Its not exactly a surprise, folk seem to place a higher premium on shooting NAT
than anything else. Meanwhile the vast majority of residential broadband access
is behind NAT.
And from a security point I want to see as much NAT as possible. Without NAT we
would be in a much worse situation secur
>Its not exactly a surprise, folk seem to place a higher premium on
>shooting NAT than anything else. Meanwhile the vast majority of
>residential broadband access is behind NAT.
>
>And from a security point I want to see as much NAT as possible. Without
>NAT we would be in a much worse situation se
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>
> >Its not exactly a surprise, folk seem to place a higher premium on
> >shooting NAT than anything else. Meanwhile the vast majority of
> >residential broadband access is behind NAT.
> >
> >And from a security point I want to see as much
On 7/2/07 11:14 AM, "Hallam-Baker, Phillip" <[EMAIL PROTECTED]> wrote:
> There is no other device that can provide me with a lightweight firewall for
> $50.
Of course there is - the same device that's providing the NAT.
NAT by itself is intrinsically policy-free, although it implements
policy as
> From: Melinda Shore [mailto:[EMAIL PROTECTED]
> On 7/2/07 11:14 AM, "Hallam-Baker, Phillip"
> <[EMAIL PROTECTED]> wrote:
> > There is no other device that can provide me with a lightweight
> > firewall for $50.
>
> Of course there is - the same device that's providing the NAT.
The $50 incl
On 7/2/07 12:40 PM, "Hallam-Baker, Phillip" <[EMAIL PROTECTED]> wrote:
> The $50 includes the cost of administration. I get the NAT effect for free
> when I plug the box in. Turning it off on the other hand requires rather a lot
> of thinking for the average user.
There's no reason that a default
On Monday, July 02, 2007 07:01:28 AM -0700 "Hallam-Baker, Phillip"
<[EMAIL PROTECTED]> wrote:
And from a security point I want to see as much NAT as possible.
Whereas I want my applications to work, and people to stop conflating NAT
and firewalls.
You don't want to see as much NAT as po
There is no other device that can provide me with a lightweight firewall for
$50.
Yes there is; it's a SOHO gateway with its NAT function switched
off for use with a "fixed IP address".
SOHO gateways with IPv6 support will provide exactly as much firewall
protection as a NAT-capable IPv4 SOH
--On Monday, 02 July, 2007 13:06 -0400 Jeffrey Hutzelman
<[EMAIL PROTECTED]> wrote:
>...
> That is _not_ because NAT makes the network more secure - it
> doesn't.
> It's because most of the people buying those boxes "need" NAT
> because their ISP's won't give them more than one address, or
> at
Brian E Carpenter wrote:
>
>> There is no other device that can provide me with a lightweight
>> firewall for $50.
>
> Yes there is; it's a SOHO gateway with its NAT function switched
> off for use with a "fixed IP address".
>
> SOHO gateways with IPv6 support will provide exactly as much firewa
-Original Message-
> From: Melinda Shore [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 02, 2007 12:51 PM
> To: Hallam-Baker, Phillip; [EMAIL PROTECTED]
> Cc: ietf@ietf.org
> Subject: Re: Domain Centric Administration, RE:
> draft-ietf-v6ops-natpt-to-historic-00.txt
>
and the cost of
administration pain point.
> -Original Message-
> From: John C Klensin [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 02, 2007 2:06 PM
> To: Jeffrey Hutzelman
> Cc: ietf@ietf.org
> Subject: Re: Domain Centric Administration, RE:
> draft-ietf-v6ops-natpt-to-hi
On Jul 2, 2007, at 8:14 AM, Hallam-Baker, Phillip wrote:
My point here is that the principal objection being raised to NAT,
the limitation on network connectivity is precisely the reason why
it is beneficial.
There is no other device that can provide me with a lightweight
firewall for $
Hallam-Baker, Phillip wrote:
> Its not exactly a surprise, folk seem to place a higher premium on shooting
> NAT than anything else. Meanwhile the vast majority of residential broadband
> access is behind NAT.
