Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-30 Thread Mark Smith
On Thu, 29 Apr 2010 08:22:47 -0700
Bill Stewart nonobvi...@gmail.com wrote:

 On Tue, Apr 27, 2010 at 3:24 PM, Owen DeLong o...@delong.com wrote:
  Here's an exercise.  Wipe a PC.  Put it on that cable modem with no 
  firewall.  Install XP on it.  See if you can get any service packs 
  installed before the box is infected.
  1.      Yes, I can.  I simply didn't put an IPv4 address on it. ;-)
  2.      I wouldn't hold XP up as the gold standard of hosts here.
 
 One of my coworkers was IPv6ing his home network.  He had to turn off
 the Windows firewall on the machine with the IPv6 tunnel for a couple
 of minutes to install some stubborn software.  Then he had to reimage
 the box because it was pwned, and he's pretty sure that the infection
 came in over the IPv6 tunnel, not the hardware-firewalled IPv4.
 

Your friend should learn about causation versus correlation

http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation

Ever noticed how people who have car accidents got out of bed that
morning?


 -- 
 
  Thanks; Bill
 
 Note that this isn't my regular email account - It's still experimental so 
 far.
 And Google probably logs and indexes everything you send it.
 



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-30 Thread David Conrad
Paul,

On Apr 29, 2010, at 8:29 AM, Paul Timmins wrote:
 If you change ISPs, send out an RA with the new addresses, wait a bit, then 
 send out an RA with lifetime 0 on the old address.

Even if this works (and I know a lot of applications that use the socket() API 
that effectively cache the address returned by DNS for the lifetime of the 
application), how does this help situations where IPv6 address literals are 
specified in configuration files, e.g., resolv.conf, glue for authoritative DNS 
servers, firewalls/filters, network management systems, etc.?  See sections 5 
and 7 of 
http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt

The point here is that if there is a non-zero cost associated with renumbering, 
there will be non-zero incentive to deploy technologies such as NATv6 to reduce 
that cost.  Some folks have made the argument that for sites large enough for 
the cost of renumbering to be significant, they should be able to justify 
provider independent space and be willing to accept the administrative and 
financial cost. While this may be the case (I have some doubts that many of the 
folks using PA space now will be all that interested in dealing with the RIR 
system, but I may be biased), it does raise concerns about routing system 
growth and forces ISPs to be willing to accept long IPv6 prefixes from end 
users (which some ISPs have already said they won't do).

Regards,
-drc





Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-30 Thread Owen DeLong

On Apr 30, 2010, at 6:26 PM, David Conrad wrote:

 Paul,
 
 On Apr 29, 2010, at 8:29 AM, Paul Timmins wrote:
 If you change ISPs, send out an RA with the new addresses, wait a bit, then 
 send out an RA with lifetime 0 on the old address.
 
 Even if this works (and I know a lot of applications that use the socket() 
 API that effectively cache the address returned by DNS for the lifetime of 
 the application), how does this help situations where IPv6 address literals 
 are specified in configuration files, e.g., resolv.conf, glue for 
 authoritative DNS servers, firewalls/filters, network management systems, 
 etc.?  See sections 5 and 7 of 
 http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
 
Ideally, in the vast majority of cases, resolv.conf is populated by dhcpv6 or 
its successor.

It is actually possible (although I agree questionable practice) to have your 
NS glue records updated dynamically.

Firewalls and NMS can usually be done by copying the existing rulesets and 
doing a global SR on the affected prefix.

It's not like a v4 renumbering. You'll still be dealing with a 1:1 replacement 
of the prefix and the suffixes don't need to change.

IPv6 also has the convenient concept of preferred and valid lifetimes on 
addresses facilitating a convenient overlap period while both prefixes still 
work, but, new flows should be universally originated from the specified 
prefix. This makes it easier to identify hosts in need of manual intervention 
by monitoring for traffic sourced from the incorrect prefix.

 The point here is that if there is a non-zero cost associated with 
 renumbering, there will be non-zero incentive to deploy technologies such as 
 NATv6 to reduce that cost.  Some folks have made the argument that for sites 
 large enough for the cost of renumbering to be significant, they should be 
 able to justify provider independent space and be willing to accept the 
 administrative and financial cost. While this may be the case (I have some 
 doubts that many of the folks using PA space now will be all that interested 
 in dealing with the RIR system, but I may be biased), it does raise concerns 
 about routing system growth and forces ISPs to be willing to accept long IPv6 
 prefixes from end users (which some ISPs have already said they won't do).
 
There is a non-zero cost associated with renumbering.  However, it is much 
closer to zero than in IPv4.  There is also a non-zero cost to NAT. 
Unfortunately, the costs of NAT are more on the toxic polluter basis, where you 
must pay your own tab for renumbering. As such, NAT in IPv6 will probably be as 
popular as SPAM is in IPv4, to about the same level of detriment.

Owen
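Owen's two renumbering aids, a global search-and-replace of the prefix in firewall rulesets and a watch for traffic still sourced from the old prefix, as an added example that is not from the thread. The /48 prefixes, the pf-style ruleset and the flow records are constructed for the example. The rewrite parses each literal with Python's ipaddress module rather than doing a textual replace, so only networks inside the old /48 are moved and the subnet and interface identifier bits are kept, which is what makes the 1:1 prefix replacement Owen describes safe to automate; the monitor maps each stale source back to the address the host should now be using.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Tuple

# Constructed prefixes for the example: the old ISP's PA /48 and the new one.
OLD_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
NEW_PREFIX = ipaddress.IPv6Network("2001:db8:2::/48")


def translate(net: ipaddress.IPv6Network,
              old: ipaddress.IPv6Network = OLD_PREFIX,
              new: ipaddress.IPv6Network = NEW_PREFIX) -> ipaddress.IPv6Network:
    """1:1 prefix swap: every bit below the /48 (subnet id, interface id) is kept."""
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefixes must be the same length")
    suffix_mask = (1 << (128 - old.prefixlen)) - 1
    suffix = int(net.network_address) & suffix_mask
    return ipaddress.IPv6Network((int(new.network_address) | suffix, net.prefixlen))


# Candidate IPv6 literals in a ruleset: hex/colon runs with an optional /len.
_TOKEN = re.compile(r"[0-9A-Fa-f:]{2,}(?:/\d{1,3})?")


def renumber_rules(ruleset: str,
                   old: ipaddress.IPv6Network = OLD_PREFIX,
                   new: ipaddress.IPv6Network = NEW_PREFIX) -> str:
    """Rewrite every address or subnet inside `old` to its counterpart under `new`.

    Tokens are parsed, not string-replaced, so compressed and expanded spellings
    are both caught, and literals outside the old prefix (ULA, other /48s,
    port numbers) are left untouched.
    """
    def swap(match) -> str:
        token = match.group(0)
        if ":" not in token:              # port numbers and hex words are not addresses
            return token
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            return token
        if (net.version != 6 or net.network_address not in old
                or net.prefixlen < old.prefixlen):
            return token
        moved = translate(net, old, new)
        return str(moved) if "/" in token else str(moved.network_address)

    return _TOKEN.sub(swap, ruleset)


_SRC = re.compile(r"src=([0-9A-Fa-f:]+)")


def stale_sources(flow_log: str,
                  old: ipaddress.IPv6Network = OLD_PREFIX,
                  new: ipaddress.IPv6Network = NEW_PREFIX) -> Dict[str, Tuple[str, int]]:
    """Hosts still sourcing flows from the deprecated prefix.

    Returns {stale source: (address the host should be using, flow count)}.
    """
    counts: Counter = Counter()
    for match in _SRC.finditer(flow_log):
        src = ipaddress.IPv6Address(match.group(1))
        if src in old:
            counts[str(src)] += 1
    return {
        src: (str(translate(ipaddress.IPv6Network(src), old, new).network_address), n)
        for src, n in sorted(counts.items())
    }


# Constructed pf-style ruleset (not taken from the thread).
RULES = """\
pass in on $ext inet6 proto tcp from any to 2001:db8:1:20::25 port 25
pass in on $ext inet6 proto tcp from 2001:db8:1::/48 to any port 22
block in on $ext inet6 from fd12:3456:789a::/48 to any
pass out on $ext inet6 from 2001:db8:1:30::/64 to any
"""

# Constructed flow records from after the old prefix's preferred lifetime was
# set to 0; two hosts are still originating new flows from it.
FLOWS = """\
2010-05-02T09:00:01 src=2001:db8:2:20::a1 dst=2001:db8:ffff::1 proto=tcp dport=443
2010-05-02T09:00:02 src=2001:db8:1:20::b7 dst=2001:db8:ffff::1 proto=tcp dport=80
2010-05-02T09:00:03 src=fd12:3456:789a:20::b7 dst=fd12:3456:789a:1::53 proto=udp dport=53
2010-05-02T09:00:04 src=2001:db8:1:30::5 dst=2001:db8:eeee::9 proto=tcp dport=22
2010-05-02T09:00:05 src=2001:db8:1:20::b7 dst=2001:db8:ffff::2 proto=tcp dport=443
"""

if __name__ == "__main__":
    print(renumber_rules(RULES))
    for stale, (expected, n) in stale_sources(FLOWS).items():
        print(f"{stale} still sourcing {n} flow(s); expected {expected}")
```

The ULA rule and the port numbers survive the rewrite unchanged, and the monitor reports `2001:db8:1:20::b7` and `2001:db8:1:30::5` as the hosts needing manual intervention, each paired with its expected new-prefix address.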




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-30 Thread Paul Timmins

David Conrad wrote:
 Paul,
 
 On Apr 29, 2010, at 8:29 AM, Paul Timmins wrote:
  If you change ISPs, send out an RA with the new addresses, wait a bit, then 
  send out an RA with lifetime 0 on the old address.
 
 Even if this works (and I know a lot of applications that use the socket() API 
 that effectively cache the address returned by DNS for the lifetime of the 
 application), how does this help situations where IPv6 address literals are 
 specified in configuration files, e.g., resolv.conf, glue for authoritative DNS 
 servers, firewalls/filters, network management systems, etc.?  See sections 5 
 and 7 of 
 http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
 
 The point here is that if there is a non-zero cost associated with renumbering, 
 there will be non-zero incentive to deploy technologies such as NATv6 to reduce 
 that cost.  Some folks have made the argument that for sites large enough for 
 the cost of renumbering to be significant, they should be able to justify 
 provider independent space and be willing to accept the administrative and 
 financial cost. While this may be the case (I have some doubts that many of the 
 folks using PA space now will be all that interested in dealing with the RIR 
 system, but I may be biased), it does raise concerns about routing system 
 growth and forces ISPs to be willing to accept long IPv6 prefixes from end 
 users (which some ISPs have already said they won't do).
Put your recursors, network management systems, fileservers, etc on ULA 
addresses like I was talking about earlier. Then you don't have to 
renumber those.


So the only change you should have to make is a firewall change.

Imagine a world with RFC-1918 and public ip space safely overlaid. For 
anything you hardcode somewhere, unless it has to be publicly 
reachable, use ULA addresses and don't ever change them.


You could even choose to not have public IP space on your servers by 
removing autoconf, though you could have public space on them so they 
can apply updates, and simply block any inbound access to those 
statefully with a firewall to prevent any outside risk.


-Paul



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-30 Thread David Conrad
Owen,

On Apr 30, 2010, at 7:04 PM, Owen DeLong wrote:
 Ideally, in the vast majority of cases, resolv.conf is populated by dhcpv6 or 
 its successor.

:-).  I haven't been following the religious war against DHCPv6 -- is it now 
acceptable to get DNS information via DHCPv6? I note that MacOSX still doesn't 
appear to support DHCPv6. Does Win7?

 IPv6 also has the convenient concept of preferred and valid lifetimes on 
 addresses facilitating a convenient overlap period while both prefixes still 
 work, but, new flows should be universally originated from the specified 
 prefix. 


I'm aware of this.  It would be interesting to see how many applications 
actually take advantage of this (rant about the socket API model deleted).

 There is a non-zero cost associated with renumbering.  However, it is much 
 closer to zero than in IPv4.

I agree that it can or at least has the promise to be.

 There is also a non-zero cost to NAT.

Yes.

 Unfortunately, the costs of NAT are more on the toxic polluter basis, where 
 you must pay your own tab for renumbering. 


End users must pay the cost of renumbering in both cases.  With NAT, 
renumbering is done on the NAT box.  Without NAT, renumbering must be done 
within the entire network.  NAT can have an additional initial capital cost 
(although most CPE support NATv4 at no additional cost) and can have a 
potentially non-obvious additional opex cost associated with debugging network 
problems, application support, etc.  

In the end, it would be nice if it was a simple business decision.  In reality, 
I suspect most folks getting IPv6 prefixes from their ISP will follow the same 
model they use with IPv4 because that's what they know and it works for them.  
Hopefully, we'll see.

Regards,
-drc




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Mark Smith
On Thu, 29 Apr 2010 10:33:02 +1000
Mark Andrews ma...@isc.org wrote:

 
 In message a3f2ff6f-afe3-4ed1-ad33-5b6277249...@virtualized.org, David Conrad
 writes:
  Mark,
  
  On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote:
   Perhaps the ability to change service providers without having to renumber?
   
   We have that ability already.  Doesn't require NAT.
  
  Cool!  You've figured out, e.g., how to renumber authoritative name
  servers that you don't have direct control over!
 
 Don't do that.  It was a deliberate design decision to use names
 rather than IP addresses in NS records.  This allows the operators
 of the nameservers to change their addresses when they need to.
 
 B.T.W. we have the technology to automatically update delegations
 if we need to and have for the last 10 years.  People just need to
 stop being scared about doing it.
 
  And modify filter lists on firewalls across an enterprise network!  And
  remotely update provisioning systems and license managers without
  interrupting services!  Etc., etc.
  
  http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
  
  A tiny home office network managed by a highly technical individual with
  full control over all aspects of the network is not a good model on
  which to base the definition of we.
  
  Regards,
  -drc
 
 Well if you insist on using IP addresses rather than real crypto for access
 control.
 

I suppose it'll protect us when Skynet emerges.

I think the current security threat is the people behind the
machines, not the machines themselves and their IP addresses.

Regards,
Mark.



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Mark Smith
On Wed, 28 Apr 2010 17:04:25 -0500
Dave Pooser dave.na...@alfordmedia.com wrote:

  IPv6's fundamental goal is to restore end-to-end.
 
 For some. For many, IPv6's fundamental goal is to keep doing what we've been
 doing without running out of addresses. The fact that the two camps have
 orthogonal goals is probably part of the reason the rate of growth on IPv6
 is so slow.

Well they should realise that end-to-end is what made the Internet the
success in the first place. On the Original Internet, when you had an
IP address, one moment you could be a client, another you could be a
server, or another you could be a peer - or you could be any or all
three roles at the same time. What role you wanted to play was
completely and absolutely up to you - no third parties to ask
permission of, no router upgrades involved. You just started the
(client/server/peer-to-peer) software, and off you went.

The applications exist at the edge of the Internet - in the software
operating on the end-nodes. The Internet itself is supposed to
be a dumb, best effort packet transport between the edges - nothing
more. That is why the Original Internet was good at running any
application you threw at it, including new ones - because it never
cared what those applications were. It just tried to do its job of
getting packets from edge sources to edge destinations, regardless of
what was in them.






Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Bill Stewart
On Tue, Apr 27, 2010 at 3:24 PM, Owen DeLong o...@delong.com wrote:
 Here's an exercise.  Wipe a PC.  Put it on that cable modem with no 
 firewall.  Install XP on it.  See if you can get any service packs installed 
 before the box is infected.
 1.      Yes, I can.  I simply didn't put an IPv4 address on it. ;-)
 2.      I wouldn't hold XP up as the gold standard of hosts here.

One of my coworkers was IPv6ing his home network.  He had to turn off
the Windows firewall on the machine with the IPv6 tunnel for a couple
of minutes to install some stubborn software.  Then he had to reimage
the box because it was pwned, and he's pretty sure that the infection
came in over the IPv6 tunnel, not the hardware-firewalled IPv4.

-- 

 Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Paul Timmins

David Conrad wrote:
 On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
  I don't understand why anyone thinks NAT should be a fundamental part of the v6 internet 
 
 Perhaps the ability to change service providers without having to renumber?
Number your internal network on ULA, and put public addresses on your 
machines as well.


RFC3484 support in your OS will cause your machine to use ULA to talk to 
other ULA interfaces, and the public IP to the rest of the internet.


If you change ISPs, send out an RA with the new addresses, wait a bit, 
then send out an RA with lifetime 0 on the old address. All the machines 
should drop their old ISP's IP, and start using the new ISP, as well as 
continue using ULA like nothing's changed for the internal file 
sharing/printing/whatever
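The behaviour Paul relies on, as an added example that is not part of the thread: a model of the RFC 3484 source address selection rules that decide which of a host's own addresses is used for a given destination. Assumptions: the policy table is the default one from RFC 6724 (the revision of RFC 3484 that adds a row for ULA, fc00::/7), only rules 2, 3, 6 and 8 are modelled (the rules that need interface or routing state are left out), the host's addresses are constructed, and the deprecated flag stands for an address whose preferred lifetime an RA has set to 0.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPv6 = ipaddress.IPv6Address

# Default policy table of RFC 6724 section 2.1: (prefix, precedence, label).
# Source selection only uses the label; precedence orders destinations.
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 35, 4),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),
    (ipaddress.IPv6Network("2001::/32"), 5, 5),
    (ipaddress.IPv6Network("fc00::/7"), 3, 13),
    (ipaddress.IPv6Network("::/96"), 1, 3),
    (ipaddress.IPv6Network("fec0::/10"), 1, 11),
    (ipaddress.IPv6Network("3ffe::/16"), 1, 12),
]


def label_of(addr: IPv6) -> int:
    """Label of the longest-matching policy table row."""
    row = max((r for r in POLICY_TABLE if addr in r[0]), key=lambda r: r[0].prefixlen)
    return row[2]


def scope_of(addr: IPv6) -> int:
    """RFC 4007 scope: link-local 0x2, (deprecated) site-local 0x5, global 0xe.
    ULA is global scope (RFC 4193); it is the label, not the scope, that keeps
    ULA and PA traffic apart."""
    if addr.is_multicast:
        return int(addr.exploded[3], 16)
    if addr.is_loopback or addr.is_link_local:
        return 0x2
    if addr in ipaddress.IPv6Network("fec0::/10"):
        return 0x5
    return 0xE


def common_prefix_len(a: IPv6, b: IPv6) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dest: str, candidates: Iterable[Tuple[str, bool]]) -> str:
    """Pick the source for `dest` from (address, deprecated) candidates,
    applying rules 2, 3, 6 and 8 of RFC 3484/6724 in that order."""
    d = IPv6(dest)
    d_scope, d_label = scope_of(d), label_of(d)

    def rank(cand: Tuple[str, bool]):
        s = IPv6(cand[0])
        s_scope = scope_of(s)
        return (
            s_scope >= d_scope,                           # rule 2: scope large enough ...
            -s_scope if s_scope >= d_scope else s_scope,  # ... smallest sufficient scope wins
            not cand[1],                                  # rule 3: avoid deprecated addresses
            label_of(s) == d_label,                       # rule 6: prefer matching label
            common_prefix_len(s, d),                      # rule 8: longest matching prefix
        )

    best = max(candidates, key=rank)
    return str(IPv6(best[0]))


# Constructed host: link-local, a ULA address, the old ISP's PA address
# (deprecated by an RA with preferred lifetime 0) and the new ISP's PA address.
HOST_AFTER_LIFETIME_ZERO: List[Tuple[str, bool]] = [
    ("fe80::1234", False),
    ("fd12:3456:789a:1::10", False),
    ("2001:db8:1:1::10", True),
    ("2001:db8:2:1::10", False),
]
# The same host during the overlap period, before the old prefix was deprecated.
HOST_DURING_OVERLAP = [(a, False) for a, _ in HOST_AFTER_LIFETIME_ZERO]

if __name__ == "__main__":
    for dest in ("fd12:3456:789a:2::20", "2001:db8:ffff::1", "fe80::1"):
        print(dest, "->", select_source(dest, HOST_AFTER_LIFETIME_ZERO))
```

ULA-to-ULA traffic picks the ULA source (rule 6, matching label), the Internet destination picks the new PA address once the old one is deprecated (rule 3), and during the overlap, when both PA addresses are preferred, rule 8 steers a flow to whichever PA address shares the longer prefix with the destination.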




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Steve Bertrand
On 2010.04.28 00:04, Josh Hoppes wrote:
 I'll preface this that I'm more of an end user than a network
 administrator, but I do feel I have a good enough understanding of the
 protocols and
 network administration to submit my two cents.

You are always welcome to do so.

 The issue I see with this level of NAT, is the fact that I don't
 expect that UPNP be implemented at that level.
 I would see UPNP as being a security risk and prone to denial of
 service attacks when you have torrent clients attempting to grab every
 available port.
 
 Now that's going to create problems with services like Xbox Live which
 require UPNP to fully function since at least on one person's
 connection
 so they can host the game.

Josh, fwiw,

Not trying to hijack this thread, but please go put this over on the
ARIN-discuss list. You can subscribe here:

http://lists.arin.net/mailman/listinfo/arin-discuss

Gaming vendors is a major outreach consideration from what I gathered
from around the ARIN meeting, and it would be fantastic if you could
take that discussion over there for them (and others) to see...

Steve



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread gordon b slater
On Wed, 2010-04-28 at 02:13 -0400, Steve Bertrand wrote:
  I would see UPNP as being a security risk and prone to denial of
  service attacks when you have torrent clients attempting to grab
 every

+1
apologies if I've said this here before - UPNP = unstoppable Peek and
Poke

Gord




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Mark Smith
On Tue, 27 Apr 2010 14:29:50 -0400
Dave Israel da...@otd.com wrote:

 On 4/27/2010 1:36 PM, Andy Davidson wrote:
  On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:

  Did you use Yahoo IM, AIM, or Skype?

  Yes, yes, and yes.  Works fine.
  
  What about every other service/protocol that users use today, 
  and might be invented tomorrow ?  Do & will they all work with 
  NAT ?

 
 Sure, I can invent a service/protocol that doesn't work with NAT.  While
 I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and
 architectures using less than 256 bits of memory addressing.  I bet
 it'll be popular!
 
 

One already exists. It's called DCCP, or Datagram Congestion Control
Protocol - it's like UDP with congestion management. It'd be great to
use for Video and VoIP, which could then vary the codec parameters to
suit congestion should it occur. Shame NAT has stopped it being widely
deployed.

SCTP could be used to perform peer to peer IM and file transfers, where
the file transfer takes place within the existing SCTP connection,
rather than having to establish a separate connection. Shame NAT has
stopped it being widely deployed.

  Do many others work as well or act reliably through NAT ?

 
 Yes, nearly everything that end users use works great through NAT,
 because end users are often behind NAT and for a service to be popular,
 it has to be NAT-friendly.  Protocols that are not NAT friendly and yet
 survive are generally LAN applications that are resting on their
 NAT-unfriendliness and calling it security.
 
  Will it stop or hamper the innovation of new services on the
  internet ?

 
 Nope.
 
  The answer to these questions isn't a good one for users, so
  as the community that are best placed to defend service quality
  and innovation by preserving the end to end principal, it is 
  our responsibility to defend it to the best of our ability.

 
 The end to end principle only helps service quality and innovation when
 the services are built on an end to end model.  In a client-server world
 where addresses only identify groups of endpoints and individual
 identification is done at higher layers (which is what the ipv4+NAT
 Internet is looking like), end to endness is an anomaly, not the norm.
 
  So get busy - v6 awareness, availability and abundancy are
  overdue for our end users.

 
 Nearly all of the end users don't give a rat's hindquarters about ipv6. 
 It gives them nothing they know that they want.  Meanwhile, those who do
 know they want it are getting used to working around it, using PAT
 tricks and STUN services.  Should people *have* to use those services? 
 No.  But there's so many other things that we shouldn't have to do, but
 we do anyway because that's how it works, that these NAT-circumvention
 tricks are not a dealbreaker.
 
 Meanwhile, the NATification of the Internet continuously increases the
 contrast between services (with real addresses) and clients (with shared
 addresses).  Over time, this differentiation will increase and become
 more and more a standard (a de facto one if not an actual codified
 one.)  Clients will have shared, ephemeral addresses, and services will
 have stable ones.  This helps ensure that clients cannot generally
 communicate without a facilitating service, and every transaction will
 then have a middleman, somebody you have to pay somehow to get your
 services.  You may pay in cash, by watching commercials, by sacrificing
 personal information, or by submitting your communications to analysis
 by others, but somehow, you will pay.  The vast majority of users won't
 care; they communicate that way now, and it does not bother them much. 
 It's only those few who want to communicate without paying, in time,
 money, or privacy, or to communicate in ways other than the standard
 protocols, who will really suffer.  And their complaints will have to
 fight against the voice of those who will say, well, if you make it end
 to end, then businesses lose money, and people will be able to share
 files again and violate copyrights, and all these things will cost jobs
 and tax dollars, etc, etc.
 
 If you want to avoid that future, I strongly suggest you deploy ipv6 and
 pressure others to do the same.  But you're going to need to use valid
 arguments, about privacy and protection from the deprecations of
 unscrupulous middlemen, instead of insisting that the Internet will
 break down and die and locusts will descend from the heavens and eat our
 first born if we don't.
 
 -Dave
 
 



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Matthew Kaufman

Mark Smith wrote:
 On Tue, 27 Apr 2010 14:29:50 -0400
 Dave Israel da...@otd.com wrote:
 
  On 4/27/2010 1:36 PM, Andy Davidson wrote:
   On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
   Did you use Yahoo IM, AIM, or Skype?
   
   Yes, yes, and yes.  Works fine.
   
   What about every other service/protocol that users use today, 
   and might be invented tomorrow ?  Do & will they all work with 
   NAT ?
  
  Sure, I can invent a service/protocol that doesn't work with NAT.  While
  I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and
  architectures using less than 256 bits of memory addressing.  I bet
  it'll be popular!
 
 One already exists. It's called DCCP, or Datagram Congestion Control
 Protocol - it's like UDP with congestion management. It'd be great to
 use for Video and VoIP, which could then vary the codec parameters to
 suit congestion should it occur. Shame NAT has stopped it being widely
 deployed.
 
 SCTP could be used to perform peer to peer IM and file transfers, where
 the file transfer takes place within the existing SCTP connection,
 rather than having to establish a separate connection. Shame NAT has
 stopped it being widely deployed.
Mark, I think you made Dave's point perfectly. Sure, history will be 
littered with protocols developed after NAT was widespread but whose 
designers willfully ignored reality (often committees filled with a 
bunch of people who wanted to acknowledge reality and a few strong 
voices who want to pretend there's a world without NAT both now and in 
the IPv6 future). Many of these won't see wide deployment as a result.


You can add SIP and SDP to the list, as those were designed with an 
FTP-like belief that you can know your local address and send it around 
in the payload and expect the right thing to happen. (FTP at least had 
the excuse that it predated NAT deployment)... though SIP, for some 
inexplicable reason, has survived to make it to wide deployment anyway.


Or you can run things like DCCP and SCTP encapsulated in UDP (works just 
fine), or design a new protocol that combines the best of DCCP and SCTP 
and DTLS and mix in some IP mobility and other features and deploy it to 
almost every Internet host (what I did... the protocol is RTMFP and it 
is in every copy of Flash Player since version 10.0), or design a new 
protocol for your application which does what DCCP and DTLS do only for 
your own widely deployed application (as the Skype folks did). All of 
these are excellent approaches for having something which *actually 
works*, though imperfectly as the backlash against NATs in groups such as 
the IETF has led to a big lack of standards around how they should work.


Either applications learn to deal with NAT, in which case they thrive on 
both the heavily-NATed still-mostly-IPv4 Internet of the future *or* the 
has-NAT mostly-IPv6 Internet of the future (a great way to hedge your 
bets if you're writing protocols and applications)... or they don't 
learn to deal with NAT, in which case they don't work on today's IPv4 
Internet *and* they won't work on the heavily-NATed still-mostly-IPv4 
Internet of one possible future *or* the has-NAT mostly-IPv6 Internet of 
the future. Those won't be nearly as popular.


And in case you don't have handy a short list of why the IPv6 Internet 
will be filled with NAT, I'll give you three items to start with:


1. SOX, HIPAA, and other audit checklist compliance currently requires 
NAT for (theoretical) fail-closed and topology hiding. If IPv6 NAT 
exists, this requirement may not go away.
2. There will be a requirement for client hosts which have IPv6 SLAAC 
implementations that expose their MAC address in the low address bits to 
have those bits hidden from the outside Internet.
3. Organizations not large enough to qualify for (or who don't wish to 
bother with) PI space will deploy NAT so as to avoid internal 
renumbering of things which must have static addresses (Intranet 
servers, DNS resolvers, etc.). This is because the IPv6 future where 
every LAN is carrying multiple PA addresses to every host wasn't 
sufficiently well designed for it to actually work for either the 
multihoming case or the interior-network/outside-Internet case.


The good news is that it might be sufficient to do pure NAT and not 
NAPT, and it might be possible still to get some good standards around 
how these devices should behave... both of which aren't happening for 
the IPv4 Internet, unfortunately.


Matthew Kaufman
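Matthew's second item concerns the modified EUI-64 interface identifier that SLAAC builds from a host's MAC address (RFC 4291 appendix A). The following is an added example, not part of the thread, that derives that identifier and audits a list of addresses for ones that expose a MAC, which is the check a site would run on its own address inventory before deciding whether it needs RFC 4941 temporary addresses or a translator to hide those bits. The prefixes, MAC and sample addresses are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC:
    insert ff:fe between the OUI and the device part, flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """The address a host with `mac` autoconfigures in the /64 `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac)))


def embedded_mac(addr: str) -> Optional[str]:
    """MAC recoverable from an EUI-64 interface identifier, or None.

    The ff:fe marker is a heuristic: a random (RFC 4941) identifier can contain
    it by chance, so a hit means 'looks MAC-derived', not proof.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def audit(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it leaks, or None when the identifier is opaque."""
    return {a: embedded_mac(a) for a in addresses}


# Constructed sample: one SLAAC host, one host using RFC 4941 temporary
# addresses, and one statically numbered server.
SAMPLE = [
    "2001:db8:2:20:21b:21ff:fe3c:4d5e",
    "2001:db8:2:20:9c1e:77f4:a0b1:2d3c",
    "2001:db8:2:20::25",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(addr, "->", mac or "opaque interface identifier")
```

Note that the identifier is the same whatever prefix the host sits in, so the ULA and PA addresses of one SLAAC host share the low 64 bits; a translator that rewrites only the prefix, which is what Matthew's item 2 asks for, therefore hides nothing unless it also rewrites the identifier.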




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Mark Smith
On Wed, 28 Apr 2010 08:44:41 -0700
Matthew Kaufman matt...@matthew.at wrote:

 Mark Smith wrote:
  On Tue, 27 Apr 2010 14:29:50 -0400
  Dave Israel da...@otd.com wrote:
 

  On 4/27/2010 1:36 PM, Andy Davidson wrote:
  
  On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:


  Did you use Yahoo IM, AIM, or Skype?


  Yes, yes, and yes.  Works fine.
  
  
   What about every other service/protocol that users use today, 
   and might be invented tomorrow ?  Do & will they all work with 
   NAT ?


   Sure, I can invent a service/protocol that doesn't work with NAT.  While
   I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and
   architectures using less than 256 bits of memory addressing.  I bet
   it'll be popular!
 
 
  
 
  One already exists. It's called DCCP, or Datagram Congestion Control
  Protocol - it's like UDP with congestion management. It'd be great to
   use for Video and VoIP, which could then vary the codec parameters to
  suit congestion should it occur. Shame NAT has stopped it being widely
  deployed.
 
  SCTP could be used to perform peer to peer IM and file transfers, where
  the file transfer takes place within the existing SCTP connection,
  rather than having to establish a separate connection. Shame NAT has
  stopped it being widely deployed.

 Mark, I think you made Dave's point perfectly. Sure, history will be 
 littered with protocols developed after NAT was widespread but whose 
 designers willfully ignored reality (often committees filled with a 
 bunch of people who wanted to acknowledge reality and a few strong 
 voices who want to pretend there's a world without NAT both now and in 
 the IPv6 future). Many of these won't see wide deployment as a result.
 

I'm not sure people are understanding or know the true reality. NAT broke the
Internet's architecture, by turning IP from being a peer-to-peer
protocol into a master/slave one (think mainframes and dumb terminals).
Read RFC1958 if you don't understand what that means, specifically the
'end-to-end' principle part. IPv6's fundamental goal is to restore
end-to-end.


 You can add SIP and SDP to the list, as those were designed with an 
 FTP-like belief that you can know your local address and send it around 
 in the payload and expect the right thing to happen. (FTP at least had 
 the excuse that it predated NAT deployment)... though SIP, for some 
 inexplicable reason, has survived to make it to wide deployment anyway.
 
 Or you can run things like DCCP and SCTP encapsulated in UDP (works just 
 fine), or design a new protocol that combines the best of DCCP and SCTP 
 and DTLS and mix in some IP mobility and other features and deploy it to 
 almost every Internet host (what I did... the protocol is RTMFP and it 
 is in every copy of Flash Player since version 10.0), or design a new 
 protocol for your application which does what DCCP and DTLS do only for 
 your own widely deployed application (as the Skype folks did). All of 
 these are excellent approaches for having something which *actually 
 works*, though imperfectly as the backlash against NATs in groups such as 
 the IETF has led to a big lack of standards around how they should work.
 
 Either applications learn to deal with NAT, in which case they thrive on 
 both the heavily-NATed still-mostly-IPv4 Internet of the future *or* the 
 has-NAT mostly-IPv6 Internet of the future (a great way to hedge your 
 bets if you're writing protocols and applications)... or they don't 
 learn to deal with NAT, in which case they don't work on today's IPv4 
 Internet *and* they won't work on the heavily-NATed still-mostly-IPv4 
 Internet of one possible future *or* the has-NAT mostly-IPv6 Internet of 
 the future. Those won't be nearly as popular.
 
 And in case you don't have handy a short list of why the IPv6 Internet 
 will be filled with NAT, I'll give you three items to start with:
 
 1. SOX, HIPAA, and other audit checklist compliance currently requires 
 NAT for (theoretical) fail-closed and topology hiding. If IPv6 NAT 
 exists, this requirement may not go away.
 2. There will be a requirement for client hosts which have IPv6 SLAAC 
 implementations that expose their MAC address in the low address bits to 
 have those bits hidden from the outside Internet.
 3. Organizations not large enough to qualify for (or who don't wish to 
 bother with) PI space will deploy NAT so as to avoid internal 
 renumbering of things which must have static addresses (Intranet 
 servers, DNS resolvers, etc.). This is because the IPv6 future where 
 every LAN is carrying multiple PA addresses to every host wasn't 
 sufficiently well designed for it to actually work for either the 
 multihoming case or the interior-network/outside-Internet case.
 
 The good news is that it might be sufficient to do pure NAT and not 
 NAPT, and it might be possible still to get some good standards around 
 how these devices should 

Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Carl Rosevear
I'm not normally one to respond to NANOG messages with opinions but...

Yeah, NAT broke the internet.  Yes you can engineer around it.  There is NO 
reason to hold onto NAT as a standard. With v6 we have the opportunity to do it 
right (or at least semi-right) from the beginning, let's not choose to break it 
all from the beginning.   

Don't worry, if you understand basic routing these concepts shouldn't be hard 
for you.

And don't worry, there is still plenty of market for residential firewalls 
and all but yeah maybe they'll actually have to be a firewall/router as opposed 
to just a NAT box.

So there is my opinion; I don't understand why anyone thinks NAT should be a 
fundamental part of the v6 internet even after reading almost every message in 
this thread.  It is just a stop-gap v4 measure and yeah, before people 
understood real security it was a security thing.  Let's just move ahead with 
the good stuff!  There'll be plenty of legacy/nostalgia around for years for 
those who still want to work with it.


Just an opinion,


Carl









Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread David Conrad
On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
 I don't understand why anyone thinks NAT should be a fundamental part of the 
 v6 internet 

Perhaps the ability to change service providers without having to renumber?

Regards,
-drc




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Felipe Zanchet Grazziotin
On Wed, Apr 28, 2010 at 6:54 PM, David Conrad d...@virtualized.org wrote:

 On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
  I don't understand why anyone thinks NAT should be a fundamental part of
 the v6 internet

 Perhaps the ability to change service providers without having to renumber?


Couldn't we use link scope (or other local) addresses to local networks, and
have gateways that do 1:1 translation between those addresses and PA space?
Call it NATv6, whatever.

Nobody is going to remember addresses by hand, name servers (DNS or local
scope as avahi) will be the rule. And DHCPv6 (or router advertisement) is
how you provide your hosts access.

Maybe internal servers, such as smbfs or NFS, could be only at link scope
addresses? No need to renumber, and full protection from outsiders.



 Regards,
 -drc



Seriously,
Felipe


Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Dave Pooser
 IPv6's fundamental goal is to restore end-to-end.

For some. For many, IPv6's fundamental goal is to keep doing what we've been
doing without running out of addresses. The fact that the two camps have
orthogonal goals is probably part of the reason the rate of growth on IPv6
is so slow.
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media  http://www.alfordmedia.com





Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread William Pitcock
On Wed, 2010-04-28 at 14:54 -0700, David Conrad wrote:
 On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
  I don't understand why anyone thinks NAT should be a fundamental part of 
  the v6 internet 
 
 Perhaps the ability to change service providers without having to renumber?

DHCPv6 solves that issue if implemented correctly in the CPE
firewall/router appliance.

William




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Mark Andrews

In message 01f57362-8092-48cb-8336-15b9cc171...@virtualized.org, David Conrad
 writes:
 On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
  I don't understand why anyone thinks NAT should be a fundamental part
  of the v6 internet
 
 Perhaps the ability to change service providers without having to
 renumber?

We have that ability already.  Doesn't require NAT.

 Regards,
 -drc
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread David Barak
--- On Wed, 4/28/10, Mark Smith 
na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org wrote:
 
 I'm not sure people are understanding or know the true reality.
 NAT broke the Internet's architecture, by turning IP from being a
 peer-to-peer protocol into a master/slave one (think mainframes and dumb
 terminals). Read RFC1958 if you don't understand what that means,
 specifically the 'end-to-end' principle part. IPv6's fundamental goal is to
 restore end-to-end.

And this, in a few short sentences, is why IPv6 adoption has been so incredibly 
slow and frustrating.  For some of us, IPv6's primary benefit is solving the 
"32 bits aren't enough" problem.  For others, the commercial Internet 
architecture which evolved is aesthetically offensive, and they see IPv6 as the 
corrective mechanism.  

Only one of those two has any sort of time constraint (read: necessity), and it 
isn't the latter.  The end-to-end principle is grand, I agree - but there are 
lots of commercial considerations which I find have a higher priority for my 
customers.

David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com





  



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread David Conrad
Mark,

On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote:
 Perhaps the ability to change service providers without having to renumber?
 
 We have that ability already.  Doesn't require NAT.

Cool!  You've figured out, e.g., how to renumber authoritative name servers 
that you don't have direct control over!  And modify filter lists on a 
firewalls across an enterprise network!  And remotely update provisioning 
systems and license managers without interrupting services!  Etc., etc.

http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt

A tiny home office network managed by a highly technical individual with full 
control over all aspects of the network is not a good model on which to base 
the definition of we.

Regards,
-drc




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Mark Andrews

In message a3f2ff6f-afe3-4ed1-ad33-5b6277249...@virtualized.org, David Conrad
 writes:
 Mark,
 
 On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote:
  Perhaps the ability to change service providers without having to
  renumber?
 
  We have that ability already.  Doesn't require NAT.
 
 Cool!  You've figured out, e.g., how to renumber authoritative name
 servers that you don't have direct control over!

Don't do that.  It was a deliberate design decision to use names
rather than IP addresses in NS records.  This allows the operators
of the nameservers to change their addresses when they need to.

B.T.W. we have the technology to automatically update delegations
if we need to and have for the last 10 years.  People just need to
stop being scared about doing it.

 And modify filter
 lists on a firewalls across an enterprise network!  And remotely update
 provisioning systems and license managers without interrupting services!
  Etc., etc.
 
 http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
 
 A tiny home office network managed by a highly technical individual with
 full control over all aspects of the network is not a good model on
 which to base the definition of we.
 
 Regards,
 -drc

Well if you insist on using IP addresses rather than real crypto for access
control.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Valdis . Kletnieks
On Wed, 28 Apr 2010 14:54:04 PDT, David Conrad said:
 On Apr 28, 2010, at 2:38 PM, Carl Rosevear wrote:
  I don't understand why anyone thinks NAT should be a fundamental part
  of the v6 internet
 
 Perhaps the ability to change service providers without having to renumber?

RFC4193 or PI address space, depending what problem you're trying to solve
by not renumbering.




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Andy Davidson
On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
 Did you use Yahoo IM, AIM, or Skype?
 Yes, yes, and yes.  Works fine.

What about every other service/protocol that users use today, 
and might be invented tomorrow ?  Do & will they all work with 
NAT ?

Do many others work as well or act reliably through NAT ?

Will it stop or hamper the innovation of new services on the
internet ?

The answer to these questions isn't a good one for users, so
as the community that are best placed to defend service quality
and innovation by preserving the end to end principle, it is 
our responsibility to defend it to the best of our ability.

So get busy - v6 awareness, availability and abundancy are
overdue for our end users.

Andy



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Matthew Kaufman

Andy Davidson wrote:
 On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
   Did you use Yahoo IM, AIM, or Skype?
  Yes, yes, and yes.  Works fine.
 
 What about every other service/protocol that users use today, 
 and might be invented tomorrow ?  Do & will they all work with 
 NAT ?

Anyone inventing a new service/protocol that doesn't work with NAT isn't 
planning on success.

 Do many others work as well or act reliably through NAT ?

Yes.

 Will it stop or hamper the innovation of new services on the
 internet ?

Hasn't so far.

 The answer to these questions isn't a good one for users, so
 as the community that are best placed to defend service quality
 and innovation by preserving the end to end principle, it is 
 our responsibility to defend it to the best of our ability.

Firewalls will always break the end-to-end principle, whether or not 
addresses are identical between the inside and outside or not.

 So get busy - v6 awareness, availability and abundancy are
 overdue for our end users.

Maybe. Most of them are perfectly happy.

Matthew Kaufman




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Nick Hilliard
On 27/04/2010 18:48, Matthew Kaufman wrote:
 Anyone inventing a new service/protocol that doesn't work with NAT isn't
 planning on success.

You mean, like multisession bgp over tls?

Nick,
just sayin'



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Valdis . Kletnieks
On Tue, 27 Apr 2010 10:48:54 PDT, Matthew Kaufman said:

 Anyone inventing a new service/protocol that doesn't work with NAT isn't 
 planning on success.

Only true in the IPv4 world.  IPv6 will hopefully be different.

  The answer to these questions isn't a good one for users, so
  as the community that are best placed to defend service quality
  and innovation by preserving the end to end principle, it is 
  our responsibility to defend it to the best of our ability.

 Firewalls will always break the end-to-end principle, whether or not 
 addresses are identical between the inside and outside or not.

The difference is that if a protocol wants to be end-to-end, I can fix a
firewall to not break it.  You don't have that option with a NAT.

  So get busy - v6 awareness, availability and abundancy are
  overdue for our end users.

 Maybe. Most of them are perfectly happy.

Most of the US population was perfectly happy just before the recent
financial crisis hit.  Ignorance is bliss - but only for a little while.





Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Dave Israel
On 4/27/2010 1:36 PM, Andy Davidson wrote:
 On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
   Did you use Yahoo IM, AIM, or Skype?
  Yes, yes, and yes.  Works fine.
 
 What about every other service/protocol that users use today, 
 and might be invented tomorrow ?  Do & will they all work with 
 NAT ?

Sure, I can invent a service/protocol that doesn't work with NAT.  While
I am at it, I'll make it not work with IPv4, IPv6, Ethernet, and
architectures using less than 256 bits of memory addressing.  I bet
it'll be popular!


 Do many others work as well or act reliably through NAT ?

Yes, nearly everything that end users use works great through NAT,
because end users are often behind NAT and for a service to be popular,
it has to be NAT-friendly.  Protocols that are not NAT friendly and yet
survive are generally LAN applications that are resting on their
NAT-unfriendliness and calling it security.

 Will it stop or hamper the innovation of new services on the
 internet ?

Nope.

 The answer to these questions isn't a good one for users, so
 as the community that are best placed to defend service quality
 and innovation by preserving the end to end principle, it is 
 our responsibility to defend it to the best of our ability.

The end to end principle only helps service quality and innovation when
the services are built on an end to end model.  In a client-server world
where addresses only identify groups of endpoints and individual
identification is done at higher layers (which is what the ipv4+NAT
Internet is looking like), end to endness is an anomaly, not the norm.

 So get busy - v6 awareness, availability and abundancy are
 overdue for our end users.

Nearly all of the end users don't give a rat's hindquarters about ipv6. 
It gives them nothing they know that they want.  Meanwhile, those who do
know they want it are getting used to working around it, using PAT
tricks and STUN services.  Should people *have* to use those services? 
No.  But there's so many other things that we shouldn't have to do, but
we do anyway because that's how it works, that these NAT-circumvention
tricks are not a dealbreaker.

Meanwhile, the NATification of the Internet continuously increases the
contrast between services (with real addresses) and clients (with shared
addresses).  Over time, this differentiation will increase and become
more and more a standard (a de facto one if not an actual codified
one.)  Clients will have shared, ephemeral addresses, and services will
have stable ones.  This helps ensure that clients cannot generally
communicate without a facilitating service, and every transaction will
then have a middleman, somebody you have to pay somehow to get your
services.  You may pay in cash, by watching commercials, by sacrificing
personal information, or by submitting your communications to analysis
by others, but somehow, you will pay.  The vast majority of users won't
care; they communicate that way now, and it does not bother them much. 
It's only those few who want to communicate without paying, in time,
money, or privacy, or to communicate in ways other than the standard
protocols, who will really suffer.  And their complaints will have to
fight against the voice of those who will say, well, if you make it end
to end, then businesses lose money, and people will be able to share
files again and violate copyrights, and all these things will cost jobs
and tax dollars, etc, etc.

If you want to avoid that future, I strongly suggest you deploy ipv6 and
pressure others to do the same.  But you're going to need to use valid
arguments, about privacy and protection from the depredations of
unscrupulous middlemen, instead of insisting that the Internet will
break down and die and locusts will descend from the heavens and eat our
first born if we don't.

-Dave




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Jon Lewis

On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:

 The difference is that if a protocol wants to be end-to-end, I can fix a
 firewall to not break it.  You don't have that option with a NAT.

Maybe we want end-to-end to break.

Firewalls can trivially be misconfigured such that they're little more 
than routers, fully exposing all the hosts behind them to everything bad 
the internet has to offer (hackers, malware looking to spread itself, 
etc.).

At least with NAT, if someone really screws up the config, the inside 
stuff is all typically on non-publicly-routed IPs, so the worst likely to 
happen is they lose internet, but at least the internet can't directly 
reach them.

This has to be one of the bigger reasons people actually like using NAT.

--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Owen DeLong

On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote:

 Andy Davidson wrote:
  On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
    Did you use Yahoo IM, AIM, or Skype?
   Yes, yes, and yes.  Works fine.
  
  What about every other service/protocol that users use today, and might be 
  invented tomorrow ?  Do & will they all work with NAT ?
 
 Anyone inventing a new service/protocol that doesn't work with NAT isn't 
 planning on success.

Respectfully, I disagree.  There are many possible innovations that are 
available in a NAT-less world and it is desirable to get to that point rather 
than hamper future innovation with this obsolete baggage.

  Do many others work as well or act reliably through NAT ?
 
 Yes.

In reality, it's more like some yes, some not so much.

  Will it stop or hamper the innovation of new services on the
  internet ?
 
 Hasn't so far.

Here I have to call BS... I know of a number of cases where it has.

  The answer to these questions isn't a good one for users, so
  as the community that are best placed to defend service quality
  and innovation by preserving the end to end principle, it is our 
  responsibility to defend it to the best of our ability.
 
 Firewalls will always break the end-to-end principle, whether or not 
 addresses are identical between the inside and outside or not.

Yes and no.  Firewalls will always break the idea of global universal 
end-to-end reachability.

They do not break the end-to-end principle except when NAT is involved.

The end-to-end principle is that the original layer 3+ information arrives at 
the layer 3 destination un-mangled by intermediate devices when it is a 
permitted type of traffic. Blocking unwanted flows does not break the 
end-to-end principle. Maiming and distorting data contained in the datagram, 
including the headers, on the other hand does break the end-to-end principle.

  So get busy - v6 awareness, availability and abundancy are
  overdue for our end users.
 
 Maybe. Most of them are perfectly happy.
 
This word "Most", it does not mean what you appear to think it means.

Owen




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Valdis . Kletnieks
On Tue, 27 Apr 2010 14:37:08 EDT, Jon Lewis said:

 Maybe we want end-to-end to break.
 
 Firewalls can trivially be misconfigured such that they're little more 
 than routers, fully exposing all the hosts behind them to everything bad 
 the internet has to offer (hackers, malware looking to spread itself, 
 etc.).
 
 At least with NAT, if someone really screws up the config, the inside 
 stuff is all typically on non-publicly-routed IPs, so the worst likely to 
 happen is they lose internet, but at least the internet can't directly 
 reach them.

You *do* realize that the skill level needed to misconfigure a firewall
into that state, and the skill level needed to do the exact same thing to
a firewall-NAT box, are *both* less than the skill level needed to remember
to also deploy traffic monitors so you know you screwed up, and host-based
firewalls to guard against chuckleheads screwing up the border box?

In other words, if your security scheme relies on that supposed feature of NAT,
you have *other* things you need to be working on.




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Matthew Kaufman

Owen DeLong wrote:
 On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote:
  Andy Davidson wrote:
   On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
     Did you use Yahoo IM, AIM, or Skype?
    Yes, yes, and yes.  Works fine.
   
   What about every other service/protocol that users use today, and might be invented 
   tomorrow ?  Do & will they all work with NAT ?
  
  Anyone inventing a new service/protocol that doesn't work with NAT isn't 
  planning on success.
 
 Respectfully, I disagree.  There are many possible innovations that are 
 available in a NAT-less world and it is desirable to get to that point rather 
 than hamper future innovation with this obsolete baggage.

I would argue that every one of those innovations, if even passably 
useful, can also be implemented in a NAT-full world.

   Do many others work as well or act reliably through NAT ?
  
  Yes.
 
 In reality, it's more like some yes, some not so much.

== Some designed to work properly in the face of NAT, some ignored 
reality at their peril.

   Will it stop or hamper the innovation of new services on the
   internet ?
  
  Hasn't so far.
 
 Here I have to call BS... I know of a number of cases where it has.

Ok, you called it... so where's the list of such services that haven't 
materialized as a result of NAT?


Matthew Kaufman




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Jon Lewis

On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:

  At least with NAT, if someone really screws up the config, the inside
  stuff is all typically on non-publicly-routed IPs, so the worst likely to
  happen is they lose internet, but at least the internet can't directly
  reach them.

 You *do* realize that the skill level needed to misconfigure a firewall
 into that state, and the skill level needed to do the exact same thing to
 a firewall-NAT box, are *both* less than the skill level needed to remember
 to also deploy traffic monitors so you know you screwed up, and host-based
 firewalls to guard against chuckleheads screwing up the border box?

I think you forget where most networking is done.  Monitoring?  You mean 
something beyond walking down the hall to the network closet and seeing 
all the blinking lights are flashing really fast?

How about the typical home DSL/Cable modem user?  Do you think they even 
know what SNMP is?  Do you think they have host based firewalls on all 
their PCs?  Do you want mom and dad's PCs exposed on the internet, or 
neatly hidden behind a NAT device they don't even realize is built into 
their cable/DSL router?


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Owen DeLong

On Apr 27, 2010, at 11:49 AM, Matthew Kaufman wrote:

 Owen DeLong wrote:
  On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote:
   Andy Davidson wrote:
    On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
      Did you use Yahoo IM, AIM, or Skype?
     Yes, yes, and yes.  Works fine.
    
    What about every other service/protocol that users use today, and might be 
    invented tomorrow ?  Do & will they all work with NAT ?
   
   Anyone inventing a new service/protocol that doesn't work with NAT isn't 
   planning on success.
  
  Respectfully, I disagree.  There are many possible innovations that are 
  available in a NAT-less world and it is desirable to get to that point 
  rather than hamper future innovation with this obsolete baggage.
 
 I would argue that every one of those innovations, if even passably useful, 
 can also be implemented in a NAT-full world.

Perhaps, but, often at significant additional code, development time, QA 
resources and other costs.
Also, often at a degraded level requiring a non-NAT'd third-party broker to 
intermediate between any two NAT'd parties attempting to trade information.

    Do many others work as well or act reliably through NAT ?
   
   Yes.
  
  In reality, it's more like some yes, some not so much.
 
 == Some designed to work properly in the face of NAT, some ignored reality at 
 their peril.

We can agree to disagree about this. The reality is that there are cool things 
you can do with peer to peer networking that simply aren't possible in an 
enforced client-server model.
NAT enforces a client-server model and permanently and irrevocably relegates 
some administrative domains to the client role. This is an unfair disadvantage 
to the users within those domains when it is not by the choice of the 
administrator (and NAT in IPv4 so far, often is not).

    Will it stop or hamper the innovation of new services on the
    internet ?
   
   Hasn't so far.
  
  Here I have to call BS... I know of a number of cases where it has.
 
 Ok, you called it... so where's the list of such services that haven't 
 materialized as a result of NAT?
 
Haven't materialized, for one, is an attempt to redefine the question.  Note 
that the original question included hamper.  I would argue that the cost of 
maintaining a NAT compatibility lab and the QA staff to use it is a sufficient 
burden to call it hamper.

For the ones that did not materialize, however, I am at an unfortunate 
disadvantage in the argument.  I can tell you that I know of at least 5 such 
cases.  However, I cannot reveal the details because I am under NDA to the 
companies that were developing these products. I can tell you that in 3 of the 
5 cases, adapting them to cope with a NAT world would have required the company 
to run an external service in perpetuity (or at least so long as the 
application would function, no server, no function) in order to do the 
match-making between clients that could not directly reach each-other.

I guess a good analogy is this:

In a NAT world, you have only matchmaking services and all of your ability to 
meet potential mates is strictly controlled through these matchmaking services. 
There are many services available independent of each other, and, each has its 
own limitations, biases, and quirks. However, you cannot meet potential mates 
without involving at least one matchmaker.

In a NAT-Free world, you have the ability to use a matchmaking service if you 
like, but, you also have the ability to meet potential mates at bars, in the 
grocery store, on the street, in restaurants, through chance meetings, 
introductions by a friend, or even at work.

It is possible that if you never knew it was possible to meet potential mates 
in all of these other ways, you would happily deal with a vast number of 
matchmaking services hoping to find a useful result. On the other hand, if you 
were to ask the average person who has experienced the latter scenario if they 
would be willing to limit their choices to only using a dating service, my 
guess would be that most people would reject the idea outright.

Owen




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Valdis . Kletnieks
On Tue, 27 Apr 2010 14:54:07 EDT, Jon Lewis said:

 I think you forget where most networking is done.  Monitoring?  You mean 
 something beyond walking down the hall to the network closet and seeing 
 all the blinking lights are flashing really fast?

That site will manage to chucklehead their config whether or not it's NAT'ed.

 How about the typical home DSL/Cable modem user?

And they won't manage to chucklehead their config, even if it's not NAT'ed.
 
  Do you think they even 
 know what SNMP is?  Do you think they have host based firewalls on all 
 their PCs?

Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
has a perfectly functional firewall out of the box, and earlier Windows had
a firewall but it didn't do 'default deny inbound' out of the box.

Those people with XBoxes and Playstations and so on can take it up with their
vendors - they were certainly *marketed* as "plug it in and network", and at
least my PS/2 and PS/3 didn't come with a "Warning: Do Not Use Without a NAT"
sticker on them.

So who doesn't have a host-based firewall in 2010? The idea is old enough
that it's *really* time to play name-and-blame.

 Do you want mom and dad's PCs exposed on the internet, or 
 neatly hidden behind a NAT device they don't even realize is built into 
 their cable/DSL router?

Be careful here - I know that at least in my neck of Comcast cable, you can go
to Best Buy, get a cablemodem, plug the cable in one side, plug an ethernet and
one machine in the other side, and be handed a live on-the-network DHCP address
that works just fine except for outbound port 25 being blocked.  For the past
month or so, my laptop has gotten 71.63.92.124 every night when I get home,
which certainly doesn't look very NAT'ed.

Are you *really* trying to suggest that a PC is not fit-for-purpose
for that usage, and *requires* a NAT and other hand-holding?

And for the record - I don't worry about my mother's PC being exposed on the
Internet, because she's running Vista, which has a sane firewall by default.
What *does* worry me is that she's discovered Facebook, and anything she clicks
on there will not have the *slightest* bit of trouble whomping her machine
through a NAT.

Let's be realistic - what was the last time we had a *real* threat that a
NAT would have stopped but the XP SP2 firewall would not have stopped? And
how many current threats do we have that are totally NAT-agnostic?





Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Jon Lewis

On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:

 That site will manage to chucklehead their config whether or not it's NAT'ed.

True...but when they do it and all their important stuff is in 
192.168.0/24, you still can't reach it...and if they break NAT, at least 
their internet breaks.  i.e. they'll know it's broken.  When they change 
the default policy on the firewall to Accept/Allow all, everything will 
still work...until all their machines are infected with enough stuff to 
break them.

 Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
 has a perfectly functional firewall out of the box, and earlier Windows had
 a firewall but it didn't do 'default deny inbound' out of the box.

Linux can have a firewall.  Not all distros default to having any rules. 
XP can (if you want to call it that).  I don't have any experience with 
MacOS.  Both my kids run Win2k (to support old software that doesn't run 
well/at all post-2k).  I doubt that's all that unusual.

 Are you *really* trying to suggest that a PC is not fit-for-purpose
 for that usage, and *requires* a NAT and other hand-holding?

Here's an exercise.  Wipe a PC.  Put it on that cable modem with no 
firewall.  Install XP on it.  See if you can get any service packs 
installed before the box is infected.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Owen DeLong

On Apr 27, 2010, at 2:25 PM, Jon Lewis wrote:

 On Tue, 27 Apr 2010 valdis.kletni...@vt.edu wrote:
 
 That site will manage to chucklehead their config whether or not it's NAT'ed.
 
 True...but when they do it and all their important stuff is in 192.168.0/24, 
 you still can't reach it...and if they break NAT, at least their internet 
 breaks.  i.e. they'll know it's broken.  When they change the default policy 
 on the firewall to Accept/Allow all, everything will still work...until all 
 their machines are infected with enough stuff to break them.
 
Nah... They'll chucklehead forward something to 135-139/TCP on the box with all 
the important stuff just fine.
NAT won't save them from this.

 Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
 has a perfectly functional firewall out of the box, and earlier Windows had
 a firewall but it didn't do 'default deny inbound' out of the box.
 
 Linux can have a firewall.  Not all distros default to having any rules. XP 
 can (if you want to call it that).  I don't have any experience with MacOS.  
 Both my kids run Win2k (to support old software that doesn't run well/at all 
 post-2k).  I doubt that's all that unusual.
 
And the rest of the world should pay for your kid's legacy requirements why?

 Are you *really* trying to suggest that a PC is not fit-for-purpose
 for that usage, and *requires* a NAT and other hand-holding?
 
 Here's an exercise.  Wipe a PC.  Put it on that cable modem with no firewall. 
  Install XP on it.  See if you can get any service packs installed before the 
 box is infected.
 
1.  Yes, I can.  I simply didn't put an IPv4 address on it. ;-)
2.  I wouldn't hold XP up as the gold standard of hosts here.

Owen




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread James Hess
On Tue, Apr 27, 2010 at 4:25 PM, Jon Lewis jle...@lewis.org wrote:
 breaks.  i.e. they'll know it's broken.  When they change the default policy
 on the firewall to Accept/Allow all, everything will still work...until all
 their machines are infected with enough stuff to break them.

The same is true with IPv4 + NAT, in terms of real-world net security.
Because security attacks against end-user equipment commonly come
from either an e-mail message the user is expected to errantly click
on, or a malicious website designed to exploit the latest
$MsOffice_Acrobat_Javascript_OR_Flash_Vuln_DU_Jour.

If a user accidentally turns off their outbound filtering software,
even an IPv4 user behind a NAT setup still has a pretty bad security
posture.


Fortunately, the IPv6 address space is so large and sparse that
scanning it would be quite a feat, even if a random outside attacker
already knew for a fact that a certain /64 probably contains a
vulnerable host.  Scanning IPv6 addresses by brute force is as
computationally hard as figuring out the 16-bit port number pairs
of an IPv4 NAT user's open connection, in order to fool their
NAT device and partially hijack the user's HTTP connection and
inject malicious code into their stream.

By the way, if an attacker actually can figure out the port number
pairs of a session recognized by the NAT device, the illusion of
security offered by the NAT setup potentially starts to crumble;
either way it's 32 bits to be guessed within a fairly limited
timeframe.

--
-J



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Mark Andrews

In message pine.lnx.4.61.1004271718210.5...@soloth.lewis.org, Jon Lewis 
writes:
 Both my kids run Win2k (to support old software that doesn't run 
 well/at all post-2k).  I doubt that's all that unusual.

Then they won't have IPv6 and hence are irrelevant to the discussion
about IPv6 NAT.
 
As for built-in firewalls, even my Brother printer has a firewall
built into it, and it supports IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Matthew Kaufman

Owen DeLong wrote:
> On Apr 27, 2010, at 11:49 AM, Matthew Kaufman wrote:
>> Owen DeLong wrote:
>>> On Apr 27, 2010, at 10:48 AM, Matthew Kaufman wrote:
>>>> Andy Davidson wrote:
>>>>> On Tue, Apr 20, 2010 at 11:29:59AM -0400, John R. Levine wrote:
>>>>>>> Did you use Yahoo IM, AIM, or Skype?
>>>>>>
>>>>>> Yes, yes, and yes.  Works fine.
>>>>>
>>>>> What about every other service/protocol that users use today, and might be invented
>>>>> tomorrow?  Do/will they all work with NAT?
>>>>
>>>> Anyone inventing a new service/protocol that doesn't work with NAT isn't
>>>> planning on success.
>>>
>>> Respectfully, I disagree.  There are many possible innovations that are
>>> available in a NAT-less world and it is desirable to get to that point rather
>>> than hamper future innovation with this obsolete baggage.
>>
>> I would argue that every one of those innovations, if even passably useful, can
>> also be implemented in a NAT-full world.
>
> Perhaps, but, often at significant additional code, development time, QA
> resources and other costs.
> Also, often at a degraded level requiring a non-NAT'd third-party broker to
> intermediate between any two NAT'd parties attempting to trade information.

Yes, there's additional development, but if NAT was more standardized 
(which it has a chance of being for IPv6, if we'd just stop arguing 
about whether or not it is going to happen... it'll happen, the question 
is whether or not there'll be a standard to follow) that development 
cost could be nearly a one-time library cost vs. custom code to deal 
with every situation and changing situations.

>>>>> Do many others work as well or act reliably through NAT?
>>>>
>>>> Yes.
>>>
>>> In reality, it's more like some yes, some not so much.
>>
>> == Some designed to work properly in the face of NAT, some ignored reality at
>> their peril.
>
> We can agree to disagree about this. The reality is that there are cool things
> you can do with peer to peer networking that simply aren't possible in an
> enforced client-server model.

Agreed.

> NAT enforces a client-server model and permanently and irrevocably relegates
> some administrative domains to the client role. This is an unfair disadvantage
> to the users within those domains when it is not by the choice of the
> administrator (and NAT in IPv4 so far, often is not).

No. Most NAT *doesn't* enforce a client-server model, it enforces a 
deliberate signaling model for establishing peer-to-peer communication, 
and allows open client-server communication (and most communication is, 
and will forever be, client-server). Assuming, again, that the NATs 
behave reasonably when trying to do peer-to-peer communication through 
them, which most (over 90% of what's deployed for IPv4) do. And *all* 
could, if there were standards people could code to. Which, again, for 
IPv6 there could be, if we'd stop claiming that NAT will never happen / 
is a bad idea and so shouldn't be standardized / etc.

>>>>> Will it stop or hamper the innovation of new services on the
>>>>> internet?
>>>>
>>>> Hasn't so far.
>>>
>>> Here I have to call BS... I know of a number of cases where it has.
>>
>> Ok, you called it... so where's the list of such services that haven't
>> materialized as a result of NAT?
>
> "Haven't materialized", for one, is an attempt to redefine the question.  Note that the original
> question included "hamper".  I would argue that the cost of maintaining a NAT
> compatibility lab and the QA staff to use it is a sufficient burden to call it "hamper".

Again, such a lab would not be needed if NAT operation were codified in 
standards. Which could happen, if not for the vocal set who keeps 
arguing against them, even when there's 5+ good reasons for them, even 
in IPv6.

> For the ones that did not materialize, however, I am at an unfortunate
> disadvantage in the argument.  I can tell you that I know of at least 5 such
> cases.  However, I cannot reveal the details because I am under NDA to the
> companies that were developing these products. I can tell you that in 3 of the
> 5 cases, adapting them to cope with a NAT world would have required the company
> to run an external service in perpetuity (or at least so long as the
> application would function, no server, no function) in order to do the
> match-making between clients that could not directly reach each-other.
>
> I guess a good analogy is this:
>
> In a NAT world, you have only matchmaking services and all of your ability to
> meet potential mates is strictly controlled through these matchmaking services.
> There are many services available independent of each other, and, each has its
> own limitations, biases, and quirks. However, you cannot meet potential mates
> without involving at least one matchmaker.

True, but that's essentially true for all software, and certainly true 
for all web-based software.

> In a NAT-Free world, you have 

Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Matthew Kaufman

James Hess wrote:



> Fortunately, the IPv6 address space is so large and sparse, that
> scanning it would be quite a feat, even if a random outside attacker
> already knew for a fact that a certain /64 probably contains a
> vulnerable host.

All I need to do is run a popular web site on the IPv6 Internet, and I 
get all the addresses of connected hosts I want. That 
"address-space-scanning is hard" is nearly irrelevant.


Matthew Kaufman



the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Josh Hoppes
I'll preface this by saying that I'm more of an end user than a network
administrator, but I do feel I have a good enough understanding of the
protocols and network administration to submit my two cents.

The issue I see with this level of NAT is the fact that I don't
expect that UPnP will be implemented at that level.
I would see UPnP as being a security risk and prone to denial of
service attacks when you have torrent clients attempting to grab every
available port.

Now that's going to create problems with services like Xbox Live, which
require UPnP to fully function, since it is needed on at least one person's
connection so they can host the game. When you're looking at player counts in
the millions I'm fairly sure that they are going to be affected by
CGN. That's one application I expect to see broken by such large scale NAT
implementations.



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Adrian Chadd
On Tue, Apr 27, 2010, Matthew Kaufman wrote:

 Fortunately, the IPv6  address space is so large and sparse, that
 scanning it would be quite a feat,  even if a random outside attacker
 already knew   for a fact  that a certain /64  probably contains a
 vulnerable host. 
 All I need to do is run a popular web site on the IPv6 Internet, and I 
 get all the addresses of connected hosts I want. That 
 address-space-scanning is hard is nearly irrelevant.

or troll popular IPv6 bittorrent end points when that becomes popular.


Adrian




Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Jens Link
John R. Levine jo...@iecc.com writes:

 Did you run any services?

 Of course not, it's consumer DSL.  I run services on my server which is
 somewhere else and tunnel in via ssh which, of course, works fine
 through NAT.

Take a look at all those small SOHO storage boxes. They all offer web
and FTP services and they all support something like dyndns. Customers
want these features and are using these features. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-20 Thread John R. Levine

Did you use Yahoo IM, AIM, or Skype?


Yes, yes, and yes.  Works fine.


Did you use any of those for
Video Chat and/or to transfer files?


Skype video chat, all the time, works fine.  Don't remember about file 
transfer.



Did you do any peer to peer filesharing?


Yeah, I got the latest Freebsd via bittorrent, and left it up overnight 
and observed from the stats that it served chunks of it back to other 
people.



Did you play any MMOs?


No, I noted the game players.


Did you run any services?


Of course not, it's consumer DSL.  I run services on my server which is 
somewhere else and tunnel in via ssh which, of course, works fine through 
NAT.



When you add in the other things that break which I have outlined above,
you start to approach 75%. I would argue that 75% is a significant and
meaningful fraction of an ISPs customer base.


The hypothetical network that your consumers would use appears to be very 
different from the actual one available to consumers around here.


R's,
John



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mikael Abrahamsson

On Tue, 20 Apr 2010, John R. Levine wrote:

Skype video chat, all the time, works fine.  Don't remember about file 
transfer.


Whenever I am behind NAT and talk to someone else who is behind NAT Skype 
seems to lower the quality; my guess is it's because it now bounces traffic 
via another non-NATed node.


These kinds of applications work best if there is at least one non-NATed 
party involved, especially for video etc.


--
Mikael Abrahamsson    email: swm...@swm.pp.se



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Eliot Lear



On 4/20/10 6:38 PM, Mikael Abrahamsson wrote:

On Tue, 20 Apr 2010, John R. Levine wrote:

Skype video chat, all the time, works fine.  Don't remember about 
file transfer.


Whenever I am behind NAT and talk to someone else who is behind NAT 
Skype seems to lower the quality; my guess is it's because it now bounces 
traffic via another non-NATed node.


These kinds of applications work best if there is at least one 
non-NATed party involved, especially for video etc.


My own experience is that Skype quality lags that of iChat A/V, but I 
had always attributed that to iChat having better codecs.  I could be 
wrong.  iChat A/V, on the other hand, seems to have a heart attack when 
both sides have private addresses, and the firewall configuration is 
non-trivial.


But I think we're going about this the wrong way.  I wonder if we could 
change the way we do business in the longer term if everyone had public 
address space.  As an application guy, I dislike the fact that people 
have to rely on some sort of service to share their calendars.  That 
makes great sense for the service provider, and it even makes sense for 
the consumer right now due to the state of the art.  But perhaps the 
times could change.


There are lots of use cases where connecting into the house would be 
nice.  Baby monitoring, security monitoring, Smart this, smart that, 
etc.  Instead we require extra middleware to make it all work.  The 
economics are, if nothing else, a painful lesson.


Eliot



Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Smith
On Tue, 20 Apr 2010 18:38:33 +0200 (CEST)
Mikael Abrahamsson swm...@swm.pp.se wrote:

 On Tue, 20 Apr 2010, John R. Levine wrote:
 
  Skype video chat, all the time, works fine.  Don't remember about file 
  transfer.
 
 Whenever I am behind NAT and talk to someone else who is behind NAT Skype 
 seems to lower the quality; my guess is it's because it now bounces traffic 
 via another non-NATed node.
 

I think that means skype will be ported to IPv6 pretty quickly. CGN/LSN
is going to dramatically reduce the number of 'super nodes' with public
IPv4 addresses to relay calls through. That'll be particularly
unfair to people in Australia, because here we have a per-month quota
system e.g. 20GB of downloads and/or uploads a month. I wouldn't want
my quota being chewed up by lots of other people's phone calls.

 These kinds of applications work best if there is at least one non-NATed 
 party involved, especially for video etc.
 
 -- 
 Mikael Abrahamsson    email: swm...@swm.pp.se
 

Regards,
Mark.