service providers without having to renumber?

We have that ability already. Doesn't require NAT.

> Regards,
> -drc
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
--- On Wed, 4/28/10, Mark Smith na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org wrote:
> I'm not sure people are understanding or know the true reality. NAT broke the Internet's architecture, by turning IP from being a peer-to-peer protocol into a master/slave one (think mainframes and dumb terminals). Read RFC1958 if you don't understand what that means, specifically the 'end-to-end' principle part. IPv6's fundamental goal is to restore end-to-end.

And this, in a few short sentences, is why IPv6 adoption has been so incredibly slow and frustrating. For some of us, IPv6's primary benefit is solving the "32 bits aren't enough" problem. For others, the commercial Internet architecture which evolved is aesthetically offensive, and they see IPv6 as the corrective mechanism. Only one of those two has any sort of time constraint (read: necessity), and it isn't the latter. The end-to-end principle is grand, I agree - but there are lots of commercial considerations which I find have a higher priority for my customers.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Mark,

On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote:
>> Perhaps the ability to change service providers without having to renumber?
>
> We have that ability already. Doesn't require NAT.

Cool! You've figured out, e.g., how to renumber authoritative name servers that you don't have direct control over! And modify filter lists on firewalls across an enterprise network! And remotely update provisioning systems and license managers without interrupting services! Etc., etc.

http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt

A tiny home office network managed by a highly technical individual with full control over all aspects of the network is not a good model on which to base the definition of "we".

Regards,
-drc
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
In message a3f2ff6f-afe3-4ed1-ad33-5b6277249...@virtualized.org, David Conrad writes:
> Mark,
>
> On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote:
>>> Perhaps the ability to change service providers without having to renumber?
>>
>> We have that ability already. Doesn't require NAT.
>
> Cool! You've figured out, e.g., how to renumber authoritative name servers that you don't have direct control over!

Don't do that. It was a deliberate design decision to use names rather than IP addresses in NS records. This allows the operators of the nameservers to change their addresses when they need to. B.T.W. we have the technology to automatically update delegations if we need to and have for the last 10 years. People just need to stop being scared about doing it.

> And modify filter lists on firewalls across an enterprise network! And remotely update provisioning systems and license managers without interrupting services! Etc., etc.
>
> http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
>
> A tiny home office network managed by a highly technical individual with full control over all aspects of the network is not a good model on which to base the definition of "we".
>
> Regards,
> -drc

Well if you insist on using IP addresses rather than real crypto for access control.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Wed, 28 Apr 2010 14:54:04 PDT, David Conrad said:
> On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
>> I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet
>
> Perhaps the ability to change service providers without having to renumber?

RFC4193 or PI address space, depending what problem you're trying to solve by not renumbering.
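Felipe's suggestion above of a gateway doing 1:1 translation between local addresses and PA space, and the RFC4193 pointer here, as one added example that is not code from the thread: it derives a ULA prefix the way RFC 4193 section 3.2.2 describes, then rewrites a /48 prefix checksum-neutrally in the manner of RFC 6296 (NPTv6), a scheme the thread itself does not name and is assumed here. The MAC address, timestamp and prefixes are constructed sample values.

```python
"""ULA prefix generation (RFC 4193) and checksum-neutral /48 prefix translation.

Added example, not code from the NANOG thread. The translation is modelled on
RFC 6296 (NPTv6), which the thread does not mention; the sample MAC, timestamp
and prefixes are constructed.
"""
import hashlib
import ipaddress
import struct
import time
import uuid

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack(">II", whole & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def eui64_from_mac(mac: int) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, flip the U/L bit."""
    high, low = (mac >> 24) & 0xFFFFFF, mac & 0xFFFFFF
    eui = (high << 40) | (0xFFFE << 24) | low
    return (eui ^ (1 << 57)).to_bytes(8, "big")


def ula_prefix(ntp_ts: bytes, eui64: bytes) -> str:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(time || EUI-64),
    placed after the fd00::/8 prefix; returns an fdXX:XXXX:XXXX::/48 string."""
    global_id = int.from_bytes(hashlib.sha1(ntp_ts + eui64).digest()[-5:], "big")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return str(ipaddress.IPv6Network((prefix_int, 48)))


def is_ula(address: str) -> bool:
    """True for addresses inside fc00::/7 (RFC 4193 unique local)."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network("fc00::/7")


def words16(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an address, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_sum(words) -> int:
    """One's complement sum of 16-bit words, with carries folded back in."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_ones_sum(address: str) -> int:
    """One's complement sum of a whole address; 0xFFFF and 0 are both zero."""
    total = ones_sum(words16(ipaddress.IPv6Address(address)))
    return 0 if total == 0xFFFF else total


def translate_prefix(address: str, from_prefix: str, to_prefix: str) -> str:
    """Swap the /48 prefix of `address`, then adjust word 3 (the subnet field)
    so the one's complement sum of the address is unchanged. Because TCP, UDP
    and ICMPv6 checksums cover the addresses in the pseudo-header, they remain
    valid and the gateway never has to touch the transport layer."""
    src, dst = ipaddress.IPv6Network(from_prefix), ipaddress.IPv6Network(to_prefix)
    addr = ipaddress.IPv6Address(address)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in src:
        raise ValueError(f"{address} is not inside {from_prefix}")
    words = words16(addr)
    old_sum = ones_sum(words16(src.network_address)[:3])
    new_sum = ones_sum(words16(dst.network_address)[:3])
    # Subtracting new_sum in one's complement is adding its complement.
    adjusted = ones_sum([words[3], old_sum, new_sum ^ 0xFFFF])
    words[3] = 0 if adjusted == 0xFFFF else adjusted
    words[:3] = words16(dst.network_address)[:3]
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))


if __name__ == "__main__":
    # A real site would seed from the clock and a local MAC, as RFC 4193 says.
    internal = ula_prefix(ntp_timestamp(time.time()), eui64_from_mac(uuid.getnode()))
    base = int(ipaddress.IPv6Network(internal).network_address)
    host = str(ipaddress.IPv6Address(base | (1 << 64) | 0x10))  # subnet 1, IID ::10
    external = translate_prefix(host, internal, "2001:db8:1::/48")  # constructed PA
    print(internal, host, "->", external)
    print("checksum-neutral:", address_ones_sum(host) == address_ones_sum(external))
```

Changing the PA prefix changes only the `to_prefix` argument; the ULA side, and everything configured against it, stays put.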
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
>> Did you use Yahoo IM, AIM, or Skype?
> Yes, yes, and yes. Works fine.

What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT? Do many others work as well or act reliably through NAT? Will it stop or hamper the innovation of new services on the internet?

The answer to these questions isn't a good one for users, so as the community that are best placed to defend service quality and innovation by preserving the end-to-end principle, it is our responsibility to defend it to the best of our ability.

So get busy - v6 awareness, availability and abundancy are overdue for our end users.

Andy
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Andy Davidson wrote:
> On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
>>> Did you use Yahoo IM, AIM, or Skype?
>> Yes, yes, and yes. Works fine.
>
> What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?

Anyone inventing a new service/protocol that doesn't work with NAT isn't planning on success.

> Do many others work as well or act reliably through NAT?

Yes.

> Will it stop or hamper the innovation of new services on the internet?

Hasn't so far.

> The answer to these questions isn't a good one for users, so as the community that are best placed to defend service quality and innovation by preserving the end-to-end principle, it is our responsibility to defend it to the best of our ability.

Firewalls will always break the end-to-end principle, whether or not addresses are identical between the inside and outside or not.

> So get busy - v6 awareness, availability and abundancy are overdue for our end users.

Maybe. Most of them are perfectly happy.

Matthew Kaufman
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On 27/04/2010 18:48, Matthew Kaufman wrote:
> Anyone inventing a new service/protocol that doesn't work with NAT isn't planning on success.

You mean, like multisession bgp over tls?

Nick, just sayin'
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 27 Apr 2010 10:48:54 PDT, Matthew Kaufman said:
> Anyone inventing a new service/protocol that doesn't work with NAT isn't planning on success.

Only true in the IPv4 world. IPv6 will hopefully be different.

>> The answer to these questions isn't a good one for users, so as the community that are best placed to defend service quality and innovation by preserving the end-to-end principle, it is our responsibility to defend it to the best of our ability.
>
> Firewalls will always break the end-to-end principle, whether or not addresses are identical between the inside and outside or not.

The difference is that if a protocol wants to be end-to-end, I can fix a firewall to not break it. You don't have that option with a NAT.

>> So get busy - v6 awareness, availability and abundancy are overdue for our end users.
>
> Maybe. Most of them are perfectly happy.

Most of the US population was perfectly happy just before the recent financial crisis hit. Ignorance is bliss - but only for a little while.
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On 4/27/2010 1:36 PM, Andy Davidson wrote:
> On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
>>> Did you use Yahoo IM, AIM, or Skype?
>> Yes, yes, and yes. Works fine.
>
> What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?

Sure, I can invent a service/protocol that doesn't work with NAT. While I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and architectures using less than 256 bits of memory addressing. I bet it'll be popular!

> Do many others work as well or act reliably through NAT?

Yes, nearly everything that end users use works great through NAT, because end users are often behind NAT and for a service to be popular, it has to be NAT-friendly. Protocols that are not NAT-friendly and yet survive are generally LAN applications that are resting on their NAT-unfriendliness and calling it security.

> Will it stop or hamper the innovation of new services on the internet?

Nope.

> The answer to these questions isn't a good one for users, so as the community that are best placed to defend service quality and innovation by preserving the end-to-end principle, it is our responsibility to defend it to the best of our ability.

The end-to-end principle only helps service quality and innovation when the services are built on an end-to-end model. In a client-server world where addresses only identify groups of endpoints and individual identification is done at higher layers (which is what the ipv4+NAT Internet is looking like), end-to-endness is an anomaly, not the norm.

> So get busy - v6 awareness, availability and abundancy are overdue for our end users.

Nearly all of the end users don't give a rat's hindquarters about ipv6. It gives them nothing they know that they want. Meanwhile, those who do know they want it are getting used to working around it, using PAT tricks and STUN services. Should people *have* to use those services? No. But there's so many other things that we shouldn't have to do, but we do anyway because that's how it works, that these NAT-circumvention tricks are not a dealbreaker.

Meanwhile, the NATification of the Internet continuously increases the contrast between services (with real addresses) and clients (with shared addresses). Over time, this differentiation will increase and become more and more a standard (a de facto one if not an actual codified one.) Clients will have shared, ephemeral addresses, and services will have stable ones. This helps ensure that clients cannot generally communicate without a facilitating service, and every transaction will then have a middleman, somebody you have to pay somehow to get your services. You may pay in cash, by watching commercials, by sacrificing personal information, or by submitting your communications to analysis by others, but somehow, you will pay.

The vast majority of users won't care; they communicate that way now, and it does not bother them much. It's only those few who want to communicate without paying, in time, money, or privacy, or to communicate in ways other than the standard protocols, who will really suffer. And their complaints will have to fight against the voice of those who will say, well, if you make it end to end, then businesses lose money, and people will be able to share files again and violate copyrights, and all these things will cost jobs and tax dollars, etc, etc.

If you want to avoid that future, I strongly suggest you deploy ipv6 and pressure others to do the same. But you're going to need to use valid arguments, about privacy and protection from the depredations of unscrupulous middlemen, instead of insisting that the Internet will break down and die and locusts will descend from the heavens and eat our first born if we don't.

-Dave
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:
> The difference is that if a protocol wants to be end-to-end, I can fix a firewall to not break it. You don't have that option with a NAT.

Maybe we want end-to-end to break. Firewalls can trivially be misconfigured such that they're little more than routers, fully exposing all the hosts behind them to everything bad the internet has to offer (hackers, malware looking to spread itself, etc.). At least with NAT, if someone really screws up the config, the inside stuff is all typically on non-publicly-routed IPs, so the worst likely to happen is they lose internet, but at least the internet can't directly reach them. This has to be one of the bigger reasons people actually like using NAT.

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote:
> Andy Davidson wrote:
>> On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
>>>> Did you use Yahoo IM, AIM, or Skype?
>>> Yes, yes, and yes. Works fine.
>>
>> What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?
>
> Anyone inventing a new service/protocol that doesn't work with NAT isn't planning on success.

Respectfully, I disagree. There are many possible innovations that are available in a NAT-less world and it is desirable to get to that point rather than hamper future innovation with this obsolete baggage.

>> Do many others work as well or act reliably through NAT?
>
> Yes.

In reality, it's more like some yes, some not so much.

>> Will it stop or hamper the innovation of new services on the internet?
>
> Hasn't so far.

Here I have to call BS... I know of a number of cases where it has.

>> The answer to these questions isn't a good one for users, so as the community that are best placed to defend service quality and innovation by preserving the end-to-end principle, it is our responsibility to defend it to the best of our ability.
>
> Firewalls will always break the end-to-end principle, whether or not addresses are identical between the inside and outside or not.

Yes and no. Firewalls will always break the idea of global universal end-to-end reachability. They do not break the end-to-end principle except when NAT is involved. The end-to-end principle is that the original layer 3+ information arrives at the layer 3 destination un-mangled by intermediate devices when it is a permitted type of traffic. Blocking unwanted flows does not break the end-to-end principle. Maiming and distorting data contained in the datagram, including the headers, on the other hand does break the end-to-end principle.

>> So get busy - v6 awareness, availability and abundancy are overdue for our end users.
>
> Maybe. Most of them are perfectly happy.

This word "Most", it does not mean what you appear to think it means.

Owen
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:
> Maybe we want end-to-end to break. Firewalls can trivially be misconfigured such that they're little more than routers, fully exposing all the hosts behind them to everything bad the internet has to offer (hackers, malware looking to spread itself, etc.). At least with NAT, if someone really screws up the config, the inside stuff is all typically on non-publicly-routed IPs, so the worst likely to happen is they lose internet, but at least the internet can't directly reach them.

You *do* realize that the skill level needed to misconfigure a firewall into that state, and the skill level needed to do the exact same thing to a firewall-NAT box, are *both* less than the skill level needed to remember to also deploy traffic monitors so you know you screwed up, and host-based firewalls to guard against chuckleheads screwing up the border box?

In other words, if your security scheme relies on that supposed feature of NAT, you have *other* things you need to be working on.
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Owen DeLong wrote:
> On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote:
>> Andy Davidson wrote:
>>> On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
>>>>> Did you use Yahoo IM, AIM, or Skype?
>>>> Yes, yes, and yes. Works fine.
>>>
>>> What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?
>>
>> Anyone inventing a new service/protocol that doesn't work with NAT isn't planning on success.
>
> Respectfully, I disagree. There are many possible innovations that are available in a NAT-less world and it is desirable to get to that point rather than hamper future innovation with this obsolete baggage.

I would argue that every one of those innovations, if even passably useful, can also be implemented in a NAT-full world.

>>> Do many others work as well or act reliably through NAT?
>>
>> Yes.
>
> In reality, it's more like some yes, some not so much.

== Some designed to work properly in the face of NAT, some ignored reality at their peril.

>>> Will it stop or hamper the innovation of new services on the internet?
>>
>> Hasn't so far.
>
> Here I have to call BS... I know of a number of cases where it has.

Ok, you called it... so where's the list of such services that haven't materialized as a result of NAT?

Matthew Kaufman
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:
>> At least with NAT, if someone really screws up the config, the inside stuff is all typically on non-publicly-routed IPs, so the worst likely to happen is they lose internet, but at least the internet can't directly reach them.
>
> You *do* realize that the skill level needed to misconfigure a firewall into that state, and the skill level needed to do the exact same thing to a firewall-NAT box, are *both* less than the skill level needed to remember to also deploy traffic monitors so you know you screwed up, and host-based firewalls to guard against chuckleheads screwing up the border box?

I think you forget where most networking is done. Monitoring? You mean something beyond walking down the hall to the network closet and seeing all the blinking lights are flashing really fast?

How about the typical home DSL/Cable modem user? Do you think they even know what SNMP is? Do you think they have host based firewalls on all their PCs? Do you want mom and dad's PCs exposed on the internet, or neatly hidden behind a NAT device they don't even realize is built into their cable/DSL router?

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Apr 27, 2010, at 11:49 AM, Matthew Kaufman wrote:
> Owen DeLong wrote:
>> On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote:
>>> Andy Davidson wrote:
>>>> On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
>>>>>> Did you use Yahoo IM, AIM, or Skype?
>>>>> Yes, yes, and yes. Works fine.
>>>>
>>>> What about every other service/protocol that users use today, and might be invented tomorrow? Will they all work with NAT?
>>>
>>> Anyone inventing a new service/protocol that doesn't work with NAT isn't planning on success.
>>
>> Respectfully, I disagree. There are many possible innovations that are available in a NAT-less world and it is desirable to get to that point rather than hamper future innovation with this obsolete baggage.
>
> I would argue that every one of those innovations, if even passably useful, can also be implemented in a NAT-full world.

Perhaps, but, often at significant additional code, development time, QA resources and other costs. Also, often at a degraded level requiring a non-NAT'd third-party broker to intermediate between any two NAT'd parties attempting to trade information.

>>>> Do many others work as well or act reliably through NAT?
>>>
>>> Yes.
>>
>> In reality, it's more like some yes, some not so much.
>
> == Some designed to work properly in the face of NAT, some ignored reality at their peril.

We can agree to disagree about this. The reality is that there are cool things you can do with peer to peer networking that simply aren't possible in an enforced client-server model. NAT enforces a client-server model and permanently and irrevocably relegates some administrative domains to the client role. This is an unfair disadvantage to the users within those domains when it is not by the choice of the administrator (and NAT in IPv4 so far, often is not).

>>>> Will it stop or hamper the innovation of new services on the internet?
>>>
>>> Hasn't so far.
>>
>> Here I have to call BS... I know of a number of cases where it has.
>
> Ok, you called it... so where's the list of such services that haven't materialized as a result of NAT?

"Haven't materialized", for one, is an attempt to redefine the question. Note that the original question included "hamper". I would argue that the cost of maintaining a NAT compatibility lab and the QA staff to use it is a sufficient burden to call it "hamper".

For the ones that did not materialize, however, I am at an unfortunate disadvantage in the argument. I can tell you that I know of at least 5 such cases. However, I cannot reveal the details because I am under NDA to the companies that were developing these products. I can tell you that in 3 of the 5 cases, adapting them to cope with a NAT world would have required the company to run an external service in perpetuity (or at least so long as the application would function, no server, no function) in order to do the match-making between clients that could not directly reach each other.

I guess a good analogy is this: In a NAT world, you have only matchmaking services and all of your ability to meet potential mates is strictly controlled through these matchmaking services. There are many services available independent of each other, and, each has its own limitations, biases, and quirks. However, you cannot meet potential mates without involving at least one matchmaker.

In a NAT-Free world, you have the ability to use a matchmaking service if you like, but, you also have the ability to meet potential mates at bars, in the grocery store, on the street, in restaurants, through chance meetings, introductions by a friend, or even at work.

It is possible that if you never knew it was possible to meet potential mates in all of these other ways, you would happily deal with a vast number of matchmaking services hoping to find a useful result. On the other hand, if you were to ask the average person who has experienced the latter scenario if they would be willing to limit their choices to only using a dating service, my guess would be that most people would reject the idea outright.

Owen
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 27 Apr 2010 14:54:07 EDT, Jon Lewis said:
> I think you forget where most networking is done. Monitoring? You mean something beyond walking down the hall to the network closet and seeing all the blinking lights are flashing really fast?

That site will manage to chucklehead their config whether or not it's NAT'ed.

> How about the typical home DSL/Cable modem user?

And they won't manage to chucklehead their config, even if it's not NAT'ed.

> Do you think they even know what SNMP is? Do you think they have host based firewalls on all their PCs?

Hmm... Linux has a firewall. MacOS has a firewall. Windows XP SP2 or later has a perfectly functional firewall out of the box, and earlier Windows had a firewall but it didn't do 'default deny inbound' out of the box. Those people with XBoxes and Playstations and so on can take it up with their vendors - they were certainly *marketed* as "plug it in and network", and at least my PS/2 and PS/3 didn't come with a "Warning: Do Not Use Without a NAT" sticker on them.

So who doesn't have a host-based firewall in 2010? The idea is old enough that it's *really* time to play name-and-blame.

> Do you want mom and dad's PCs exposed on the internet, or neatly hidden behind a NAT device they don't even realize is built into their cable/DSL router?

Be careful here - I know that at least in my neck of Comcast cable, you can go to Best Buy, get a cablemodem, plug the cable in one side, plug an ethernet and one machine in the other side, and be handed a live on-the-network DHCP address that works just fine except for outbound port 25 being blocked. For the past month or so, my laptop has gotten 71.63.92.124 every night when I get home, which certainly doesn't look very NAT'ed. Are you *really* trying to suggest that a PC is not fit-for-purpose for that usage, and *requires* a NAT and other hand-holding?

And for the record - I don't worry about my mother's PC being exposed on the Internet, because she's running Vista, which has a sane firewall by default. What *does* worry me is that she's discovered Facebook, and anything she clicks on there will not have the *slightest* bit of trouble whomping her machine through a NAT.

Let's be realistic - what was the last time we had a *real* threat that a NAT would have stopped but the XP SP2 firewall would not have stopped? And how many current threats do we have that are totally NAT-agnostic?
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:
> That site will manage to chucklehead their config whether or not it's NAT'ed.

True...but when they do it and all their important stuff is in 192.168.0/24, you still can't reach it...and if they break NAT, at least their internet breaks, i.e. they'll know it's broken. When they change the default policy on the firewall to Accept/Allow all, everything will still work...until all their machines are infected with enough stuff to break them.

> Hmm... Linux has a firewall. MacOS has a firewall. Windows XP SP2 or later has a perfectly functional firewall out of the box, and earlier Windows had a firewall but it didn't do 'default deny inbound' out of the box.

Linux can have a firewall. Not all distros default to having any rules. XP can (if you want to call it that). I don't have any experience with MacOS. Both my kids run Win2k (to support old software that doesn't run well/at all post-2k). I doubt that's all that unusual.

> Are you *really* trying to suggest that a PC is not fit-for-purpose for that usage, and *requires* a NAT and other hand-holding?

Here's an exercise. Wipe a PC. Put it on that cable modem with no firewall. Install XP on it. See if you can get any service packs installed before the box is infected.

--
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Apr 27, 2010, at 2:25 PM, Jon Lewis wrote:
> On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:
>> That site will manage to chucklehead their config whether or not it's NAT'ed.
>
> True...but when they do it and all their important stuff is in 192.168.0/24, you still can't reach it...and if they break NAT, at least their internet breaks, i.e. they'll know it's broken. When they change the default policy on the firewall to Accept/Allow all, everything will still work...until all their machines are infected with enough stuff to break them.

Nah... They'll chucklehead forward something to 135-139/TCP on the box with all the important stuff just fine. NAT won't save them from this.

>> Hmm... Linux has a firewall. MacOS has a firewall. Windows XP SP2 or later has a perfectly functional firewall out of the box, and earlier Windows had a firewall but it didn't do 'default deny inbound' out of the box.
>
> Linux can have a firewall. Not all distros default to having any rules. XP can (if you want to call it that). I don't have any experience with MacOS. Both my kids run Win2k (to support old software that doesn't run well/at all post-2k). I doubt that's all that unusual.

And the rest of the world should pay for your kids' legacy requirements why?

>> Are you *really* trying to suggest that a PC is not fit-for-purpose for that usage, and *requires* a NAT and other hand-holding?
>
> Here's an exercise. Wipe a PC. Put it on that cable modem with no firewall. Install XP on it. See if you can get any service packs installed before the box is infected.

1. Yes, I can. I simply didn't put an IPv4 address on it. ;-)
2. I wouldn't hold XP up as the gold standard of hosts here.

Owen
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, Apr 27, 2010 at 4:25 PM, Jon Lewis jle...@lewis.org wrote:
> breaks, i.e. they'll know it's broken. When they change the default policy on the firewall to Accept/Allow all, everything will still work...until all their machines are infected with enough stuff to break them.

The same is true with IPv4 + NAT, in terms of real-world net security. Because security attacks against end-user equipment commonly come from either an e-mail message the user is expected to errantly click on, or a malicious website, designed to exploit the latest $MsOffice_Acrobat_Javascript_OR_Flash_Vuln_DU_Jour. If the user accidentally turns off their outbound filtering software, even the IPv4 user behind a NAT setup still has a pretty bad security posture.

Fortunately, the IPv6 address space is so large and sparse that scanning it would be quite a feat, even if a random outside attacker already knew for a fact that a certain /64 probably contains a vulnerable host. Scanning IPv6 addresses by brute force is as computationally hard as figuring out the 16-bit port number pairs of an IPv4 NAT user's open connection, in order to fool their NAT device and partially hijack the user's HTTP connection and inject malicious code into their stream.

By the way, if an attacker actually can figure out the port number pairs of a session recognized by the NAT device, the illusion of security offered by the NAT setup potentially starts to crumble; either way it's 32 bits to be guessed within a fairly limited timeframe.

--
-J
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
In message pine.lnx.4.61.1004271718210.5...@soloth.lewis.org, Jon Lewis writes:
> Both my kids run Win2k (to support old software that doesn't run well/at all post-2k). I doubt that's all that unusual.

Then they won't have IPv6 and hence are irrelevant to the discussion about IPv6 NAT.

As for built in firewalls, even my Brother printer has a firewall built into it and it supports IPv6.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Owen DeLong wrote: On Apr 27, 2010, at 11:49 AM, Matthew Kaufman wrote: Owen DeLong wrote: On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote: Andy Davidson wrote: On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote: Did you use Yahoo IM, AIM, or Skype? Yes, yes, and yes. Works fine. What about every other service/protocol that users use today, and might be invented tomorrow ? Do will they all work with NAT ? Anyone inventing a new service/protocol that doesn't work with NAT isn't planning on success. Respectfully, I disagree. There are many possible innovations that are available in a NAT-less world and it is desirable to get to that point rather than hamper future innovation with this obsolete baggage. I would argue that every one of those innovations, if even passably useful, can also be implemented in a NAT-full world. Perhaps, but, often at significant additional code, development time, QA resources and other costs. Also, often at a degraded level requiring a non-NAT'd third-party broker to intermediate between any two NAT'd parties attempting to trade information. Yes, there's additional development, but if NAT was more standardized (which it has a chance of being for IPv6, if we'd just stop arguing about whether or not it is going to happen... it'll happen, the question is whether or not there'll be a standard to follow) that development cost could be nearly a one-time library cost vs. custom code to deal with every situation and changing situations. Do many others work as well or act reliably through NAT ? Yes. In reality, it's more like some yes, some not so much. == Some designed to work properly in the face of NAT, some ignored reality at their peril. We can agree to disagree about this. The reality is that there are cool things you can do with peer to peer networking that simply aren't possible in an enforced client-server model. Agreed. 
NAT enforces a client-server model and permanently and irrevocably relegates some administrative domains to the client role. This is an unfair disadvantage to the users within those domains when it is not by the choice of the administrator (and NAT in IPv4 so far, often is not). No. Most NAT *doesn't* enforce a client-server model, it enforces a deliberate signaling model for establishing peer-to-peer communication, and allows open client-server communication (and most communication is, and will forever be, client-server). Assuming, again, that the NATs behave reasonably when trying to do peer-to-peer communication through them, which most (over 90% of what's deployed for IPv4) do. And *all* could, if there were standards people could code to. Which, again, for IPv6 there could be, if we'd stop claiming that NAT will never happen / is a bad idea and so shouldn't be standardized / etc. Will it stop or hamper the innovation of new services on the internet ? Hasn't so far. Here I have to call BS... I know of a number of cases where it has. Ok, you called it... so where's the list of such services that haven't materialized as a result of NAT? Haven't materialized, for one, is an attempt to redefine the question. Note that the original question included hamper. I would argue that the cost of maintaining a NAT compatibility lab and the QA staff to use it is a sufficient burden to call it hamper. Again, such a lab would not be needed if NAT operation were codified in standards. Which could happen, if not for the vocal set who keeps arguing against them, even when there's 5+ good reasons for them, even in IPv6. For the ones that did not materialize, however, I am at an unfortunate disadvantage in the argument. I can tell you that I know of at least 5 such cases. However, I cannot reveal the details because I am under NDA to the companies that were developing these products. 
I can tell you that in 3 of the 5 cases, adapting them to cope with a NAT world would have required the company to run an external service in perpetuity (or at least so long as the application would function, no server, no function) in order to do the match-making between clients that could not directly reach each other. I guess a good analogy is this: In a NAT world, you have only matchmaking services and all of your ability to meet potential mates is strictly controlled through these matchmaking services. There are many services available independent of each other, and, each has its own limitations, biases, and quirks. However, you cannot meet potential mates without involving at least one matchmaker. True, but that's essentially true for all software, and certainly true for all web-based software. In a NAT-Free world, you have
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
James Hess wrote: Fortunately, the IPv6 address space is so large and sparse, that scanning it would be quite a feat, even if a random outside attacker already knew for a fact that a certain /64 probably contains a vulnerable host. All I need to do is run a popular web site on the IPv6 Internet, and I get all the addresses of connected hosts I want. That address-space-scanning is hard is nearly irrelevant. Matthew Kaufman
the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
I'll preface this that I'm more of an end user than a network administrator, but I do feel I have a good enough understanding of the protocols and network administration to submit my two cents. The issue I see with this level of NAT, is the fact that I don't expect that UPnP be implemented at that level. I would see UPnP as being a security risk and prone to denial of service attacks when you have torrent clients attempting to grab every available port. Now that's going to create problems with services like Xbox Live which require UPnP to fully function since at least one person's connection needs it so they can host the game. When you're looking at player counts in the millions I'm fairly sure that they are going to be affected by CGN. That's one application I expect to see break by such large scale NAT implementations.
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, Apr 27, 2010, Matthew Kaufman wrote: Fortunately, the IPv6 address space is so large and sparse, that scanning it would be quite a feat, even if a random outside attacker already knew for a fact that a certain /64 probably contains a vulnerable host. All I need to do is run a popular web site on the IPv6 Internet, and I get all the addresses of connected hosts I want. That address-space-scanning is hard is nearly irrelevant. or troll popular IPv6 bittorrent end points when that becomes popular. Adrian
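The point Matthew Kaufman and Adrian make above (that a server operator harvests IPv6 client addresses from its own logs rather than scanning a /64) is easy to show concretely. The following is an added example, not code from either poster: it parses constructed access-log lines (combined log format, addresses drawn from the 2001:db8::/32 documentation range), keeps the distinct IPv6 clients, groups them by /64, and flags interface identifiers with the ff:fe marker of a MAC-derived EUI-64 IID, which are the ones that stay stable across renumbering. The log lines, prefix length and helper names are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The v6
# addresses are in the 2001:db8::/32 documentation range, not real hosts.
SAMPLE_LOG = """\
2001:db8:1:2:a4e9:3aff:fe12:3456 - - [27/Apr/2010:10:48:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:1:2:250:56ff:feab:cdef - - [27/Apr/2010:10:48:05 -0700] "GET /img/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Apr/2010:10:48:09 -0700] "GET / HTTP/1.1" 200 5120 "-" "curl/7.19"
2001:db8:1:2:a4e9:3aff:fe12:3456 - - [27/Apr/2010:10:49:11 -0700] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
2001:DB8:9:9::1 - - [27/Apr/2010:10:50:00 -0700] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.12"
not-an-address - - [27/Apr/2010:10:50:02 -0700] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# Only the leading client field matters here; the rest anchors the match
# so that a truncated or malformed line is skipped rather than misparsed.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_clients(log_text):
    """Return distinct IPv6 client addresses seen in the log, as strings, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("client"))
        except ValueError:
            continue  # client field is not an IP literal; skip the line
        if addr.version != 6:
            continue  # the harvest is about v6 hosts; v4 clients are ignored
        canonical = str(addr)  # compressed, lowercase form so duplicates collapse
        if canonical not in seen:
            seen.append(canonical)
    return seen


def group_by_prefix(addresses, prefixlen=64):
    """Map each /prefixlen network (as a string) to the set of harvested hosts inside it."""
    groups = defaultdict(set)
    for a in addresses:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        groups[str(net)].add(a)
    return dict(groups)


def looks_like_eui64(address):
    """True if the low 64 bits carry the ff:fe marker of a MAC-derived (EUI-64) interface ID."""
    iid = int(ipaddress.ip_address(address)) & ((1 << 64) - 1)
    # Bytes 3 and 4 of the IID (counting from the top) are 0xff 0xfe in EUI-64.
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    clients = parse_clients(SAMPLE_LOG)
    for net, hosts in sorted(group_by_prefix(clients).items()):
        print(f"{net}: {len(hosts)} host(s)")
        for h in sorted(hosts):
            tag = " (EUI-64 IID, tracks the MAC)" if looks_like_eui64(h) else ""
            print(f"  {h}{tag}")
```

Every /64 that shows up in the output is one the operator now knows is populated, and each host inside it is a precise target; no scanning of the 2^64 interface identifiers was needed. The same harvest works from mail headers, peer lists of a BitTorrent swarm, or any other service the host talks to, which is why the hard-to-scan argument does little for a host that is reachable at all.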
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
John R. Levine jo...@iecc.com writes: Did you run any services? Of course not, it's consumer DSL. I run services on my server which is somewhere else and tunnel in via ssh which, of course, works fine through NAT. Take a look at all those small SOHO storage boxes. They all offer web and FTP services and they all support something like dyndns. Customers want these features and are using these features. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Did you use Yahoo IM, AIM, or Skype? Yes, yes, and yes. Works fine. Did you use any of those for Video Chat and/or to transfer files? Skype video chat, all the time, works fine. Don't remember about file transfer. Did you do any peer to peer filesharing? Yeah, I got the latest FreeBSD via bittorrent, and left it up overnight and observed from the stats that it served chunks of it back to other people. Did you play any MMOs? No, I noted the game players. Did you run any services? Of course not, it's consumer DSL. I run services on my server which is somewhere else and tunnel in via ssh which, of course, works fine through NAT. When you add in the other things that break which I have outlined above, you start to approach 75%. I would argue that 75% is a significant and meaningful fraction of an ISPs customer base. The hypothetical network that your consumers would use appears to be very different from the actual one available to consumers around here. R's, John
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 20 Apr 2010, John R. Levine wrote: Skype video chat, all the time, works fine. Don't remember about file transfer. Whenever I am behind NAT and talk to someone else who is behind NAT skype seems to lower the quality, my guess it's because it now bounces traffic via another non-NATed node. These kind of applications work best if there is at least one non-NATed party involved, especially for video etc. -- Mikael Abrahamsson email: swm...@swm.pp.se
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On 4/20/10 6:38 PM, Mikael Abrahamsson wrote: On Tue, 20 Apr 2010, John R. Levine wrote: Skype video chat, all the time, works fine. Don't remember about file transfer. Whenever I am behind NAT and talk to someone else who is behind NAT skype seems to lower the quality, my guess it's because it now bounces traffic via another non-NATed node. These kind of applications work best if there is at least one non-NATed party involved, especially for video etc. My own experience is that skype quality lags that of iChat A/V, but I had always attributed that to iChat having better codecs. I could be wrong. iChat A/V, on the other hand, seems to have a heart attack when both sides have private addresses, and the firewall configuration is non-trivial. But I think we're going about this the wrong way. I wonder if we could change the way we do business in the longer term if everyone had public address space. As an application guy, I dislike the fact that people have to rely on some sort of service to share their calendars. That makes great sense for the service provider, and it even makes sense for the consumer right now due to the state of the art. But perhaps the times could change. There are lots of use cases where connecting into the house would be nice. Baby monitoring, security monitoring, Smart this, smart that, etc. Instead we require extra middleware to make it all work. The economics are, if nothing else, a painful lesson. Eliot
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
On Tue, 20 Apr 2010 18:38:33 +0200 (CEST) Mikael Abrahamsson swm...@swm.pp.se wrote: On Tue, 20 Apr 2010, John R. Levine wrote: Skype video chat, all the time, works fine. Don't remember about file transfer. Whenever I am behind NAT and talk to someone else who is behind NAT skype seems to lower the quality, my guess it's because it now bounces traffic via another non-NATed node. I think that means skype will be ported to IPv6 pretty quickly. CGN/LSN is going to dramatically reduce the number of 'super nodes' with public IPv4 addresses to relay calls through. That'll be particularly unfair to people in Australia, because here we have a per-month quota system e.g. 20GB of downloads and/or uploads a month. I wouldn't want my quota being chewed up by lots of other people's phone calls. These kind of applications work best if there is at least one non-NATed party involved, especially for video etc. -- Mikael Abrahamsson email: swm...@swm.pp.se Regards, Mark.