>
> And from a security point I want to see as much NAT as possible. Without NAT
> we
Hallam-Baker, Phillip wrote:
> It is equally a layer violation for FTP to communicate IP addresses and port
> numbers in the protocol. An application should not know if the transport is
> IPv4, IPv6 or SNA.
dream on. in every case where I have worked with an application that
tried to be indepe
> From: Keith Moore [mailto:[EMAIL PROTECTED]
> from a security point the thing to do is for everyone to
> disconnect from the Internet and go back to stone knives and
> bear skins.
That does not work. The Internet has driven a coach and horses through the
assumptions that underly the fina
>> from a security point the thing to do is for everyone to
>> disconnect from the Internet and go back to stone knives and
>> bear skins.
>>
>
> That does not work. The Internet has driven a coach and horses through the
> assumptions that underly the financial services infrastructure even
> From: Keith Moore [mailto:[EMAIL PROTECTED]
> > Oh so I am the one who is peddling FUD eh? The above pretty
> much looks like FUD to me.
> >
> you were the one trying to cripple residential users.
No, I was intending to cripple their machines which is not the same thing at
all.
Specific
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>
> >=20
> > >Its not exactly a surprise, folk seem to place a higher premium on=20
> > >shooting NAT than anything else. Meanwhile the vast majority of=20
> > >residential broadband access is behind NAT.
> > >
> > >And from a security point
> > There is no other device that can provide me with a lightweight firewall
> > for $50.
>
> Yes there is; it's a SOHO gateway with its NAT function switched
> off for use with a "fixed IP address".
>
> SOHO gateways with IPv6 support will provide exactly as much firewall
> protection as a NAT-
> My point here is that the principal objection being raised to NAT, the
> limitation on network connectivity is precisely the reason why it is
> beneficial.
>
> There is no other device that can provide me with a lightweight firewall for
> $50.
other reponses gave you some good news.
As the administrator of several small networks, it is quite simple. By
re-writing the address, the NAT is a defacto default deny. I have a lot
more trust in the simplicity of a basic NAT in a consumer firewall then I
do in any firewall which has to examine each packet for conformance to
complex po
> As the administrator of several small networks, it is quite simple. By
> re-writing the address, the NAT is a defacto default deny. I have a lot
> more trust in the simplicity of a basic NAT in a consumer firewall then I
> do in any firewall which has to examine each packet for conformance to
>
That is pretty much it
The one additional point being that we all take a realistic view of what people
out there will actually pay for and what they will actually use.
I can manage get people to pay for security. Getting them to then use the
security they have paid for is a much harder problem.
> Hallam-Baker, Phillip wrote:
> > It is equally a layer violation for FTP to communicate IP addresses and
> > port numbers in the protocol. An application should not know if the
> > transport is IPv4, IPv6 or SNA.
> dream on. in every case where I have worked with an application that
> tried t
Mark,
On Jul 2, 2007, at 6:49 PM, Mark Andrews wrote:
People arn't bashing NAT.
Oh, please. Sure they are.
They are saying that NAT is not
a appropriate for solution in a IPv6 world. It adds a lot
more complexity than just a stateful firewall.
A stateful fi
>> dream on. in every case where I have worked with an application that
>> tried to be independent of lower layers, that has failed. there's
>> always been some need for the application to be aware of the
>> characteristics of an underlying layer. TCP and SCTP aren't
>> semantically equivalent
> Mark,
>
> On Jul 2, 2007, at 6:49 PM, Mark Andrews wrote:
> > People arn't bashing NAT.
>
> Oh, please. Sure they are.
>
> > They are saying that NAT is not
> > a appropriate for solution in a IPv6 world. It adds a lot
> > more complexity than just a stateful firewall.
>
At 08:14 02-07-2007, Hallam-Baker, Phillip wrote:
My point here is that the principal objection being raised to NAT,
the limitation on network connectivity is precisely the reason why
it is beneficial.
There is no other device that can provide me with a lightweight
firewall for $50.
NAT is
> > They are saying that NAT is not
> > a appropriate for solution in a IPv6 world. It adds a lot
> > more complexity than just a stateful firewall.
>
> A stateful firewall doesn't also provides provider
> independence and an ability to have a form of multi-homing
> without play
On 7/2/07 9:14 PM, "David Morris" <[EMAIL PROTECTED]> wrote:
> As the administrator of several small networks, it is quite simple. By
> re-writing the address, the NAT is a defacto default deny.
