Keith Moore [EMAIL PROTECTED] schrieb/wrote:
the technical solutions exist. what is needed is for more OS vendors
to support v6 (and 6to4 on the host).
What we do need are killer applications. Just imagine what would
happen if Quake IV required IPv6[1]. ;-)
Claus
[1] and came with
Aaron Falk wrote:
I think one can make the case that having border protection may
prevent a DOS attack from consuming interior network resources and
allowing interior hosts to communicate amongst themselves.
And if your interior network resources are less than 10x your external
resource, you
From: Tony Hain [EMAIL PROTECTED]
it may be more convenient to have the border deal with DOS, but is it
*required* as Noel asserted?
First, there's good idea, required, and *required*. It's *required*
that your computer have a test-and-branch instruction to be a Turing machine.
On Thursday, March 21, 2002, at 06:15 PM, [EMAIL PROTECTED] wrote:
Of course, there is the possibility that if they were totally honest,
and marketed their devices as Enabling appliances for selected Internet
services that they'd STILL make money (and then you'd have no one to
blame).
Please
See the problem? Lots of That is not the problem, THIS is the REAL
problem and all too few doable solutions.
Throwing rocks is easy. Catching them is harder.
--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
[EMAIL PROTECTED]
To: Harald Koch [EMAIL PROTECTED]
Cc: Keith Moore [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, March 19, 2002 9:10 PM
Subject: Re: Netmeeting - NAT issue
I think you missed the important point. It's not the NAT vendors, it's
the ISPs.
I'll grant that ISPs have something
From: Peter Deutsch [EMAIL PROTECTED]
And if your objection to NATs ended there, I wouldn't have a problem
with it. But instead of then working to change the protocols that break
with NATs, you continue to insist, Canute-like, that you can turn back
the tides and move the world back to a
On Wed, Mar 20, 2002 at 08:23:15AM -0800, Tony Hain wrote:
My question was directed at Noel's assertion that security requires a
site border router as the implementation. Just because that may be
cheaper than fixing all the current hosts, wouldn't we be better off in
the long run if all
Ok, I have to say something.
I agree that NATs are evil, and *should* not exist. But, since ISP's
currently charge tons of money for more than one IP address, they always
*will* exist.
Maybe IPv6 will fix all that . . . . we can only pray . . .
--
David Frascone
Reality is for those
On Mon, 18 Mar 2002 21:00:22 PST, Peter Ford [EMAIL PROTECTED] said:
I would love to see the complete solution to signaling all the potential
blocking intermediate hops in the network that specific traffic should
pass.
I would love to see the complete *SECURE* solution to signaling all the
On Tue, 19 Mar 2002 08:40:02 CST, David Frascone said:
I agree that NATs are evil, and *should* not exist. But, since ISP's
currently charge tons of money for more than one IP address, they always
*will* exist.
Bad logic. They won't always will. They will as long as ISPs have the
current
OK, but that does not solve the problem where the NATs are mostly deployed
-- home and SOHO -- until all internet servers of interest to those users
speak IPv6. Can be upgraded to do so is great if you control the server,
but these users don't. So Yahoo, Google, etc can be persuaded to
in a just world, the NAT vendors would all be sued out of existence for
the harm they've done to the Internet. in the real world, if you can
hire a famous personality to advertise your product on TV, then by
definition it must work well.
The last time I was this
OK, but that does not solve the problem where the NATs are mostly deployed
-- home and SOHO -- until all internet servers of interest to those users
speak IPv6. Can be upgraded to do so is great if you control the server,
but these users don't.
true enough. fortunately, NAT doesn't
everyone--
I know this is a frequent source of heated discussion, and that much has
already been said that doesn't need to be repeated here, but I *just*
*can't* *let* *this* *go* unchallenged.
-
On Tuesday, March 19, 2002, at 08:26 AM, Keith Moore wrote:
[...]
in a just world, the NAT
The first thing I would suggest is to sit back and contemplate whether
the situation bears any resemblance to other problems in which the user
population engages in behavior that results in short-term personal
benefit in exchange for long-term harm to the welfare of society.
granted there
Keith,
In a just world, people freely purchase the things they want and believe
solve a real world problem for them.
The Internet has grown at an incredible rate and I suspect in large part
due to NATs. I wonder if the Internet would sue the NAT vendors, or
thank them for establishing a
Of all the gin joints in all the towns in all the world, Keith Moore
had to walk into mine and say:
granted there are numerous instances of this. but it seems disingenuous
to blame the NAT problem on users when the NAT vendors are doing their
best to mislead users about the harm that NAT
On Tuesday, March 19, 2002, at 01:10 PM, Keith Moore wrote:
[I wrote:]
The first thing I would suggest is to sit back and contemplate whether
the situation bears any resemblance to other problems in which the user
population engages in behavior that results in short-term personal
benefit in
From: Keith Moore [EMAIL PROTECTED]
it seems disingenuous to blame the NAT problem on users when the NAT
vendors are doing their best to mislead users about the harm that NAT
does.