A lot of administrators feel that way, and I undersatnd
why (NAT is basically configuration-free, for t
> From: Mark Andrews <[EMAIL PROTECTED]>
> This is the time when everyone should be running dual stack.
So, what lesson(s) ought the IETF to take away from the fact that people
aren't?
Noel
___
Ietf mailing list
Ietf@ietf.org
https://w
> From: SM [mailto:[EMAIL PROTECTED]
> It offers a fall sense of security. A person running a HTTP
> server behind a NAT box usually does port redirection to that
> server. The threat remains.
Arguments about false senses of security are usually wrong. We are adapted for
an environment wher
> From: Ned Freed [mailto:[EMAIL PROTECTED]
> Keith, while I agree with your general point that
> applications have no choice but to be aware of lower layer
> semantics in many if not most cases, this last is not a good
> example of that. There is really no difficulty running SMTP
> or any o
> From: David Conrad [mailto:[EMAIL PROTECTED]
> I am also a bit confused how a "dual stack" transition strategy to
> IPv6 is going to work when the IPv4 address free pool is
> exhausted in a few years without some form of NAT/ALG, but
> maybe that's just me.
Perhaps the idea here is that when
On Jul 3, 2007, at 11:37 AM, Hallam-Baker, Phillip wrote:
From: David Conrad [mailto:[EMAIL PROTECTED]
I am also a bit confused how a "dual stack" transition strategy to
IPv6 is going to work when the IPv4 address free pool is
exhausted in a few years without some form of NAT/ALG, but
maybe
> If the application layer is required to take notice of what is going on at
> the lower levels its because the layering was botched.
>
no, it just means that all lower-level network services weren't designed
to provide exactly the same set of services and semantics to higher
layers.
in the
> This is the time when everyone should be running dual stack.
as I posted before, almost every one of people who attends IETF are
running IPv6-capable operating system. if you are not, you are very
out of date like 5 years.
IPv6 is not enabled just because
> From: Marshall Eubanks <[EMAIL PROTECTED]>
>> Its not going to work that way. All we will end up with is hyper-NAT.
> And a Market in IPv4 addresses, which will certainly develop as IPv4
> exhaustion nears.
This is rather close to a prediction I made some time ago:
Subject:
> as I posted before, almost every one of people who attends IETF are
> running IPv6-capable operating system. if you are not, you are very
> out of date like 5 years.
>
well, even if your OS supports IPv6 doesn't mean that it works well with
things like your host-based firew
Noel Chiappa wrote:
> > From: Mark Andrews <[EMAIL PROTECTED]>
>
> > This is the time when everyone should be running dual stack.
>
> So, what lesson(s) ought the IETF to take away from the fact that people
> aren't?
>
people will nearly always choose a quick fix that adds complexity ove
Re: Domain Centric Administration, RE:
> draft-ietf-v6ops-natpt-to-historic-00.txt
>
>
> On Jul 3, 2007, at 11:37 AM, Hallam-Baker, Phillip wrote:
>
> >> From: David Conrad [mailto:[EMAIL PROTECTED]
> >
> >> I am also a bit confused how a "dual stack&qu
Keith Moore wrote:
>
> word I hear is that Vista's enabling of such technologies is causing
> problems for enterprise networks because their traffic filters and
> intrusion detectors aren't set up to handle them.
It is trivial to filter teredo (knock down udp 3544) and I think you can
rest assured
i will be a bit implite.
>> as I posted before, almost every one of people who attends IETF are
>> running IPv6-capable operating system. if you are not, you are very
>> out of date like 5 years.
>>
>well, even if your OS supports IPv6 doesn't mean that it works well wit
>> well, even if your OS supports IPv6 doesn't mean that it works well with
>> things like your host-based firewall.
>>
>
> if that is true, the company selling that host-based firewall is
> slacking.
>
either that or they're wanting you to pay a lot of money to upgrade to a
n
> From: Jun-ichiro itojun Hagino [mailto:[EMAIL PROTECTED]
> PS: in openbsd community if you do not commit frequently
> enough you will be scolded for being a slacker.
Which is part of where we need to get to.