Oh, piffle. NAT's don't harm the Internet, any more than a host of other
things: invisible Web
I think you missed the important point. It's not the NAT vendors, it's
the ISPs.
I'll grant that ISPs have something to do with it. But there is a
shortage of IPv4 addresses, so it's not as if anybody can have as
many as they want. And it's not the fact that people are selling
NAT that I
Noel Chiappa wrote:
...
security alone demands that we be able to
move some functionality to a site border router, or some
such.
Why does security demand an external border? Is that based on the
assumption that the host is too stupid to protect itself? If it is based
on having an app
Oh, piffle. NAT's don't harm the Internet, any more than a host of other
things:
the fact that other things do harm doesn't mean that NATs don't also
do harm, or that the harm done by NAT is somehow lessened or excused.
and IMHO most of the other things you mentioned do less harm than NATs,
Keith;
I think you missed the important point. It's not the NAT vendors, it's
the ISPs.
I'll grant that ISPs have something to do with it. But there is a
shortage of IPv4 addresses, so it's not as if anybody can have as
many as they want.
Wrong.
There actually is no shortage of IPv4
On Tue, 19 Mar 2002 19:01:14 PST, Tony Hain [EMAIL PROTECTED] said:
Why does security demand an external border? Is that based on the
assumption that the host is too stupid to protect itself? If it is based
Yes.
The host may be too stupid to protect itself - read Bugtraq or other similar
Microsoft has recently addressed the NAT traversal issue for multimedia
scenarios by shipping Messenger in Windows XP and it uses universal plug
and play protocols (www.upnp.org) to open holes on upnp capable internet
gateways. There are many vendors building upnp capable NATs in 2002.
Sent: Monday, March 18, 2002 7:14 AM
To: Andrew McGregor
Cc: [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue
Microsoft has recently addressed the NAT traversal issue for
multimedia
scenarios by shipping Messenger in Windows XP and it uses universal
plug
and play protocols (www.upnp.org
Message-
From: Joe Touch [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 8:08 AM
To: Peter Ford
Cc: Andrew McGregor; Vivek Gupta; [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue
Peter Ford wrote:
If one really believes in end to end architectures, then one probably
would want
The protocols explicitly probe the first hop router on the network for
upnp capabilities. In their model of a home gateway/LAN there is no
internal routing, the world is bridged, so the signaling should not
damage routing transparency.
But just imposing that model removes transparency. Maybe I
Ahh, it doesn't have to damage routing transparency. If we were to use
a signaling protocol that is carefully crafted to preserve routing
transparency (e.g. RSVP) then we can avoid this issue.
That's what I'm working on, but midcom and upnp as they're
currently defined most certainly do have
-Original Message-
From: Melinda Shore [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 2:18 PM
To: Peter Ford
Cc: [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue
Ahh, it doesn't have to damage routing transparency. If we were to
use
a signaling protocol that is carefully
I would love to see the complete solution to signaling all the potential
blocking intermediate hops in the network that specific traffic should
pass.
Regards, peter
Or, get a NAT which *does* connection-track H.323. They do exist,
open-source and not, and work just fine.
Better, get a proper H.323 gateway (which will work behind an H.323 aware
NAT if done properly) so people can call in as well as out.
However, NAT is still brokenness. (and so is H.323)
: Re: Netmeeting - NAT issue
Or, get a NAT which *does* connection-track H.323. They do exist,
open-source and not, and work just fine.
Better, get a proper H.323 gateway (which will work behind an H.323
aware
NAT if done properly) so people can call in as well as out.
However, NAT is still
to be hard to secure, but I guess that's what makes it
interesting.
Regards, peter
-Original Message-
From: Andrew McGregor [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 17, 2002 5:34 PM
To: Joe Touch; Vivek Gupta
Cc: [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue
Net meeting by Microsoft is not supported by NAT. This is the major
problem
you may not have noticed that
o there is no ietf standards track document for net meeting
o there is no ietf standards track document for nat
hence no one here is surprised. caveat emptor.
we design and
Net meeting by Microsoft is not supported by NAT. This is the major
problem
NATs violate many of the assumptions of the Internet Protocol. It's
unrealistic to expect many kinds of IP applications to work in the
presence of NATs, unless they were specifically designed to do so.
And
Hi Vivek:
I am behind a
firewall, as Help-desk Mgr. we had to find some answers for our customers
regarding the issues you ask. I am SURE the problem is with netmeeting and other
MS communications software. Try the following links:
http://messenger.msn.com/support/knownissues.asp
38 matches