What I propose is a brand, similar to WiFi that tells a customer, whether home
or e
>> PS: in openbsd community if you do not commit frequently=20
>> enough you will be scolded for being a slacker.
>
>Which is part of where we need to get to.
>
>What I propose is a brand, similar to WiFi that tells a customer, =
>whether home or enterprise that a product:
>
>1) Either
> Will
> so, Apple is not slacking and KAME/*BSD are not too.
for the record, I do not get paid from Apple, just yet :-P
itojun
___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
> i do not have one myself so please verify it by yourself. i have
> used it at meetings (Jun Murai has almost every version of it) as well
> as while i have been war-driving in Tokyo. nice (or bad) thing for the
> latter case was that there was no access control enabled f
On Jul 2, 2007, at 11:06 AM, John C Klensin wrote:
Of course, almost none of the issues above are likely to go away,
or even get better, with IPv6... unless we make some improvements
elsewhere. And none of them make NAT a good idea, just a
"solution" that won't easily go away unless we h
> The initial use of IPv6 in North America will likely involve Teredo
> enabled NATs and Teredo servers. It does not seem NATs will go away
> anytime soon, especially those adding Teredo compliance to ensure
> multi-player games function without router configuration.
Just a point of clarity: Tere
Thus spake "Melinda Shore" <[EMAIL PROTECTED]>
I have a lot more trust in the simplicity of a basic NAT in a
consumer firewall then I do in any firewall which has to
examine each packet for conformance to complex policy
rules.
"Drop all inbound traffic" is complex?
AFAIK, there's exactly one
At 08:37 03-07-2007, Hallam-Baker, Phillip wrote:
Arguments about false senses of security are usually wrong. We are
adapted for an environment where sabre toothed tigers are running
around at night. So our tolerance for insecurity is much higher than
you might think. A sense of security is cre
> > This is the time when everyone should be running dual stack.
>
> So, what lesson(s) ought the IETF to take away from the fact
> that people aren't?
That MPLS with 6PE is a superior migration scenario.
Or perhaps, that defining migration scenarios without the full
involvement of network
Or perhaps, that defining migration scenarios without the full
involvement of network operations people is an exercise in futility.
It would have been, if v6ops had done that.
Brian
___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mail
[EMAIL PROTECTED] wrote:
Or perhaps, that defining migration scenarios without the full
involvement of network operations people is an exercise in futility. In
the business world this kind of work begins by identifying stakeholders,
getting full involvement from stakeholders, and only then doing
--On Wednesday, 04 July, 2007 11:50 +0100 [EMAIL PROTECTED]
wrote:
>> So, what lesson(s) ought the IETF to take away from the fact
>> that people aren't?
>
> That MPLS with 6PE is a superior migration scenario.
> Or perhaps, that defining migration scenarios without the full
> involvement of
John C Klensin wrote:
Maybe we are all deluded and that, as has occasionally been
claimed by some telco-based bodies, datagram networks are only
useful for research and the future, as well as the past, of
"real" networks lies in end-to-end circuits. But I'm not
convinced yet.
I don't think
> > That MPLS with 6PE is a superior migration scenario.
>
> > Or perhaps, that defining migration scenarios without the full
> >involvement of network operations people is an exercise in futility.
> If the lesson we have learned is that the only practical way
> to handle and route IP (whethe
--On Wednesday, 04 July, 2007 15:52 +0100 [EMAIL PROTECTED]
wrote:
>> > That MPLS with 6PE is a superior migration scenario.
>>
>> > Or perhaps, that defining migration scenarios without the
>> > full involvement of network operations people is an
>> > exercise in futility.
>
>> If the less
Micahel,
On 2007-07-04 16:52, [EMAIL PROTECTED] wrote:
That MPLS with 6PE is a superior migration scenario.
Or perhaps, that defining migration scenarios without the full
involvement of network operations people is an exercise in futility.
If the lesson we have learned is that the only prac
> From: Brian E Carpenter [mailto:[EMAIL PROTECTED]
> I don't understand the tone of complaint in the above. The
> IETF *has* put 6PE on the table: RFC 4798 is a Proposed
> Standard. That's where the IETF's role ends - this is one of
> the mechanisms for IPv6 coexistence, among which the marke
62 matches
Mail list logo
