Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Mark Smith
On Wed, 21 Apr 2010 14:24:37 -0400
William Herrin b...@herrin.us wrote:

 On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer ka...@biplane.com.au wrote:
  On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
  On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
   NAT _always_ fails-closed
  Stateful Inspection can be implemented fail-closed.
 
  Not to take issue with either statement in particular, but I think there
  needs to be some consideration of what fail means.
 
 Fail means that an inexperienced admin drops a router in place of the
 firewall to work around a priority problem while the senior engineer
 is on vacation. With NAT protecting unroutable addresses, that failure
 mode fails closed.
 

Fail is expecting a low level staff member, who doesn't know better, to
substitute for a senior one, who does. Would you also let a
helpdesk teamleader (low level, relatively inexperienced management
position) take over the CEO's job if the CEO was available and there was
a business crisis? A medical student take over from a doctor in an
emergency ward?




 Regards,
 Bill Herrin
 
 
 
 -- 
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
 



Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread isabel dias
CEO position - Did you know:…
 The majority of S&P 500 CEOs are in their 50s
 29% of S&P 500 CEOs have an advanced degree other than an MBA
 CEOs in the S&P 401-500 group are more likely to have a shorter tenure with
 his or her company than other S&P 500 CEOs
 60% of S&P 500 CEOs have been in office less than six years
 CEOs of the top 100 S&P 500 companies are more likely than the rest of the
 S&P 500 CEOs to have been with the same company throughout their entire career


Operation Director -
some say that age wouldn't  be that important, though maturity might. How would 
they feel 
about being given this much power? What kinds of goals should they have in mind 
if they get the job? Don't forget that the person over 30 may be just as new to 
IT as a fresh college graduate.

more ... and more ... you just won't believe how this is smashing your hearts
to pieces ...

CAREER HISTORY 1996-2000: Graduate trainee rising to marketing manager



Are you sure you don't need a network technician to do the job?

Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread William Herrin
On Thu, Apr 29, 2010 at 11:24 AM, Mark Smith
na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org wrote:
 On Wed, 21 Apr 2010 14:24:37 -0400
 William Herrin b...@herrin.us wrote:
 Fail means that an inexperienced admin drops a router in place of the
 firewall to work around a priority problem while the senior engineer
 is on vacation. With NAT protecting unroutable addresses, that failure
 mode fails closed.

 Fail is expecting a low level staff member, who doesn't know better, to
 substitute for a senior one, who does.

Funny thing about junior staff... Their reach is often longer than
their grasp. Someone has to have the keys when the senior guy is
away... Even if they don't always have the good judgment to know what
they can safely do with them. As the senior guy, I'd rather find out
about the mistake when the panicked junior calls me on the cell phone
because he crashed the network, not when I get back and find the
company jewels have been stolen.

NAT protecting unroutable addresses gives me a better chance that
junior's mistake only causes a network outage.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004

Re: Rate of growth on IPv6 not fast enough?

2010-04-29 Thread Valdis . Kletnieks
On Thu, 29 Apr 2010 15:58:24 -1000, William Herrin said:

 Funny thing about junior staff... Their reach is often longer than
 their grasp. Someone has to have the keys when the senior guy is
 away...

Isn't that the defense that Terry Childs used? :)

(Sorry, couldn't resist. :)




Re: Rate of growth on IPv6 not fast enough?

2010-04-25 Thread Stefan Bethke
On 25.04.2010 at 03:29, Mark Smith wrote:

 If obscurity is such an effective measure why are zebras also able to
 run fast and kick hard?

Because the stripes hide them from the flies, not the lions.  
http://en.wikipedia.org/wiki/Zebra#cite_note-5

-- 
Stefan Bethke s...@lassitu.de   Fon +49 151 14070811

Re: Rate of growth on IPv6 not fast enough?

2010-04-24 Thread Joel Jaeggli


On 04/22/2010 08:25 AM, Marshall Eubanks wrote:
 
 On Apr 22, 2010, at 11:04 AM, John Lightfoot wrote:
 
 That's Hedley.

 
 I believe that he is talking about Hedy Lamarr, the co-inventor of
 frequency hopping spread spectrum.

The patent which bears her and George Antheil's name is by no means (and
about 30 years) the earliest example of this technology.

 Regards
 Marshall
 
 -Original Message-
 From: bmann...@vacation.karoshi.com
 [mailto:bmann...@vacation.karoshi.com]
 Sent: Thursday, April 22, 2010 10:34 AM
 To: Simon Perreault
 Cc: nanog@nanog.org
 Subject: Re: Rate of growth on IPv6 not fast enough?

 On Thu, Apr 22, 2010 at 08:34:20AM -0400, Simon Perreault wrote:
 On 2010-04-22 07:18, William Herrin wrote:
 On the other hand, I could swear I've seen a draft where the PC picks
 up random unused addresses in the lower 64 for each new outbound
 connection for anonymity purposes.

 That's probably RFC 4941. It's available in pretty much all operating
 systems. I don't think there's any IPR issue to be afraid of.

 not RFC4941... think abt applying Hedy Lamarr's
 patents on spread-spectrum to source address selection.

 --bill

Re: Rate of growth on IPv6 not fast enough?

2010-04-24 Thread Larry Sheldon
On 4/24/2010 14:07, Joel Jaeggli wrote:

 The patent which bears her and George Antheil's name is by no means (and
 about 30 years) the earliest example of this technology.

Few patents are.  I can't think of a one, but I suppose there must be
one containing no prior art at all.

Does a movie star of the startlingly attractive persuasion being an
accomplished engineer bother you?
-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml

Re: Rate of growth on IPv6 not fast enough?

2010-04-24 Thread Joel Jaeggli


On 04/22/2010 10:18 PM, Matthew Kaufman wrote:
 Owen DeLong wrote:
 On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:

  

 On 4/22/2010 05:34, Simon Perreault wrote:

 On 2010-04-22 07:18, William Herrin wrote:
  
 On the other hand, I could swear I've seen a draft where the PC
 picks up random unused addresses in the lower 64 for each new
 outbound connection for anonymity purposes.
 
 That's probably RFC 4941. It's available in pretty much all
 operating systems. I don't think there's any IPR issue to be afraid
 of.

 Simon
   
 I think this is different.  They're talking about using a new IPv6 for
 each connection.  RFC4941 just changes it over time IIRC.  IMHO that's
 still pretty good privacy, at least on par with a NATed IPv4 from the
 outside perspective, especially if you rotated through temporary IPv6s
 fairly frequently.
 

 4941 specified changing over time as one possibility.  It does allow
 for per flow or any other host based determination of when it needs a new
 address.

 Owen


   
 But none of this does what NAT does for a big enterprise, which is to
 *hide internal topology*. Yes, addressing the privacy concerns that come
 from using lower-64-bits-derived-from-MAC-address is required, but it is
 also necessary (for some organizations) to make it impossible to tell
 that this host is on the same subnet as that other host, as that would
 expose information like which host you might want to attack in order to
 get access to the financial or medical records, as well as whether or
 not the executive floor is where these interesting website hits came from.

Does your NAT box reset or non-deterministically rewrite the TTL on the
outgoing packet?

ALGs are dramatically better topology hiding devices...

 Matthew Kaufman
 



Re: Rate of growth on IPv6 not fast enough?

2010-04-24 Thread Mark Smith
On Thu, 22 Apr 2010 22:18:56 -0700
Matthew Kaufman matt...@matthew.at wrote:

 Owen DeLong wrote:
  On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:
 

 
  On 4/22/2010 05:34, Simon Perreault wrote:
  
  On 2010-04-22 07:18, William Herrin wrote:

  On the other hand, I could swear I've seen a draft where the PC
  picks up random unused addresses in the lower 64 for each new
  outbound connection for anonymity purposes.
  
  That's probably RFC 4941. It's available in pretty much all
  operating systems. I don't think there's any IPR issue to be afraid
  of.
 
  Simon

  I think this is different.  They're talking about using a new IPv6 for
  each connection.  RFC4941 just changes it over time IIRC.  IMHO that's
  still pretty good privacy, at least on par with a NATed IPv4 from the
  outside perspective, especially if you rotated through temporary IPv6s
  fairly frequently.
  
 
  4941 specified changing over time as one possibility.  It does allow
  for per flow or any other host based determination of when it needs a new
  address.
 
  Owen
 
 

 But none of this does what NAT does for a big enterprise, which is to 
 *hide internal topology*.
 Yes, addressing the privacy concerns that come 
 from using lower-64-bits-derived-from-MAC-address is required, but it is 
 also necessary (for some organizations) to make it impossible to tell 
 that this host is on the same subnet as that other host, as that would 
 expose information like which host you might want to attack in order to 
 get access to the financial or medical records, as well as whether or 
 not the executive floor is where these interesting website hits came from.
 

Are you saying that hiding network topology is going to be your only
security measure to protect these systems? Yikes!

How about 

(a) having them authenticate people who try to use them
(b) have those people use two factor authentication
(c) not co-locating them on the same subnet (with a /48 you could give
many of your vital hosts their own individual subnet) i.e.
fundamentally, don't use subnets as a security domain boundary
(d) not setting reverse DNS names that give away what the hosts are for
(e) not providing them with globally routable addresses in the first
place

Obscurity is a cheap and easy first level defence in depth measure.
However it'll only fool the stupid and mostly uninterested attacker.
Any attacker who's determined will easily bypass this obscurity, via
malware, key sniffers, guessable passwords, black bag jobs, threats of
violence and bribery.

If obscurity is such an effective measure why are zebras also able to
run fast and kick hard?



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Clue Store
 But none of this does what NAT does for a big enterprise, which is
 to *hide internal topology*. Yes, addressing the privacy concerns
 that come from using lower-64-bits-derived-from-MAC-address is
 required, but it is also necessary (for some organizations) to
 make it impossible to tell that this host is on the same subnet as
 that other host, as that would expose information like which host
 you might want to attack in order to get access to the financial
 or medical records, as well as whether or not the executive floor
 is where these interesting website hits came from.

 Matthew Kaufman

 Yeh that information leak is one reason I can think of for supporting
 NAT for IPv6.  One of the inherent security issues with unique
 addresses I suppose.
<flame-suit-on>

What makes you think that not using NAT exposes internal topology?? I have
many cases where either filtering at layer-2 or NAT'ing a /48 for itself (or
proxy-arp for those that do not have kits that can NAT IP blocks as itself)
does NOT expose internal topology. Get your filtering correctly setup, and
there is no use for NAT/PAT in v6.

NAT was designed with one purpose in mind... extending the life of v4...
period! The so called security that most think NAT gives them is a side
effect. NAT/PAT also breaks several protocols (PASV FTP, H.323, etc) and I
for one will be happy to see it go. I think it's a mistake to include NAT in
v6 because there are other methodologies of accomplishing all of the side
effects that everyone is used to seeing NAT provide without having to
actually translate IP's or ports.

I for one (as well as a lot of other folks I know) am not/will not be using
any kind of NAT moving forward.

</flame-suit-on>


Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Jack Bates

Matthew Kaufman wrote:
But none of this does what NAT does for a big enterprise, which is to 
*hide internal topology*. Yes, addressing the privacy concerns that come 
from using lower-64-bits-derived-from-MAC-address is required, but it is 
also necessary (for some organizations) to make it impossible to tell 
that this host is on the same subnet as that other host, as that would 
expose information like which host you might want to attack in order to 
get access to the financial or medical records, as well as whether or 
not the executive floor is where these interesting website hits came from.

Which is why some firewalls already support NAT for IPv6 in some form or 
fashion. These same firewalls will also usually have layer 7 
proxy/filtering support as well. The concerns and breakage of a 
corporate network are extreme compared to non-corporate networks.



Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Jim Burwell
 
On 4/23/2010 06:17, Clue Store wrote:


 But none of this does what NAT does for a big enterprise, which
 is to *hide internal topology*. Yes, addressing the privacy
 concerns that come from using
 lower-64-bits-derived-from-MAC-address is required, but it is
 also necessary (for some organizations) to make it impossible to
 tell that this host is on the same subnet as that other host, as
 that would expose information like which host you might want to
 attack in order to get access to the financial or medical
 records, as well as whether or not the executive floor is where
 these interesting website hits came from.

 Matthew Kaufman

 Yeh that information leak is one reason I can think of for
 supporting NAT for IPv6.  One of the inherent security issues
 with unique addresses I suppose.

 <flame-suit-on>

 What makes you think that not using NAT exposes internal
 topology?? I have many cases where either filtering at layer-2 or
 NAT'ing a /48 for itself (or proxy-arp for those that do not have
 kits that can NAT IP blocks as itself) does NOT expose internal
 topology. Get your filtering correctly setup, and there is no use
 for NAT/PAT in v6.

 NAT was designed with one purpose in mind... extending the
 life of v4... period! The so called security that most think NAT
 gives them is a side effect. NAT/PAT also breaks several protocols
 (PASV FTP, H.323, etc) and I for one will be happy to see it go. I
 think it's a mistake to include NAT in v6 because there are other
 methodologies of accomplishing all of the side effects that
 everyone is used to seeing NAT provide without having to actually
 translate IP's or ports.

 I for one (as well as a lot of other folks I know) am not/will not
 be using any kind of NAT moving forward.

 </flame-suit-on>
I'm not really advocating NAT for v6.  I'm just saying it's one valid
security issue with using any sort of globally unique IP address (v4
or v6), in that analyzing a bunch of traffic from a particular
netblock would allow one to build a topology map.  It's easier with
IPv6 since you can presume most if not all addresses are on  /64s out
of a /48 (so look to the fourth quad for the subnet ID).

Obviously if someone is super concerned with revealing this sort of
info there are other things besides NAT they can do, such as using a
proxy server(s) for various internet applications, transparent
proxies, etc.  But it is a valid security concern for some.

Also, is that your real name?  ;-)


Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Clue Store

  I'm just saying it's one valid
  security issue with using any sort of globally unique IP address (v4
  or v6), in that analyzing a bunch of traffic from a particular
  netblock would allow one to build a topology map.  It's easier with
  IPv6 since you can presume most if not all addresses are on  /64s out
  of a /48 (so look to the fourth quad for the subnet ID).

 I understand and totally agree.

  Obviously if someone is super concerned with revealing this sort of
  info there are other things besides NAT they can do, such as using a
  proxy server(s) for various internet applications, transparent
  proxies, etc.  But it is a valid security concern for some.

 Could not agree more which is why I stated that there are other ways of
 accomplishing the hiding of internal topology using other methodologies.
 NAT/PAT has caused me many headaches which is why I am so opposed to using
 it.



  Also, is that your real name?  ;-)

No, but this list is great for buying and selling clue. In today's market,
clue is equivalent to gold. :)


Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Owen DeLong

On Apr 23, 2010, at 6:17 AM, Jack Bates wrote:

 Matthew Kaufman wrote:
 But none of this does what NAT does for a big enterprise, which is to *hide 
 internal topology*. Yes, addressing the privacy concerns that come from 
 using lower-64-bits-derived-from-MAC-address is required, but it is also 
 necessary (for some organizations) to make it impossible to tell that this 
 host is on the same subnet as that other host, as that would expose 
 information like which host you might want to attack in order to get access 
 to the financial or medical records, as well as whether or not the executive 
 floor is where these interesting website hits came from.
 
 Which is why some firewalls already support NAT for IPv6 in some form or 
 fashion. These same firewalls will also usually have layer 7 proxy/filtering 
 support as well. The concerns and breakage of a corporate network are extreme 
 compared to non-corporate networks.
 
 
 Jack

That is sad news, indeed. Hopefully it won't lead to NAT-T becoming a common 
part of software as the ISVs catch on to IPv6.

Owen

Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Marshall Eubanks


On Apr 23, 2010, at 9:17 AM, Clue Store wrote:


But none of this does what NAT does for a big enterprise, which is
to *hide internal topology*. Yes, addressing the privacy concerns
that come from using lower-64-bits-derived-from-MAC-address is
required, but it is also necessary (for some organizations) to
make it impossible to tell that this host is on the same subnet as
that other host, as that would expose information like which host
you might want to attack in order to get access to the financial
or medical records, as well as whether or not the executive floor
is where these interesting website hits came from.

Matthew Kaufman



Yeh that information leak is one reason I can think of for supporting
NAT for IPv6.  One of the inherent security issues with unique
addresses I suppose.

<flame-suit-on>

What makes you think that not using NAT exposes internal topology??


Or that internal topology cannot leak out through NATs? I have seen
NATed enterprises become massively compromised.

Regards
Marshall



I have many cases where either filtering at layer-2 or NAT'ing a /48 for
itself (or proxy-arp for those that do not have kits that can NAT IP
blocks as itself) does NOT expose internal topology. Get your filtering
correctly setup, and there is no use for NAT/PAT in v6.

NAT was designed with one purpose in mind... extending the life of v4...
period! The so called security that most think NAT gives them is a side
effect. NAT/PAT also breaks several protocols (PASV FTP, H.323, etc) and I
for one will be happy to see it go. I think it's a mistake to include NAT
in v6 because there are other methodologies of accomplishing all of the
side effects that everyone is used to seeing NAT provide without having to
actually translate IP's or ports.

I for one (as well as a lot of other folks I know) am not/will not be
using any kind of NAT moving forward.

</flame-suit-on>


Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Joe Greco
  What makes you think that not using NAT exposes internal topology??
 
 Or that internal topology cannot leak out through NATs? I have seen
 NATed enterprises become massively compromised.

NAT allows people to become far too lazy.  Your typical NAT allows
connections outbound, typically configured without any audit trail,
etc., so once a bad guy is inside the secure NAT firewall, they're
free to connect out to the 'net.

In comparison, an actual real firewall can prohibit {most, all}
outbound access and force the use of proxies.  Proxies can provide
logging, content scanning, etc., services.

Many times, those who argue in favor of NAT as a firewall are the
same ones who seem to actually be relying on the NAT as inbound
protection, but who aren't really doing anything to control their
outbound traffic, or IDS, etc.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Mark Smith
On Thu, 22 Apr 2010 07:18:18 -0400
William Herrin b...@herrin.us wrote:

 On Wed, Apr 21, 2010 at 11:31 PM, Owen DeLong o...@delong.com wrote:
  On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:
  William Herrin wrote:
  Not to take issue with either statement in particular, but I think there
  needs to be some consideration of what fail means.
 
  Fail means that an inexperienced admin drops a router in place of the
  firewall to work around a priority problem while the senior engineer
  is on vacation. With NAT protecting unroutable addresses, that failure
  mode fails closed.
 
  In addition to fail-closed NAT also means:
 
   * search engines and and connectivity providers cannot (easily)
   differentiate and/or monitor your internal hosts, and
 
  Right, because nobody has figured out Javascript and Cookies.
 
 Having worked for comScore, I can tell you that having a fixed address
 in the lower 64 bits would make their jobs oh so much easier. Cookies
 and javascript are of very limited utility.
 
 On the other hand, I could swear I've seen a draft where the PC picks
 up random unused addresses in the lower 64 for each new outbound
 connection for anonymity purposes. Even if there is no such draft, it
 wouldn't exactly be hard to implement. It won't take NAT to anonymize
 the PCs on a LAN with IPv6.
 

Might be this -

"Transient addressing for related processes: Improved firewalling by
using IPv6 and multiple addresses per host" by Peter M. Gleitz and
Steven M. Bellovin (i.e. the Steven Bellovin who shows up on this
list quite often)

http://www.cs.columbia.edu/~smb/papers/tarp.pdf

 
   * multiple routes do not have to be announced or otherwise accommodated
   by internal re-addressing.
 
  I fail to see how NAT even affects this in a properly structured network.
 
 That's your failure, not Roger's. As delivered, IPv6 is capable of
 dynamically assigning addresses from multiple subnets to a PC, but
 that's where the support for multiple-PA multihoming stops. PCs don't
 do so well at using more than one of those addresses at a time for
 outbound connections. As a number of vendors have done with IPv4, an
 IPv6 NAT box at the network border can spread outbound connections
 between multiply addressed upstream links.
 
 
 On Thu, Apr 22, 2010 at 2:10 AM, Franck Martin fra...@genius.com wrote:
  http://www.ipinc.net/IPv4.GIF
  The energy that people are willing to spend to fix it (NAT, LSN),
  rather than bite the bullet is amazing.
 
 A friend of mine drives a 1976 Cadillac El Dorado. I asked him why
 once. He explained that even at 8 miles to the gallon and even after
 having to find 1970's parts for it, he can't get anything close to as
 luxurious a car from the more modern offerings at anything close to
 the comparatively small amount of money he spends.
 
 The thing has plush leather seats that feel like sinking in to a comfy
 couch and an engine with more horsepower than my mustang gt. It isn't
 hard to see his point.
 
 Regards,
 Bill Herrin
 
 -- 
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
 



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Mark Smith
On Thu, 22 Apr 2010 10:25:43 -0500
Larry Sheldon larryshel...@cox.net wrote:

 On 4/22/2010 10:17, Charles Mills wrote:
  I think he was actually quoting the movie.  They always called Harvey
  Korman's character Hedy and he'd always correct them with That's
  Hedley in a most disapproving tone.
 
 Oh.
 
 The only thing I watch less-of than TV is movies.
 
 Say, did they ever make a sequel to Crocodile Dundee?
 -- 

Yep. Every Australian has probably seen that too.

http://www.imdb.com/title/tt0092493/

(you have no idea how big our butter knives are these days, all because
of that movie)

 Somebody should have said:
 A democracy is two wolves and a lamb voting on what to have for dinner.
 
 Freedom under a constitutional republic is a well armed lamb contesting
 the vote.
 
 Requiescas in pace o email
 Ex turpi causa non oritur actio
 Eppure si rinfresca
 
 ICBM Targeting Information:  http://tinyurl.com/4sqczs
 http://tinyurl.com/7tp8ml
 
   
 



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Mark Smith
On Thu, 22 Apr 2010 18:10:10 +1200 (MAGST)
Franck Martin fra...@genius.com wrote:

 The whole thread made me think about this:
 
 http://www.ipinc.net/IPv4.GIF
 
 The energy that people are willing to spend to fix it (NAT, LSN), rather than 
 bite the bullet is amazing.
 

Probably and sadly, they don't remember the Internet before NAT. I
think Brantley Coile has somewhat redeemed himself by inventing ATA over
Ethernet.

http://www.coraid.com/COMPANY/Management

Also, sadly, even though I'm a strong IPv6 advocate, I think a period
of LSN/GCN is inevitable. There's now not enough time to properly
convert from IPv4 to IPv6, and, also sadly, Jon Postel isn't around
anymore to make subtle and veiled threats of loss of connectivity ..


(http://www.rfc-editor.org/in-notes/museum/tcp-ip-digest/tcp-ip-digest.v1n6.1)
--

From: POSTEL at USC-ISIF
Subject: Disabling NCPs

There has been some talk of forcing the move to TCP by various 
administrative and policy measures.  There was also a claim that
there was no technical way to force the abandonment of NCP.  It
should be pointed out that a quite simple modification to the IMP
program would enable the IMPs to filter out and discard all NCP
traffic.  As far as I know, there has been no decision to do this,
but you should be aware that it is technically feasible.

--jon.

--



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Matthew Kaufman

Jack Bates wrote:

Matthew Kaufman wrote:
But none of this does what NAT does for a big enterprise, which is to 
*hide internal topology*. Yes, addressing the privacy concerns that 
come from using lower-64-bits-derived-from-MAC-address is required, 
but it is also necessary (for some organizations) to make it 
impossible to tell that this host is on the same subnet as that other 
host, as that would expose information like which host you might want 
to attack in order to get access to the financial or medical records, 
as well as whether or not the executive floor is where these 
interesting website hits came from.

Which is why some firewalls already support NAT for IPv6 in some form 
or fashion. These same firewalls will also usually have layer 7 
proxy/filtering support as well. The concerns and breakage of a 
corporate network are extreme compared to non-corporate networks.
Agreed on the last point. And I'm following up mostly because I've
received quite a few private messages that resulted from folks
interpreting "hide internal topology" as "block access to internal
topology" (which can be done with filters). What I mean when I say "hide
internal topology" is that a passive observer on the outside, looking at
something like web server access logs, cannot tell how many subnets are
inside the corporation or which accesses come from which subnets. (And
preferably, cannot tell whether or not two different accesses came from
the same host or different hosts simply by examining the IP addresses...
but yes, application-level cooperation -- in the form of a browser which
keeps cookies, as an example -- can again expose that type of information)



Matthew Kaufman
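
Jim Burwell's inference earlier in the thread (in a /48 carved into /64s, the fourth hextet is the subnet ID, so a batch of outbound traffic yields a subnet map) and Matthew Kaufman's passive-observer test above (can the outside tell from web server access logs how many subnets are inside?) can be measured against your own logs. The following is an added example, not code from the thread; the /48 prefix, the access-log lines and the egress address are constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed enterprise allocation for this example: one /48, /64 subnets.
ENTERPRISE_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")

# Constructed access-log lines (combined-log style). Internal hosts use
# RFC 4941 temporary addresses (random interface IDs), so the low 64 bits
# say nothing about the host, but the fourth hextet is still the subnet ID.
SAMPLE_LOG = """\
2001:db8:1234:10:3c6e:9f1a:77b2:0c41 - - [23/Apr/2010:09:12:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1234:10:8a21:e5d0:1f9c:b7e3 - - [23/Apr/2010:09:12:07 +0000] "GET /about HTTP/1.1" 200 1402
2001:db8:1234:20:45a0:c3b1:9e72:18d6 - - [23/Apr/2010:09:13:44 +0000] "GET /pricing HTTP/1.1" 200 2210
2001:db8:1234:ff01:2a9e:5d14:b0c7:6e88 - - [23/Apr/2010:09:15:02 +0000] "GET /investors HTTP/1.1" 200 980
2001:db8:1234:ff01:6b3d:0a97:44e1:c2f0 - - [23/Apr/2010:09:15:09 +0000] "GET /investors/q1 HTTP/1.1" 200 3310
2001:db8:1234:20:45a0:c3b1:9e72:18d6 - - [23/Apr/2010:09:16:31 +0000] "GET /pricing/enterprise HTTP/1.1" 200 1875
2001:db8:9999:5:1:2:3:4 - - [23/Apr/2010:09:17:00 +0000] "GET / HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Yield (source address, request line) for each well-formed IPv6 entry."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        if src.version == 6:
            yield src, m.group("req")


def subnet_of(addr, plen=64):
    """The /plen containing addr; for a /48 allocation the /64 is the fourth hextet."""
    return ipaddress.IPv6Network((int(addr), plen), strict=False)


def observable_topology(text, prefix=ENTERPRISE_PREFIX):
    """What a passive outside observer learns about `prefix` from this log:
    the distinct /64s seen, each with the (source, request) pairs from it.
    Sources outside `prefix` are ignored."""
    by_subnet = defaultdict(list)
    for src, req in parse_log(text):
        if src in prefix:
            by_subnet[subnet_of(src)].append((src, req))
    return dict(by_subnet)


def summarize(topology, prefix=ENTERPRISE_PREFIX):
    """Map subnet ID (the 16 bits after the /48) -> (distinct addresses, requests).
    The address count is only an upper bound on hosts: with temporary addresses
    one host shows up under several interface IDs over time."""
    out = {}
    for net, hits in topology.items():
        sid = (int(net.network_address) - int(prefix.network_address)) >> 64
        out[sid] = (len({src for src, _ in hits}), len(hits))
    return out


def single_egress_view(text, egress, prefix=ENTERPRISE_PREFIX):
    """Rewrite every internal source to one egress address, which is what a
    proxy or a translating border presents to the outside, and re-run the
    analysis: the subnet structure collapses to a single entry."""
    egress = ipaddress.ip_address(egress)
    rewritten = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            try:
                if ipaddress.ip_address(m.group("src")) in prefix:
                    line = str(egress) + line[len(m.group("src")):]
            except ValueError:
                pass
        rewritten.append(line)
    return observable_topology("\n".join(rewritten), prefix)


if __name__ == "__main__":
    for sid, (addrs, reqs) in sorted(summarize(observable_topology(SAMPLE_LOG)).items()):
        print(f"subnet ID {sid:#06x}: {addrs} address(es), {reqs} request(s)")
    print("behind one egress:", summarize(single_egress_view(SAMPLE_LOG, "2001:db8:1234:1::1")))
```

Run against real logs, the per-subnet request mix (which paths each subnet fetches) is what lets an observer label subnets the way the thread describes; the single-egress view is the baseline a proxy or translating border would present.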



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Matthew Kaufman

And to further clarify, I don't think hide internal topology is 
actually something that needs to happen (and can show several ways in 
which it can be completely violated, including using the browser and/or 
browser plugins to extract the internal addresses and send them to a 
server somewhere which can map it all out). But it *is* present as a 
mandatory checklist item on at least one HIPAA and two SOX audit 
checklists I've seen... and IT departments in major corporations care 
much more these days about getting a clean SOX audit than they do about 
providing connectivity... and given how each affects the stock price, 
that's not surprising.


Matthew Kaufman



Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Owen DeLong

On Apr 23, 2010, at 10:34 AM, Matthew Kaufman wrote:

 Matthew Kaufman wrote:
 Jack Bates wrote:
 Matthew Kaufman wrote:
 But none of this does what NAT does for a big enterprise, which is to 
 *hide internal topology*. Yes, addressing the privacy concerns that come 
 from using lower-64-bits-derived-from-MAC-address is required, but it is 
 also necessary (for some organizations) to make it impossible to tell that 
 this host is on the same subnet as that other host, as that would expose 
 information like which host you might want to attack in order to get 
 access to the financial or medical records, as well as whether or not the 
 executive floor is where these interesting website hits came from.
 
 
 Which is why some firewalls already support NAT for IPv6 in some form or 
 fashion. These same firewalls will also usually have layer 7 
 proxy/filtering support as well. The concerns and breakage of a corporate 
 network are extreme compared to non-corporate networks.
 Agreed on the last point. And I'm following up mostly because I've received 
 quite a few private messages that resulted from folks interpreting hide 
 internal topology as block access to internal topology (which can be done 
 with filters). What I mean when I say hide internal topology is that a 
 passive observer on the outside, looking at something like web server access 
 logs, cannot tell how many subnets are inside the corporation or which 
 accesses come from which subnets. (And preferably, cannot tell whether or 
 not two different accesses came from the same host or different hosts simply 
 by examining the IP addresses... but yes, application-level cooperation -- 
 in the form of a browser which keeps cookies, as an example -- can again 
 expose that type of information)
 
 
 And to further clarify, I don't think hide internal topology is actually 
 something that needs to happen (and can show several ways in which it can be 
 completely violated, including using the browser and/or browser plugins to 
 extract the internal addresses and send them to a server somewhere which can 
 map it all out). But it *is* present as a mandatory checklist item on at 
 least one HIPAA and two SOX audit checklists I've seen... and IT departments 
 in major corporations care much more these days about getting a clean SOX 
 audit than they do about providing connectivity... and given how each affects 
 the stock price, that's not surprising.
 
 Matthew Kaufman

Yes, much education is required for the audit community.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Owen DeLong

On Apr 23, 2010, at 10:16 AM, Matthew Kaufman wrote:

 Jack Bates wrote:
 Matthew Kaufman wrote:
 But none of this does what NAT does for a big enterprise, which is to *hide 
 internal topology*. Yes, addressing the privacy concerns that come from 
 using lower-64-bits-derived-from-MAC-address is required, but it is also 
 necessary (for some organizations) to make it impossible to tell that this 
 host is on the same subnet as that other host, as that would expose 
 information like which host you might want to attack in order to get access 
 to the financial or medical records, as well as whether or not the 
 executive floor is where these interesting website hits came from.
 
 
 Which is why some firewalls already support NAT for IPv6 in some form or 
 fashion. These same firewalls will also usually have layer 7 proxy/filtering 
 support as well. The concerns and breakage of a corporate network are 
 extreme compared to non-corporate networks.
 Agreed on the last point. And I'm following up mostly because I've received 
 quite a few private messages that resulted from folks interpreting hide 
 internal topology as block access to internal topology (which can be done 
 with filters). What I mean when I say hide internal topology is that a 
 passive observer on the outside, looking at something like web server access 
 logs, cannot tell how many subnets are inside the corporation or which 
 accesses come from which subnets. (And preferably, cannot tell whether or not 
 two different accesses came from the same host or different hosts simply by 
 examining the IP addresses... but yes, application-level cooperation -- in 
 the form of a browser which keeps cookies, as an example -- can again expose 
 that type of information)
 
So can TCP fingerprinting and several other techniques.

Finally, the belief that hiding the number of subnets or which hosts share 
subnets is a meaningful enhancement to security is dubious at best.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-23 Thread Matthew Kaufman

Owen DeLong wrote:

On Apr 23, 2010, at 10:16 AM, Matthew Kaufman wrote:

  

Jack Bates wrote:


Matthew Kaufman wrote:
  

But none of this does what NAT does for a big enterprise, which is to *hide 
internal topology*. Yes, addressing the privacy concerns that come from using 
lower-64-bits-derived-from-MAC-address is required, but it is also necessary 
(for some organizations) to make it impossible to tell that this host is on the 
same subnet as that other host, as that would expose information like which 
host you might want to attack in order to get access to the financial or 
medical records, as well as whether or not the executive floor is where these 
interesting website hits came from.



Which is why some firewalls already support NAT for IPv6 in some form or 
fashion. These same firewalls will also usually have layer 7 proxy/filtering 
support as well. The concerns and breakage of a corporate network are extreme 
compared to non-corporate networks.
  

Agreed on the last point. And I'm following up mostly because I've received quite a few private messages that 
resulted from folks interpreting hide internal topology as block access to internal 
topology (which can be done with filters). What I mean when I say hide internal topology is 
that a passive observer on the outside, looking at something like web server access logs, cannot tell how 
many subnets are inside the corporation or which accesses come from which subnets. (And preferably, cannot 
tell whether or not two different accesses came from the same host or different hosts simply by examining the 
IP addresses... but yes, application-level cooperation -- in the form of a browser which keeps cookies, as an 
example -- can again expose that type of information)



So can TCP fingerprinting and several other techniques.

Finally, the belief that hiding the number of subnets or which hosts share 
subnets is a meaningful enhancement to security is dubious at best.

  
Agreed, but see my own followup to myself. Entirely dubious, and yet 
entirely required by audit checklists which feed up into SEC reporting 
which affects stock prices.


Matthew Kaufman



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Franck Martin
The whole thread made me think about this:

http://www.ipinc.net/IPv4.GIF

The energy that people are willing to spend to fix it (NAT, LSN), rather than 
bite the bullet is amazing.



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread William Herrin
On Wed, Apr 21, 2010 at 11:31 PM, Owen DeLong o...@delong.com wrote:
 On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:
 William Herrin wrote:
 Not to take issue with either statement in particular, but I think there
 needs to be some consideration of what fail means.

 Fail means that an inexperienced admin drops a router in place of the
 firewall to work around a priority problem while the senior engineer
 is on vacation. With NAT protecting unroutable addresses, that failure
 mode fails closed.

 In addition to fail-closed NAT also means:

  * search engines and connectivity providers cannot (easily)
  differentiate and/or monitor your internal hosts, and

 Right, because nobody has figured out Javascript and Cookies.

Having worked for comScore, I can tell you that having a fixed address
in the lower 64 bits would make their jobs oh so much easier. Cookies
and javascript are of very limited utility.

On the other hand, I could swear I've seen a draft where the PC picks
up random unused addresses in the lower 64 for each new outbound
connection for anonymity purposes. Even if there is no such draft, it
wouldn't exactly be hard to implement. It won't take NAT to anonymize
the PCs on a LAN with IPv6.


  * multiple routes do not have to be announced or otherwise accommodated
  by internal re-addressing.

 I fail to see how NAT even affects this in a properly structured network.

That's your failure, not Roger's. As delivered, IPv6 is capable of
dynamically assigning addresses from multiple subnets to a PC, but
that's where the support for multiple-PA multihoming stops. PCs don't
do so well at using more than one of those addresses at a time for
outbound connections. As a number of vendors have done with IPv4, an
IPv6 NAT box at the network border can spread outbound connections
between multiply addressed upstream links.


On Thu, Apr 22, 2010 at 2:10 AM, Franck Martin fra...@genius.com wrote:
 http://www.ipinc.net/IPv4.GIF
 The energy that people are willing to spend to fix it (NAT, LSN),
 rather than bite the bullet is amazing.

A friend of mine drives a 1976 Cadillac El Dorado. I asked him why
once. He explained that even at 8 miles to the gallon and even after
having to find 1970's parts for it, he can't get anything close to as
luxurious a car from the more modern offerings at anything close to
the comparatively small amount of money he spends.

The thing has plush leather seats that feel like sinking in to a comfy
couch and an engine with more horsepower than my mustang gt. It isn't
hard to see his point.

Regards,
Bill Herrin

-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread bmanning
 
 On the other hand, I could swear I've seen a draft where the PC picks
 up random unused addresses in the lower 64 for each new outbound
 connection for anonymity purposes. Even if there is no such draft, it
 wouldn't exactly be hard to implement. It won't take NAT to anonymize
 the PCs on a LAN with IPv6.

the idea is covered by one or more patents held by cisco.

--bill

 Regards,
 Bill Herrin



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread William Herrin
On Thu, Apr 22, 2010 at 7:30 AM,  bmann...@vacation.karoshi.com wrote:
 On the other hand, I could swear I've seen a draft where the PC picks
 up random unused addresses in the lower 64 for each new outbound
 connection for anonymity purposes. Even if there is no such draft, it
 wouldn't exactly be hard to implement. It won't take NAT to anonymize
 the PCs on a LAN with IPv6.

        the idea is covered by one or more patents held by cisco.

Won't stop the worms from using it to hide which PC they're living on.

-Bill



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread bmanning
On Thu, Apr 22, 2010 at 07:46:50AM -0400, William Herrin wrote:
 On Thu, Apr 22, 2010 at 7:30 AM,  bmann...@vacation.karoshi.com wrote:
  On the other hand, I could swear I've seen a draft where the PC picks
  up random unused addresses in the lower 64 for each new outbound
  connection for anonymity purposes. Even if there is no such draft, it
  wouldn't exactly be hard to implement. It won't take NAT to anonymize
  the PCs on a LAN with IPv6.
 
 the idea is covered by one or more patents held by cisco.
 
 Won't stop the worms from using it to hide which PC they're living on.
 
no... but then you just block the /32 and you're fine... :)
kind of like how people now block /8s for ranges that are 
messy

--bill



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Simon Perreault

On 2010-04-22 07:18, William Herrin wrote:

On the other hand, I could swear I've seen a draft where the PC picks
up random unused addresses in the lower 64 for each new outbound
connection for anonymity purposes.


That's probably RFC 4941. It's available in pretty much all operating 
systems. I don't think there's any IPR issue to be afraid of.


Simon
--
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Jim Burwell
On 4/22/2010 05:34, Simon Perreault wrote:
 On 2010-04-22 07:18, William Herrin wrote:
 On the other hand, I could swear I've seen a draft where the PC
 picks up random unused addresses in the lower 64 for each new
 outbound connection for anonymity purposes.

 That's probably RFC 4941. It's available in pretty much all
 operating systems. I don't think there's any IPR issue to be afraid
 of.

 Simon
I think this is different.  They're talking about using a new IPv6 for
each connection.  RFC4941 just changes it over time IIRC.  IMHO that's
still pretty good privacy, at least on par with a NATed IPv4 from the
outside perspective, especially if you rotated through temporary IPv6s
fairly frequently.

Of course, for browsers, as someone else mentioned, it's somewhat moot
because of cookies.




Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Mohacsi Janos




On Thu, 22 Apr 2010, William Herrin wrote:


On Wed, Apr 21, 2010 at 11:31 PM, Owen DeLong o...@delong.com wrote:

On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:

William Herrin wrote:

Not to take issue with either statement in particular, but I think there
needs to be some consideration of what fail means.


Fail means that an inexperienced admin drops a router in place of the
firewall to work around a priority problem while the senior engineer
is on vacation. With NAT protecting unroutable addresses, that failure
mode fails closed.


In addition to fail-closed NAT also means:

 * search engines and connectivity providers cannot (easily)
 differentiate and/or monitor your internal hosts, and


Right, because nobody has figured out Javascript and Cookies.


Having worked for comScore, I can tell you that having a fixed address
in the lower 64 bits would make their jobs oh so much easier. Cookies
and javascript are of very limited utility.

On the other hand, I could swear I've seen a draft where the PC picks
up random unused addresses in the lower 64 for each new outbound
connection for anonymity purposes. Even if there is no such draft, it
wouldn't exactly be hard to implement. It won't take NAT to anonymize
the PCs on a LAN with IPv6.



See RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration 
in IPv6.


Regards,
Janos Mohacsi



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread bmanning
On Thu, Apr 22, 2010 at 08:34:20AM -0400, Simon Perreault wrote:
 On 2010-04-22 07:18, William Herrin wrote:
 On the other hand, I could swear I've seen a draft where the PC picks
 up random unused addresses in the lower 64 for each new outbound
 connection for anonymity purposes.
 
 That's probably RFC 4941. It's available in pretty much all operating 
 systems. I don't think there's any IPR issue to be afraid of.

not RFC4941... think abt applying Heddy Lamars 
patents on spread-spectrum to source address selection.

--bill




RE: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread John Lightfoot
That's Hedley.

-Original Message-
From: bmann...@vacation.karoshi.com [mailto:bmann...@vacation.karoshi.com] 
Sent: Thursday, April 22, 2010 10:34 AM
To: Simon Perreault
Cc: nanog@nanog.org
Subject: Re: Rate of growth on IPv6 not fast enough?

On Thu, Apr 22, 2010 at 08:34:20AM -0400, Simon Perreault wrote:
 On 2010-04-22 07:18, William Herrin wrote:
 On the other hand, I could swear I've seen a draft where the PC picks 
 up random unused addresses in the lower 64 for each new outbound 
 connection for anonymity purposes.
 
 That's probably RFC 4941. It's available in pretty much all operating 
 systems. I don't think there's any IPR issue to be afraid of.

not RFC4941... think abt applying Heddy Lamars 
patents on spread-spectrum to source address selection.

--bill





RE: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Matthew Huff
Actually, no.

Not from the Mel Brooks movie.

Hedy Lamarr

http://en.wikipedia.org/wiki/Hedy_Lamarr

Hedy Lamarr (November 9, 1914 - January 19, 2000) was an Austrian-born American 
actress and engineer. Though known primarily for her film career as a major 
contract star of MGM's Golden Age, she also co-invented an early form of 
spread spectrum communications technology, a key to modern wireless 
communication.[1]



Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



 -Original Message-
 From: John Lightfoot [mailto:jlightf...@gmail.com]
 Sent: Thursday, April 22, 2010 11:05 AM
 To: bmann...@vacation.karoshi.com; 'Simon Perreault'
 Cc: nanog@nanog.org
 Subject: RE: Rate of growth on IPv6 not fast enough?
 
 That's Hedley.
 
 -Original Message-
 From: bmann...@vacation.karoshi.com [mailto:bmann...@vacation.karoshi.com]
 Sent: Thursday, April 22, 2010 10:34 AM
 To: Simon Perreault
 Cc: nanog@nanog.org
 Subject: Re: Rate of growth on IPv6 not fast enough?
 
 On Thu, Apr 22, 2010 at 08:34:20AM -0400, Simon Perreault wrote:
  On 2010-04-22 07:18, William Herrin wrote:
  On the other hand, I could swear I've seen a draft where the PC picks
  up random unused addresses in the lower 64 for each new outbound
  connection for anonymity purposes.
 
  That's probably RFC 4941. It's available in pretty much all operating
  systems. I don't think there's any IPR issue to be afraid of.
 
   not RFC4941... think abt applying Heddy Lamars
   patents on spread-spectrum to source address selection.
 
 --bill
 
 


Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Larry Sheldon
On 4/22/2010 10:04, John Lightfoot wrote:
 That's Hedley.
 
 -Original Message-
 From: bmann...@vacation.karoshi.com [mailto:bmann...@vacation.karoshi.com] 
 Sent: Thursday, April 22, 2010 10:34 AM
 To: Simon Perreault
 Cc: nanog@nanog.org
 Subject: Re: Rate of growth on IPv6 not fast enough?
 
 On Thu, Apr 22, 2010 at 08:34:20AM -0400, Simon Perreault wrote:
 On 2010-04-22 07:18, William Herrin wrote:
 On the other hand, I could swear I've seen a draft where the PC picks 
 up random unused addresses in the lower 64 for each new outbound 
 connection for anonymity purposes.

 That's probably RFC 4941. It's available in pretty much all operating 
 systems. I don't think there's any IPR issue to be afraid of.
 
   not RFC4941... think abt applying Heddy Lamars 
   patents on spread-spectrum to source address selection.

Hedwig Eva Maria Kiesler aka Hedy Lamarr


-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml





Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Charles Mills
I think he was actually quoting the movie.  They always called Harvey
Korman's character Hedy and he'd always correct them with That's
Hedley in a most disapproving tone.

You had to have watched that movie way too many times (much to my
wife's chagrin) to catch the subtle joke.
On Thu, Apr 22, 2010 at 11:10 AM, Matthew Huff mh...@ox.com wrote:
 Actually, no.

 Not from the Mel Brooks movie.

 Hedy Lamarr

 http://en.wikipedia.org/wiki/Hedy_Lamarr

 Hedy Lamarr (November 9, 1914 - January 19, 2000) was an Austrian-born 
 American actress and engineer. Though known primarily for her film career as 
 a major contract star of MGM's Golden Age, she also co-invented an early 
 form of spread spectrum communications technology, a key to modern wireless 
 communication.[1]


 
 Matthew Huff   | One Manhattanville Rd
 OTA Management LLC | Purchase, NY 10577
 http://www.ox.com  | Phone: 914-460-4039
 aim: matthewbhuff  | Fax:   914-460-4139



 -Original Message-
 From: John Lightfoot [mailto:jlightf...@gmail.com]
 Sent: Thursday, April 22, 2010 11:05 AM
 To: bmann...@vacation.karoshi.com; 'Simon Perreault'
 Cc: nanog@nanog.org
 Subject: RE: Rate of growth on IPv6 not fast enough?

 That's Hedley.

 -Original Message-
 From: bmann...@vacation.karoshi.com [mailto:bmann...@vacation.karoshi.com]
 Sent: Thursday, April 22, 2010 10:34 AM
 To: Simon Perreault
 Cc: nanog@nanog.org
 Subject: Re: Rate of growth on IPv6 not fast enough?

 On Thu, Apr 22, 2010 at 08:34:20AM -0400, Simon Perreault wrote:
  On 2010-04-22 07:18, William Herrin wrote:
  On the other hand, I could swear I've seen a draft where the PC picks
  up random unused addresses in the lower 64 for each new outbound
  connection for anonymity purposes.
 
  That's probably RFC 4941. It's available in pretty much all operating
  systems. I don't think there's any IPR issue to be afraid of.

       not RFC4941... think abt applying Heddy Lamars
       patents on spread-spectrum to source address selection.

 --bill







Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Marshall Eubanks


On Apr 22, 2010, at 11:04 AM, John Lightfoot wrote:


That's Hedley.



I believe that he is talking about Hedy Lamarr, the co-inventor of  
frequency hopping spread spectrum.


Regards
Marshall


-Original Message-
From: bmann...@vacation.karoshi.com [mailto:bmann...@vacation.karoshi.com]

Sent: Thursday, April 22, 2010 10:34 AM
To: Simon Perreault
Cc: nanog@nanog.org
Subject: Re: Rate of growth on IPv6 not fast enough?

On Thu, Apr 22, 2010 at 08:34:20AM -0400, Simon Perreault wrote:

On 2010-04-22 07:18, William Herrin wrote:
On the other hand, I could swear I've seen a draft where the PC picks

up random unused addresses in the lower 64 for each new outbound
connection for anonymity purposes.


That's probably RFC 4941. It's available in pretty much all operating
systems. I don't think there's any IPR issue to be afraid of.


not RFC4941... think abt applying Heddy Lamars
patents on spread-spectrum to source address selection.

--bill









Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Larry Sheldon
On 4/22/2010 10:17, Charles Mills wrote:
 I think he was actually quoting the movie.  They always called Harvey
 Korman's character Hedy and he'd always correct them with That's
 Hedley in a most disapproving tone.

Oh.

The only thing I watch less-of than TV is movies.

Say... did they ever make a sequel to Crocodile Dundee?
-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml





Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Scott Weeks


--- j...@jsbc.cc wrote:
From: Jim Burwell j...@jsbc.cc

I think this is different.  They're talking about using a new IPv6 for
each connection.  RFC4941 just changes it over time IIRC.  IMHO that's
still pretty good privacy, at least on par with a NATed IPv4 from the
outside perspective, especially if you rotated through temporary IPv6s
fairly frequently.

Of course, for browsers, as someone else mentioned, it's somewhat moot
because of cookies.



Manage your cookies.  

preferences = privacy  security = cookies = select ask for each cookie

Noisy in the beginning and then settles down after a while.  Surprising, 
though, in what is tracked, so it's worth doing for a while just to observe.  
Oh, yeah, also manage your Flash cookies: 

http://macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

scott



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Owen DeLong

On Apr 22, 2010, at 4:30 AM, bmann...@vacation.karoshi.com wrote:

 
 On the other hand, I could swear I've seen a draft where the PC picks
 up random unused addresses in the lower 64 for each new outbound
 connection for anonymity purposes. Even if there is no such draft, it
 wouldn't exactly be hard to implement. It won't take NAT to anonymize
 the PCs on a LAN with IPv6.
 
   the idea is covered by one or more patents held by cisco.
 
 --bill
 
 Regards,
 Bill Herrin

It's default behavior in Windows 7 and is specified in an RFC.

Look for IPv6 Privacy Addressing.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Owen DeLong

On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:

 On 4/22/2010 05:34, Simon Perreault wrote:
 On 2010-04-22 07:18, William Herrin wrote:
 On the other hand, I could swear I've seen a draft where the PC
 picks up random unused addresses in the lower 64 for each new
 outbound connection for anonymity purposes.
 
 That's probably RFC 4941. It's available in pretty much all
 operating systems. I don't think there's any IPR issue to be afraid
 of.
 
 Simon
 I think this is different.  They're talking about using a new IPv6 for
 each connection.  RFC4941 just changes it over time IIRC.  IMHO that's
 still pretty good privacy, at least on par with a NATed IPv4 from the
 outside perspective, especially if you rotated through temporary IPv6s
 fairly frequently.

4941 specified changing over time as one possibility.  It does allow
for per flow or any other host based determination of when it needs a new
address.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Matthew Kaufman

Owen DeLong wrote:

On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:

  


On 4/22/2010 05:34, Simon Perreault wrote:


On 2010-04-22 07:18, William Herrin wrote:
  

On the other hand, I could swear I've seen a draft where the PC
picks up random unused addresses in the lower 64 for each new
outbound connection for anonymity purposes.


That's probably RFC 4941. It's available in pretty much all
operating systems. I don't think there's any IPR issue to be afraid
of.

Simon
  

I think this is different.  They're talking about using a new IPv6 for
each connection.  RFC4941 just changes it over time IIRC.  IMHO that's
still pretty good privacy, at least on par with a NATed IPv4 from the
outside perspective, especially if you rotated through temporary IPv6s
fairly frequently.



4941 specified changing over time as one possibility.  It does allow
for per flow or any other host based determination of when it needs a new
address.

Owen


  
But none of this does what NAT does for a big enterprise, which is to 
*hide internal topology*. Yes, addressing the privacy concerns that come 
from using lower-64-bits-derived-from-MAC-address is required, but it is 
also necessary (for some organizations) to make it impossible to tell 
that this host is on the same subnet as that other host, as that would 
expose information like which host you might want to attack in order to 
get access to the financial or medical records, as well as whether or 
not the executive floor is where these interesting website hits came from.


Matthew Kaufman



Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Jim Burwell
On 4/22/2010 22:00, Owen DeLong wrote:

 On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:


 On 4/22/2010 05:34, Simon Perreault wrote:
 On 2010-04-22 07:18, William Herrin wrote:
 On the other hand, I could swear I've seen a draft where the
 PC picks up random unused addresses in the lower 64 for each
 new outbound connection for anonymity purposes.

 That's probably RFC 4941. It's available in pretty much all
 operating systems. I don't think there's any IPR issue to be
 afraid of.

 Simon
 I think this is different.  They're talking about using a new
 IPv6 for each connection.  RFC4941 just changes it over time
 IIRC.  IMHO that's still pretty good privacy, at least on par
 with a NATed IPv4 from the outside perspective, especially if you
 rotated through temporary IPv6s fairly frequently.

 4941 specified changing over time as one possibility.  It does
 allow for per flow or any other host based determination of when it
 needs a new address.

 Owen
K.  Can't say I've read the RFC all the way through (skimmed it).
Current implementations do the time thing.  XP, Vista, and 7 seem to
have it turned on by default.  *nix has support via the
net.ipv6.conf.all.use_tempaddr=2 variable, typically not on by default.



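Matthew Kaufman's point in this thread is that a /64 per subnet leaks topology to a passive observer of web server access logs even when RFC 4941 temporary addresses (the use_tempaddr=2 sysctl Jim mentions above) hide which host made a request. As an added example that is not from anyone on the thread, this Python script takes that outside observer's view over a few constructed access log lines under a hypothetical 2001:db8::/32 prefix: it groups sources by /64, counts distinct interface identifiers per subnet, and flags modified-EUI-64 identifiers (the ff:fe filler) whose embedded MAC stays constant across sessions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Apache-style access log lines (hypothetical 2001:db8::/32 prefix, not from the thread).
# Subnet ...:1:10 shows one EUI-64 host and one RFC 4941 temporary address;
# ...:1:20 one EUI-64 host; ...:1:30 one temporary address; one IPv4 line is noise.
SAMPLE_LOG = """\
2001:db8:1:10:21b:21ff:fe3a:4c5d - - [22/Apr/2010:10:16:01 -0700] "GET /index.html HTTP/1.1" 200 1523
2001:db8:1:10:21b:21ff:fe3a:4c5d - - [22/Apr/2010:10:16:05 -0700] "GET /pricing.html HTTP/1.1" 200 8810
2001:db8:1:10:a1c2:9f0e:77d1:3b2a - - [22/Apr/2010:10:17:12 -0700] "GET /index.html HTTP/1.1" 200 1523
2001:db8:1:20:250:56ff:fe9a:1e77 - - [22/Apr/2010:10:18:40 -0700] "GET /careers.html HTTP/1.1" 200 4402
2001:db8:1:20:250:56ff:fe9a:1e77 - - [22/Apr/2010:10:19:02 -0700] "GET /about.html HTTP/1.1" 200 3311
2001:db8:1:30:4d8e:2a11:c0ff:ee01 - - [22/Apr/2010:10:21:55 -0700] "GET /index.html HTTP/1.1" 200 1523
192.0.2.7 - - [22/Apr/2010:10:22:30 -0700] "GET /index.html HTTP/1.1" 200 1523
"""

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

IID_MASK = (1 << 64) - 1


def interface_id(addr):
    """Low 64 bits of an IPv6 address (the interface identifier); accepts str or IPv6Address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def is_eui64(addr):
    """True if the IID carries the 0xfffe filler of a modified EUI-64 (RFC 4291, Appendix A),
    i.e. it was derived from a MAC address rather than generated per RFC 4941."""
    return (interface_id(addr) >> 24) & 0xFFFF == 0xFFFE


def eui64_to_mac(addr):
    """Recover the MAC embedded in a modified EUI-64 IID: drop the ff:fe filler
    and flip the universal/local bit back."""
    b = interface_id(addr).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]])
    return ":".join(f"{x:02x}" for x in mac)


def analyze(log_text):
    """The passive observer's view: which /64s are visible, how many distinct IIDs
    each one showed, and which sources are stable MAC-derived identifiers."""
    iids_per_subnet = defaultdict(set)
    eui64_hosts = {}
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            addr = ipaddress.IPv6Address(m.group("src"))
        except ValueError:  # IPv4 or garbage source: outside this analysis
            skipped += 1
            continue
        subnet = ipaddress.IPv6Network((int(addr), 64), strict=False)
        iids_per_subnet[str(subnet)].add(interface_id(addr))
        if is_eui64(addr):
            eui64_hosts[str(addr)] = eui64_to_mac(addr)
    return {
        "subnets": {net: len(iids) for net, iids in sorted(iids_per_subnet.items())},
        "eui64_hosts": eui64_hosts,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{len(report['subnets'])} internal /64s visible from outside:")
    for net, n in report["subnets"].items():
        print(f"  {net}: {n} distinct interface identifier(s)")
    print("Sources whose IID is MAC-derived (same MAC across sessions = same NIC):")
    for addr, mac in report["eui64_hosts"].items():
        print(f"  {addr} -> {mac}")
```

Temporary addresses empty the eui64_hosts list and stop the per-host correlation, but the subnet count stays the same, which is exactly the gap between RFC 4941 and the "hide internal topology" audit item.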




Re: Rate of growth on IPv6 not fast enough?

2010-04-22 Thread Jim Burwell
On 4/22/2010 22:18, Matthew Kaufman wrote:
 Owen DeLong wrote:
 On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:



 On 4/22/2010 05:34, Simon Perreault wrote:

 On 2010-04-22 07:18, William Herrin wrote:

 On the other hand, I could swear I've seen a draft where
 the PC picks up random unused addresses in the lower 64 for
 each new outbound connection for anonymity purposes.

 That's probably RFC 4941. It's available in pretty much all
 operating systems. I don't think there's any IPR issue to be
 afraid of.

 Simon

 I think this is different.  They're talking about using a new
 IPv6 for each connection.  RFC4941 just changes it over time
 IIRC.  IMHO that's still pretty good privacy, at least on par
 with a NATed IPv4 from the outside perspective, especially if
 you rotated through temporary IPv6s fairly frequently.


 4941 specified changing over time as one possibility.  It does
 allow for per flow or any other host based determination of when
 it needs a new address.

 Owen



 But none of this does what NAT does for a big enterprise, which is
 to *hide internal topology*. Yes, addressing the privacy concerns
 that come from using lower-64-bits-derived-from-MAC-address is
 required, but it is also necessary (for some organizations) to
 make it impossible to tell that this host is on the same subnet as
 that other host, as that would expose information like which host
 you might want to attack in order to get access to the financial
 or medical records, as well as whether or not the executive floor
 is where these interesting website hits came from.

 Matthew Kaufman
Yeah, that information leak is one reason I can think of for supporting
NAT for IPv6.  One of the inherent security issues with unique
addresses I suppose.





Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Jens Link
John Levine jo...@iecc.com writes:

 I'm not saying that NAT is wonderful, but my experience, in which day
 to day stuff all works fine, is utterly different from the doom and
 disaster routinely predicted here.

Ever tried to troubleshoot networks which were using multiple NAT?
Every time I have to, I get the urge to get really drunk afterwards.

And when ISPs start using NAT for their customers, there will be more
problems leading to more support calls. 

Jens
-- 
-
| Foelderichstr. 40   | 13595 Berlin, Germany| +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de | ---  | 
-



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Mark Smith
On Tue, 20 Apr 2010 21:16:10 -0700
Owen DeLong o...@delong.com wrote:

  
  Frankly, when you hear people strongly using the argument stateful
  firewalling == NAT, you start to wonder if they've ever seen a stateful
  firewall using public addresses.
  
 I've run several of them.
 

My comment wasn't a reply to you, more of a general comment about the
surprising effort you still need to go to explain that stateful
firewalling doesn't mandate NAT.

I sometimes wonder if some people's heads would explode if I told them
that this PC is directly attached to the Internet, has both public IPv4
and IPv6 addresses, and is performing stateful firewalling - with no NAT
anywhere.

Regards,
Mark.



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Jim Burwell
On 4/21/2010 03:38, Mark Smith wrote:
 On Tue, 20 Apr 2010 21:16:10 -0700 Owen DeLong o...@delong.com
 wrote:


 Frankly, when you hear people strongly using the argument
 stateful firewalling == NAT, you start to wonder if they've
 ever seen a stateful firewall using public addresses.

 I've run several of them.


 My comment wasn't a reply to you, more of a general comment about
 the surprising effort you still need to go to explain that
 stateful firewalling doesn't mandate NAT.

 I sometimes wonder if some people's heads would explode if I told
 them that this PC is directly attached to the Internet, has both
 public IPv4 and IPv6 addresses, and is performing stateful
 firewalling - with no NAT anywhere.

I hear ya.  Except for simple translations (e.g. one-to-one, whole net
xlates), NAT is dependent on SPI, but SPI is not dependent on NAT.
But some seem to combine the two into a single inseparable concept.
I've definitely run into people who confuse the concepts.  And also
presume that without NAT there is less or no security.

This head definitely wouldn't explode, since back in the early to mid
90s I ran enterprise networks on which all hosts had public IPs and
there was no NAT at all.  First protected by dumb filters on
routers, which were fairly quickly replaced by dedicated SPI firewalls
(such as Checkpoint).  The first couple SPI firewalls I used didn't
even *have* NAT capability.  Yet, they did a fine job securing my LANs
without it.  And this is at a time when most workstations and servers
on the LAN didn't have firewalls themselves (no OS included FW).

Despite it doing the job it was intended to do, I've always seen NAT
as a bit of an ugly hack, with potential to get even uglier with LSN
and multi-level NAT in the future.  I personally welcome a return to a
NAT-less world with IPv6.  :)





Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Chris Adams
Once upon a time, Franck Martin fra...@genius.com said:
 Why don't they use IPv6 instead of uPnP?

UPnP (or something like it) is needed for any kind of firewall for some
devices.

At least on Xbox, some games are essentially peer-to-peer; when userA
starts it up and invites friends, their Xbox becomes the game server.
The other people joining the game talk directly to userA's Xbox (they
don't go through a Microsoft Xbox Live server).

When userA sets up the game, their Xbox sends a UPnP request to the
local firewall to open up a port so outside connections can come in.  It
doesn't matter if there is IPv4, IPv6, NAT, etc. in play; the Xbox is
saying "let the Internet talk to me on port foo for a bit".

Now, the security model (or lack thereof) of UPnP can be debated, but
home users are going to need something like that for peer-to-peer
networking.  IPv6 is supposed to bring back end-to-end networking and
abolish NAT, but I think most people agree that the average home user
will still need a basic stateful firewall for protection, which means
there has to be a protocol for some devices to temporarily open up ports
on the firewall (or there's still no end-to-end).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread John Levine
And when ISPs start using NAT for their customers, there will be more
problems leading to more support calls.

You say this as though they don't do it now.

R's,
John





Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Dave Sparro

On 4/21/2010 8:46 AM, Jim Burwell wrote:


Despite it doing the job it was intended to do, I've always seen NAT
as a bit of an ugly hack, with potential to get even uglier with LSN
and multi-level NAT in the future.  I personally welcome a return to a
NAT-less world with IPv6.  :)
   


Don't you get all of the same problems when there is a properly
restrictive SPI firewall at both ends of the connection regardless of
whether NAT is used as well?




Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Cutler James R
No.  You get a different set of problems, mostly administrative.


On Apr 21, 2010, at 1:53 PM, Dave Sparro wrote:

 On 4/21/2010 8:46 AM, Jim Burwell wrote:
 
 Despite it doing the job it was intended to do, I've always seen NAT
 as a bit of an ugly hack, with potential to get even uglier with LSN
 and multi-level NAT in the future.  I personally welcome a return to a
 NAT-less world with IPv6.  :)
   
 
 Don't you get all of the same problems when there is a properly restrictive
 SPI firewall at both ends of the connection regardless of whether NAT is used
 as well?
 

James R. Cutler
james.cut...@consultant.com







Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread William Herrin
On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer ka...@biplane.com.au wrote:
 On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
 On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
  NAT _always_ fails-closed
 Stateful Inspection can be implemented fail-closed.

 Not to take issue with either statement in particular, but I think there
 needs to be some consideration of what fail means.

Fail means that an inexperienced admin drops a router in place of the
firewall to work around a priority problem while the senior engineer
is on vacation. With NAT protecting unroutable addresses, that failure
mode fails closed.

Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Jack Bates

Dave Sparro wrote:


Don't you get all of the same problems when there is a properly
restrictive SPI firewall at both ends of the connection regardless of
whether NAT is used as well?


If you mean, do we still need protocols similar to uPNP the answer is 
yes. Of course, uPNP is designed with a SPI in mind. However, we 
simplify a lot of problems when we remove address mangling from the 
equation.


That's not to say there won't be NAT for IPv6. Fact is, businesses will 
ask and firewall vendors will give. Of course, business needs are often 
different than general usage (and especially home usage) needs.


Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Roger Marquis

William Herrin wrote:

Not to take issue with either statement in particular, but I think there
needs to be some consideration of what fail means.


Fail means that an inexperienced admin drops a router in place of the
firewall to work around a priority problem while the senior engineer
is on vacation. With NAT protecting unroutable addresses, that failure
mode fails closed.


In addition to fail-closed, NAT also means:

  * search engines and connectivity providers cannot (easily)
  differentiate and/or monitor your internal hosts, and

  * multiple routes do not have to be announced or otherwise accommodated
  by internal re-addressing.

Roger Marquis



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Roger Marquis

Jack Bates wrote:

If you mean, do we still need protocols similar to uPNP the answer is
yes. Of course, uPNP is designed with a SPI in mind. However, we
simplify a lot of problems when we remove address mangling from the
equation.


Let's not forget why UPNP is what it is and why it should go away.  UPNP
was Microsoft's answer to Sun's JINI.  It was never intended to provide
security.  All MS wanted to do with UPNP was derail a competing vendor's
(vastly superior) technology.  Not particularly different than MS' recent
efforts around OOXML.

Roger Marquis



Re: Rate of growth on IPv6 not fast enough?

2010-04-21 Thread Owen DeLong

On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:

 William Herrin wrote:
 Not to take issue with either statement in particular, but I think there
 needs to be some consideration of what fail means.
 
 Fail means that an inexperienced admin drops a router in place of the
 firewall to work around a priority problem while the senior engineer
 is on vacation. With NAT protecting unroutable addresses, that failure
 mode fails closed.
 
 In addition to fail-closed, NAT also means:
 
  * search engines and connectivity providers cannot (easily)
  differentiate and/or monitor your internal hosts, and
 
Right, because nobody has figured out Javascript and Cookies.

  * multiple routes do not have to be announced or otherwise accommodated
  by internal re-addressing.
 
I fail to see how NAT even affects this in a properly structured network.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread James Hess
On Mon, Apr 19, 2010 at 11:47 PM, Adrian Chadd adr...@creative.net.au wrote:
 On Tue, Apr 20, 2010, Perry Lorier wrote:
  could dimension a NAT box for an ISP.  His research is available here
  http://www.wand.net.nz/~salcock/spnat/tech_report.pdf .  If walls of
  text scare you (why are you reading this mailing list then?) skip
  through and look at the graphs (page 3 onwards)
 Interesting. Only a few days, and not really any analysis for worst
 case scenarios and how to possibly gracefully recover from those.
 (eg, I've done some NAT hacks to detect idle HTTP pconns and toss
 those before tossing the others.)

I found some of the premises lacking, at least in an initial reading;
session expiration is a problem for SP NAT, and for that reason the
dimensioning that makes it even worse is questionable, in that the
shown, er, solution to UDP packets creating many sessions was
establishing extra short expiration durations; it attempts to
address one problem while creating an even bigger one... NAPT with
short expiration in an SP environment indicates a point of more
breakage to network connectivity than the negative impact of current
NAPT practice in enterprise environments.

At least table sizings can be met by expanding capacity. Expiring
good/still-active short lived sessions cannot be fixed, except by
not expiring them.


A good example of an application this short lived sessions
treatment may break is DNS. If, for example, a domain's authoritative
responses are taking 10 seconds to arrive, and the DNS cache on a
subscriber's PC submits a query to each of the authoritative servers
for that domain, the session will expire before 1/3rd of the normal
DNS timeout has passed -- since only one packet is sent to submit
each DNS query, they all get considered short-lived sessions.  Now
instead of DNS being slow (response after 10 seconds due to
congestion of an overseas link or something), the domain being
resolved is completely unreachable: the response arrives but is
discarded because the session expired, so it is never seen, unless one
of the servers can get a response in within that 10s window.
That's an ungraceful failure result.


Expiring sessions early is likely to create a similar problem for P2P
client applications -- they were waiting for a response, but will
never get it.
That one packet session concept is just a prediction; in reality,
the client likely hopes for a response from many of those requests
within a few minutes...


If expiring these short lived sessions is undesired by the
application and is adopted by SPs, it could probably result in
significant changes by the developers to the client software
applications observed.

Changes to the applications (in reaction to SP NAT) could be expected
to affect that peak result of SP NAT, negating portions of state
table reductions obtained temporarily through shortening expiration
periods.


Means that new apps designed for use with such services would probably
have to re-transmit much earlier, or flood no-op UDP/TCP packets in
order to keep sessions open, in order to provide the user a
reasonable experience.  Sending additional packets to 'keep sessions
alive' on the NAT device consumes more time on the wire (bandwidth),
negates and might eventually exceed part of the SP's advantage of
early expiration, if the expire is short enough.

--
-J
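The DNS failure mode described in the post above, modelled as an added example (not code from the thread or from any NAT vendor): a toy carrier NAPT gives one-packet UDP flows a short idle timer, so a 10 s authoritative reply is dropped under a 5 s timer but survives a longer timer or an early retransmit that promotes the flow to the normal timer. Addresses, ports and timings are constructed.

```python
"""Toy model of a carrier-grade NAPT session table with idle-timer expiry.

A UDP flow that has carried only one outbound packet (a DNS query) is classed
as "short-lived" and gets the short timer; if the server answers after it has
lapsed, no mapping remains for the reply and the translator drops it.
All addresses, ports and timings are constructed for the simulation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

@dataclass
class Packet:
    t: float  # arrival time in seconds
    src: Endpoint
    dst: Endpoint
    proto: str = "udp"

@dataclass
class Session:
    inside: Endpoint   # subscriber's private (ip, port)
    outside_port: int  # port allocated on the shared public address
    remote: Endpoint   # the Internet peer
    last_seen: float
    packets_out: int = 1

class Napt:
    """Port-overloading NAT: short timer for one-packet flows, normal timer otherwise."""

    def __init__(self, public_ip: str, short_timeout: float, normal_timeout: float,
                 short_threshold: int = 1) -> None:
        self.public_ip = public_ip
        self.short_timeout = short_timeout    # applies while packets_out <= short_threshold
        self.normal_timeout = normal_timeout  # applies once the flow looks established
        self.short_threshold = short_threshold
        # (proto, outside_port, remote) -> Session, plus a reverse index keyed by inside tuple
        self.sessions: Dict[Tuple[str, int, Endpoint], Session] = {}
        self.by_inside: Dict[Tuple[str, Endpoint, Endpoint], Tuple[str, int, Endpoint]] = {}
        self.next_port = 1024
        self.dropped_inbound = 0

    def _timeout_for(self, s: Session) -> float:
        return self.short_timeout if s.packets_out <= self.short_threshold else self.normal_timeout

    def _expire(self, now: float) -> None:
        """Remove every mapping whose idle timer has run out at time `now`."""
        for key, s in list(self.sessions.items()):
            if now - s.last_seen > self._timeout_for(s):
                del self.sessions[key]
                del self.by_inside[(key[0], s.inside, s.remote)]

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a subscriber packet; return it as the Internet peer sees it."""
        self._expire(pkt.t)
        ikey = (pkt.proto, pkt.src, pkt.dst)
        key = self.by_inside.get(ikey)
        if key is None:
            port, self.next_port = self.next_port, self.next_port + 1
            key = (pkt.proto, port, pkt.dst)
            self.sessions[key] = Session(pkt.src, port, pkt.dst, pkt.t)
            self.by_inside[ikey] = key
        else:
            s = self.sessions[key]
            s.last_seen = pkt.t
            s.packets_out += 1  # a retransmit or keepalive promotes the flow to the long timer
        return Packet(pkt.t, (self.public_ip, key[1]), pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; None means no mapping survived and it was dropped."""
        self._expire(pkt.t)
        s = self.sessions.get((pkt.proto, pkt.dst[1], pkt.src))
        if s is None:
            self.dropped_inbound += 1
            return None
        s.last_seen = pkt.t
        return Packet(pkt.t, pkt.src, s.inside, pkt.proto)

    def live_sessions(self, now: float) -> int:
        """State-table occupancy at time `now`, the quantity short timers are meant to cut."""
        self._expire(now)
        return len(self.sessions)

RESOLVER = ("10.0.0.5", 40000)  # constructed: subscriber's stub resolver
AUTH_NS = ("192.0.2.53", 53)    # constructed: slow authoritative server

def dns_reply_delivered(short_timeout: float, reply_delay: float,
                        resend_at: Optional[float] = None) -> bool:
    """Query at t=0, optional retransmit, reply after `reply_delay` s; True if delivered."""
    nat = Napt("203.0.113.1", short_timeout=short_timeout, normal_timeout=300.0)
    out = nat.outbound(Packet(0.0, RESOLVER, AUTH_NS))
    if resend_at is not None:
        nat.outbound(Packet(resend_at, RESOLVER, AUTH_NS))
    reply = Packet(reply_delay, AUTH_NS, out.src)  # server answers the public (ip, port)
    return nat.inbound(reply) is not None
```

`dns_reply_delivered(5.0, 10.0)` is False while `dns_reply_delivered(30.0, 10.0)` and `dns_reply_delivered(5.0, 10.0, resend_at=4.0)` are True, which is the trade-off the post describes: the short timer saves table entries only until applications start retransmitting to keep their mappings alive.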



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mohacsi Janos




On Mon, 19 Apr 2010, Leen Besselink wrote:





I actually think the razor thin margins make it less likely.

If I'm not mistaken, one of the reasons firmware updates are not
available from a number of vendors/products, is because the small
boxes don't have enough ROM and/or RAM.

The ROM is too small to hold an extra stack (or other features) and/or
the RAM is too small to handle the connection tracking for the larger
addresses. Because people want a stateful firewall, right ?


In very low-end devices, maybe. In mid-range devices there is enough flash
and RAM. I have been using OpenWrt on various devices (Asus, D-Link,
Linksys) with IPv6 for more than 3 years.


Best Regards,
Janos Mohacsi



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Alexandre Snarskii
On Mon, Apr 19, 2010 at 06:56:43AM +0200, Mikael Abrahamsson wrote:
 On Mon, 19 Apr 2010, Franck Martin wrote:
 
 Anybody has better projections? What's the plan?
 
 My guess is that end user access will be more and more NAT444:ed (CGN) 
 while at the same time end users will get more and more IPv6 access (of 
 all types), and over a period of time more and more of the p2p traffic 
 (VoIP, file transfers etc) will move to IPv6 because it'll stop working 
 over IPv4. When enough users have IPv6 access the server-based content 
 will be made reachable over v6 as well.
 
 The transition will take at least 5 years, I guess in 2015 we'll be 
 perhaps halfway there.

I suppose we will be here before 2015. We have at least one
segment where IPv6 CPE is mandated by network access providers -
that's cellular networks. So, adding "Verizon mandates IPv6 for
LTE phones"[1] and "Verizon expects to commercially launch its LTE
4G network in up to 30 markets in 2010"[2], I can suggest that there
will be a significant increase of IPv6-enabled users in 2010-2011.

Maybe this increase will even be significant enough to push content
providers to dual-stack too...

[1]: 
http://www.circleid.com/posts/20090609_verizon_mandates_ipv6_support_for_next_gen_cell_phones/
[2]: http://www.wirelessweek.com/News-Verizon-LTE-Data-Calls-081709.aspx




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Florian Weimer
* Bryan Fields:

 Yes, but I was showing what a great DDOS attack method it would be
 too ;)

The beauty of flow-based forwarding (with or without NAT) is that
several types of denial-of-service attacks tend to hurt close to the
packet sources, and not just close to the victim.  As far as the whole
system is concerned, this is a very, very good thing.



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread bmanning
On Tue, Apr 20, 2010 at 12:24:57PM +1000, Mark Andrews wrote:
 
 In message 201004200022.o3k0m2ba007...@aurora.sol.net, Joe Greco writes:
   That'd be easy if you were just starting up an ISP. What do you do with
   your existing customer base? If their current service includes a
   dynamic public IPv4 address, you can't gracefully take it away, without
   likely violating service T&Cs, government telco regulations etc. So
   you'll have to go through a formal process of getting agreement with
   customers to take them away.
  
  I haven't seen any such documents or regulations.
 
 People purchased the service on the understanding that they would
 get an Internet address.  An address behind a NAT is not an Internet
 address, it's a *shared* Internet address which is a very different
 thing.

what's an Internet address?  and are you sure that's part of
the service offering?

 Mark Andrews, ISC

--bill



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread bmanning
On Tue, Apr 20, 2010 at 01:58:13PM +1000, Mark Andrews wrote:
 
  You are charmingly naive about how the law actually works in the USA -
  that is IMHO.
 
 Yes, things vary around the world.  You failed to state In the
 USA.  There is plenty of case law in Australia about companies
 attempting to arbitrarily change terms and conditions to the
 detriment of the consumer and being made to reverse the changes.


this is the North American Network Operators Group.
Not the Australian Network Operators Group.

 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia

--bill



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Joe Greco
 In message 201004200022.o3k0m2ba007...@aurora.sol.net, Joe Greco writes:
   That'd be easy if you were just starting up an ISP. What do you do with
   your existing customer base? If their current service includes a
   dynamic public IPv4 address, you can't gracefully take it away, without
   likely violating service T&Cs, government telco regulations etc. So
   you'll have to go through a formal process of getting agreement with
   customers to take them away.
  
  I haven't seen any such documents or regulations.
 
 People purchased the service on the understanding that they would
 get an Internet address.  An address behind a NAT is not an Internet
 address, it's a *shared* Internet address which is a very different
 thing.

People purchase mobile Internet service and get placed behind 
carrier NAT.  People get free Internet at hotels and are almost
always behind a NAT.  The terminology war is lost.

  Many/most people are _already_ behind a NAT gateway.
 
 They are behind NAT44 which they deployed themselves and control
 the configuration of themselves.  They can direct incoming traffic
 as they see fit.  They are NOT restricted to UDP and TCP.
 
 NAT444 is a different kettle of fish.  There are lots of things
 that you do with a NAT44 that you can't do with a NAT444.
 
 If all you do is browse the web and read email then you won't see
 much of a difference.  If you do anything more complicated than
 making outgoing queries you will see the difference.

You *might* see the difference.  You might not, too.

And hey, just so we're clear here, I would *agree* that Internet access
ought to mean an actual IP address with as little filtering, etc., as
reasonable...  but we're exploring what happens at exhaustion here.  So
I'm not interested in arguing this point; the fact of the matter is that
we WILL hit exhaustion, and it's going to be a hell of an operational
issue the day your subscribers cannot get an IP from the DHCP server
because they're all allocated and in use.

I'm as offended as anyone by what is often passed off as Internet 
access, but it's completely devoid of value to argue what you seem to
be saying:  the fact that it is so _today_ does not mean that it /has/
to be so _tomorrow._  All that's down that path is exhaustion with no
solutions.  

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Andrews

In message 20100420121646.ge15...@vacation.karoshi.com., bmann...@vacation.karoshi.com writes:
 On Tue, Apr 20, 2010 at 01:58:13PM +1000, Mark Andrews wrote:
  
   You are charmingly naive about how the law actually works in the USA -
   that is IMHO.
  
  Yes, things vary around the world.  You failed to state In the
  USA.  There is plenty of case law in Australia about companies
  attempting to arbitrarily change terms and conditions to the
  detriment of the consumer and being made to reverse the changes.
 
 
   this is the North American Network Operators Group.
   Not the Australian Network Operators Group.

And last I heard NA != USA.  So have you decided to annex the rest of
NA and bring it under US law.  :-)

  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
 
 --bill
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Owen DeLong

On Apr 20, 2010, at 5:40 AM, Joe Greco wrote:

 In message 201004200022.o3k0m2ba007...@aurora.sol.net, Joe Greco writes:
 That'd be easy if you were just starting up an ISP. What do you do with
 your existing customer base? If their current service includes a
 dynamic public IPv4 address, you can't gracefully take it away, without
 likely violating service T&Cs, government telco regulations etc. So
 you'll have to go through a formal process of getting agreement with
 customers to take them away.
 
 I haven't seen any such documents or regulations.
 
 People purchased the service on the understanding that they would
 get an Internet address.  An address behind a NAT is not an Internet
 address, it's a *shared* Internet address which is a very different
 thing.
 
 People purchase mobile Internet service and get placed behind 
 carrier NAT.  People get free Internet at hotels and are almost
 always behind a NAT.  The terminology war is lost.
 
Most hotels I have stayed in recently have an "Upgrade to public IP"
button which I routinely use.  I have never encountered an additional
charge for that public IP.

 Many/most people are _already_ behind a NAT gateway.
 
 They are behind NAT44 which they deployed themselves and control
 the configuration of themselves.  They can direct incoming traffic
 as they see fit.  They are NOT restricted to UDP and TCP.
 
 NAT444 is a different kettle of fish.  There are lots of things
 that you do with a NAT44 that you can't do with a NAT444.
 
 If all you do is browse the web and read email then you won't see
 much of a difference.  If you do anything more complicated than
 making outgoing queries you will see the difference.
 
 You *might* see the difference.  You might not, too.
 
 And hey, just so we're clear here, I would *agree* that Internet access
 ought to mean an actual IP address with as little filtering, etc., as
 reasonable...  but we're exploring what happens at exhaustion here.  So
 I'm not interested in arguing this point; the fact of the matter is that
 we WILL hit exhaustion, and it's going to be a hell of an operational
 issue the day your subscribers cannot get an IP from the DHCP server
 because they're all allocated and in use.
 
The good news is that in IPv6, it probably will mean that again.


Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Smith
On Mon, 19 Apr 2010 19:57:04 -0700
Owen DeLong o...@delong.com wrote:

 
 On Apr 19, 2010, at 3:10 PM, Florian Weimer wrote:
 
  * Leo Bicknell:
  
  I know of no platform that does hardware NAT.  Rather, NAT is a CPU
  function.  While this is another interesting scaling issue, it means
  this data is not going in the FIB (hardware forwarding database),
  but rather is stored in a CPU accessible database.
  
  If you NAT all traffic, the NAT database needs the same level of
  efficiency as the FIB.
  
  You could probably even join the two (you should check that the
  corresponding RIB entry is still current, but that can probably be
  forced to be cheap).
 
 More likely, if you're going to do this (and I would not wish it on my
 worst competitors), you would want to push smaller NATs out towards
 the customer aggregation point where you can get away with cheaper
 commodity hardware that can later be repurposed. Yes, more boxes,
 but, much less expensive and keeps the router doing what routers do
 best rather than NATing everything on the router.
 

Pushing functions closer to the edge of the network usually makes
them easier to scale and more robust and resilient to failure.
There might be more chance of failure, but there is less consequence.

Specific to CGN/LSN, I think the best idea is that if we can't have
a 1 to 1 relationship between subscriber and global IPv4 address (in
the ISP network that is), the next best thing is to try to keep as
close to that as possible e.g. if you share a single IPv4 address
between two customers, you've halved your IPv4 addressing
requirements / doubled your growth opportunity, and allowed for e.g.
32K TCP or UDP ports for each of those customers. 

Regards,
Mark.



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Smith
On Tue, 20 Apr 2010 12:16:46 +
bmann...@vacation.karoshi.com wrote:

 On Tue, Apr 20, 2010 at 01:58:13PM +1000, Mark Andrews wrote:
  
   You are charmingly naive about how the law actually works in the USA -
   that is IMHO.
  
  Yes, things vary around the world.  You failed to state In the
  USA.  There is plenty of case law in Australia about companies
  attempting to arbitrarily change terms and conditions to the
  detriment of the consumer and being made to reverse the changes.
 
 
   this is the North American Network Operators Group.
   Not the Australian Network Operators Group.
 

So when did NA stop being the most litigious society on the planet?
I could see a class action suit over not getting proper "big I" Internet
access like you used to. You guys sue over hot coffee (of both
kinds)!

  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
 
 --bill
 



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Andrews

In message 201004201240.o3kcehl4074...@aurora.sol.net, Joe Greco writes:
  In message 201004200022.o3k0m2ba007...@aurora.sol.net, Joe Greco writes:
    That'd be easy if you were just starting up an ISP. What do you do with
    your existing customer base? If their current service includes a
    dynamic public IPv4 address, you can't gracefully take it away, without
    likely violating service T&Cs, government telco regulations etc. So
    you'll have to go through a formal process of getting agreement with
    customers to take them away.
   
   I haven't seen any such documents or regulations.
  
  People purchased the service on the understanding that they would
  get an Internet address.  An address behind a NAT is not an Internet
  address, it's a *shared* Internet address which is a very different
  thing.
 
 People purchase mobile Internet service and get placed behind 
 carrier NAT.  People get free Internet at hotels and are almost
 always behind a NAT.  The terminology war is lost.

But regardless of what it is called people usually know what they
signed up for and when what has worked for the 5-6 years suddenly
breaks ...

   Many/most people are _already_ behind a NAT gateway.
  
  They are behind NAT44 which they deployed themselves and control
  the configuration of themselves.  They can direct incoming traffic
  as they see fit.  They are NOT restricted to UDP and TCP.
  
  NAT444 is a different kettle of fish.  There are lots of things
  that you do with a NAT44 that you can't do with a NAT444.
  
  If all you do is browse the web and read email then you won't see
  much of a difference.  If you do anything more complicated than
  making outgoing queries you will see the difference.
 
 You *might* see the difference.  You might not, too.
 
 And hey, just so we're clear here, I would *agree* that Internet access
 ought to mean an actual IP address with as little filtering, etc., as
 reasonable...  but we're exploring what happens at exhaustion here.  So
 I'm not interested in arguing this point; the fact of the matter is that
 we WILL hit exhaustion, and it's going to be a hell of an operational
 issue the day your subscribers cannot get an IP from the DHCP server
 because they're all allocated and in use.

 I'm as offended as anyone by what is often passed off as Internet 
 access, but it's completely devoid of value to argue what you seem to
 be saying:  the fact that it is so _today_ does not mean that it /has/
 to be so _tomorrow._  All that's down that path is exhaustion with no
 solutions.  

Hopefully being on the Internet, for the home user, will mean you
have IPv6 connectivity and public address space handed out using
PD in 3-5 years time.  That Google, Yahoo etc. have turned on IPv6
to everyone.  DS-lite or some other distributed NAT44 technology
is being used for those machines that don't support IPv6 or to
reach content providers that have not yet enabled IPv6.

If the ISP decides to go with NAT444 then there will be control pages
that get you a real IPv4 address, the same as many hotels have today,
as there will be customers that need the functionality.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Jack Bates

Joe Greco wrote:


And what'll you do for your customers when you have no more IPv4
addresses?



IPv6, request IPv4 from my transit providers, buy a small ISP that has 
IPv4 address, consolidate my own IP addressing much tighter, butchering 
the clean allocations and routing table.


Quit selling new IPv4 services. I will NOT do NAT over a customer base, 
ever, ever, ever, ever again. Did that when we were small. The hardware 
upgrades required to even hope to do that would make it better to just 
quit accepting new customers.



Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Valdis . Kletnieks
On Tue, 20 Apr 2010 23:02:26 +0930, Mark Smith said:

 access like you used to. You guys sue over hot coffee (of both
 kinds)!

Well.. yeah. When it causes 3rd degree burns, you start thinking about suing.

http://www.lectlaw.com/files/cur78.htm

McDonalds also argued that consumers know coffee is hot and that its
customers want it that way.  The company admitted its customers were
unaware that they could suffer third-degree burns from the coffee

Read that and tell me if you *still* think it's a totally frivolous lawsuit.

(Hot water is *dangerous* - in many cases even more so than an open flame.
If you stick your hand/arm in a flame, you can *usually* pull it out before
your shirt sleeve catches fire, and you only take damage the time your arm is
actually in the flame.  You get a hot water spill on you, that sleeve
will hold the hot water against your skin, and the burn becomes a gift that
keeps on giving...)





Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Joe Maimon



Mark Smith wrote:

On Mon, 19 Apr 2010 19:57:04 -0700
Owen DeLong o...@delong.com  wrote:



Pushing functions as closer to the edge of the network usually makes
them easier to scale and more robust and resilient to failure.
There might be more chance of failure, but there is less consequence.

Specific to CGN/LSN, I think the best idea is that if we can't have
a 1 to 1 relationship between subscriber and global IPv4 address (in
the ISP network that is), the next best thing is to try to keep as
close to that as possible e.g. if you share a single IPv4 address
between two customers, you've halved your IPv4 addressing
requirements / doubled your growth opportunity, and allowed for e.g.
32K TCP or UDP ports for each of those customers.

Regards,
Mark.




But if you free up large swaths you might actually be generating 
additional revenue opportunity instead of only growth opportunity.
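Mark Smith's arithmetic above (share one IPv4 address between two subscribers and each gets roughly 32K TCP or UDP ports) generalizes to any sharing ratio. The following Python is an added example written for this archive, not code from the thread or from any CGN product: it carves the non-well-known port range of a shared address into equal per-subscriber blocks, reports how many concurrent sessions that leaves each subscriber, and answers the inverse question an operator's CGN logs need (which subscriber does a given external port belong to). Reserving ports 0-1023 and the equal-block scheme are assumptions of the example.

```python
"""Port-block sharing of one IPv4 address between several subscribers.

Constructed example.  Assumptions: ports 0-1023 on the shared address are
left unassigned, and the remaining range is divided into equal contiguous
blocks, one block per subscriber.
"""
from typing import List, Optional, Tuple

FIRST_USABLE_PORT = 1024   # assumption: leave the well-known range alone
MAX_PORT = 65535


def port_blocks(subscribers: int) -> List[Tuple[int, int]]:
    """Inclusive (low, high) port block for each subscriber sharing one address."""
    if subscribers < 1:
        raise ValueError("need at least one subscriber per address")
    usable = MAX_PORT - FIRST_USABLE_PORT + 1          # 64512 ports
    per_subscriber = usable // subscribers
    if per_subscriber < 1:
        raise ValueError("more subscribers than usable ports")
    return [
        (FIRST_USABLE_PORT + i * per_subscriber,
         FIRST_USABLE_PORT + (i + 1) * per_subscriber - 1)
        for i in range(subscribers)
    ]


def sessions_per_subscriber(subscribers: int) -> int:
    """Upper bound on concurrent TCP or UDP sessions one subscriber can hold
    through the shared address (one external port per session)."""
    low, high = port_blocks(subscribers)[0]
    return high - low + 1


def addresses_needed(customers: int, subscribers_per_address: int) -> int:
    """How many shared IPv4 addresses a customer base needs at a given ratio."""
    return -(-customers // subscribers_per_address)     # ceiling division


def subscriber_for_port(port: int, blocks: List[Tuple[int, int]]) -> Optional[int]:
    """Inverse lookup: which subscriber index owns this external port?
    Returns None for ports outside every block (e.g. the reserved range)."""
    for index, (low, high) in enumerate(blocks):
        if low <= port <= high:
            return index
    return None


if __name__ == "__main__":
    blocks = port_blocks(2)
    print("two subscribers per address:", blocks)
    print("sessions each:", sessions_per_subscriber(2))       # the ~32K figure
    print("10,000 customers at 2:1 need", addresses_needed(10_000, 2), "addresses")
    print("external port 40000 belongs to subscriber", subscriber_for_port(40000, blocks))
```

With two subscribers per address each gets 32256 ports once the well-known range is set aside, which is where the round "32K" comes from; at 64:1 each subscriber is down to 1008 concurrent sessions, which is the trade-off between address savings and per-customer headroom the thread is arguing about.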




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread bmanning
On Tue, Apr 20, 2010 at 10:45:02PM +1000, Mark Andrews wrote:
 
 In message 20100420121646.ge15...@vacation.karoshi.com.,
 bmann...@vacation.karoshi.com writes:
  On Tue, Apr 20, 2010 at 01:58:13PM +1000, Mark Andrews wrote:
   
You are charmingly naive about how the law actually works in the USA -
that is IMHO.
   
   Yes, things vary around the world.  You failed to state In the
   USA.  There is plenty of case law in Australia about companies
   attempting to arbitrarily change terms and conditions to the
   detriment of the consumer and being made to reverse the changes.
  
  
  this is the North American Network Operators Group.
  Not the Australian Network Operators Group.
 
 And last I heard NA != USA.  So have you decided to annex the rest of
 NA and bring it under US law.  :-)

nope - but we'll be glad to tell your PM that Australia is 
prepared to join the Union as the next five states and
enjoy all the benefits of our enlightened government and laws.

or would you prefer to be part of Canada?

--bill



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Jack Bates

John Levine wrote:

Other than the .01% of consumer customers who are mega multiplayer
game weenies, what's not going to work?  Actual experience as opposed
to hypothetical hand waving would be preferable.



.01%? heh. NAT can break xbox, ps3, certain pc games, screw with various 
programs that dislike multiple connections from a single IP, and the 
crap load of vpn clients that appear on the network and do not support 
nat traversal (either doesn't support it, or big corp A refuses to 
enable it).


When we were in our infancy, we had areas doing NAT. It was a support 
nightmare from hell, and in some cases, it just didn't work period. That 
doesn't even get into the load issues.


Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Owen DeLong

On Apr 20, 2010, at 7:53 AM, John Levine wrote:

 But regardless of what it is called people usually know what they
 signed up for and when what has worked for the 5-6 years suddenly
 breaks ...
 
 If a consumer ISP moved its customers from separate IPs to NAT, what
 do you think would break?  I'm the guy who was behind a double NAT for
 several months without realizing it, and I can report that the only
 symptom I noticed was incoming call flakiness on one of my VoIP
 phones, and even that was easy to fix by decreasing the registration
 interval.  The other VoIP phone worked fine in its default config.
 
Did you use Yahoo IM, AIM, or Skype?  Did you use any of those for
Video Chat and/or to transfer files?

Did you do any peer to peer filesharing?

Did you play any MMOs?

Did you run any services?

 Other than the .01% of consumer customers who are mega multiplayer
 game weenies, what's not going to work?  Actual experience as opposed
 to hypothetical hand waving would be preferable.
 
I hate to break it to you, but they are not 0.1%, they are more like 15%.

When you add in the other things that break which I have outlined above,
you start to approach 75%. I would argue that 75% is a significant and
meaningful fraction of an ISP's customer base.

 I'm not saying that NAT is wonderful, but my experience, in which day
 to day stuff all works fine, is utterly different from the doom and
 disaster routinely predicted here.
 
Perhaps your day to day is different from others.  Perhaps people here
generally think in terms of servicing all of their customers. Perhaps
in many cases if just 1% of our customers are on the phone with our
technical support department, we are losing money.

YMMV.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Roger Marquis

Owen DeLong wrote:

The hardware cost of supporting LSN is trivial. The management/maintenance
costs and the customer experience - dissatisfaction - support calls -
employee costs will not be so trivial.


Interesting opinion but not backed up by experience.

By contrast John Levine wrote:

My small telco-owned ISP NATs all of its DSL users, but you can get your
own IP on request. They have about 5000 users and I think they said I was
the eighth to ask for a private IP. I have to say that it took several
months to realize I was behind a NAT


I'd bet good money John's experience is a better predictor of what will
begin occurring when the supply of IPv4 addresses runs low.  Then as now
few consumers are likely to notice or care.

Interesting how the artificial roadblocks to NAT66 are both delaying the
transition to IPv6 and increasing the demand for NAT in both protocols.
Nicely illustrates the risk when customer demand (for NAT) is ignored.

That said the underlying issue is still about choice.  We (i.e., the
IETF) should be giving consumers the _option_ of NAT in IPv6 so they
aren't required to use it in IPv4.

IMO,
Roger Marquis



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Owen DeLong

On Apr 20, 2010, at 10:29 AM, Roger Marquis wrote:

 Owen DeLong wrote:
 The hardware cost of supporting LSN is trivial. The management/maintenance
 costs and the customer experience - dissatisfaction - support calls -
 employee costs will not be so trivial.
 
 Interesting opinion but not backed up by experience.
 
Since nobody has experience with LSN, that's a pretty easy statement to make.

However, given the tech. support costs of single-layer NAT and the number of
support calls I've seen from other less disruptive maintenance actions at
various providers where I have worked, I think that in terms of applicable
related experience available, yes, this is backed by experience.

 By contrast John Levine wrote:
 My small telco-owned ISP NATs all of its DSL users, but you can get your
 own IP on request. They have about 5000 users and I think they said I was
 the eighth to ask for a private IP. I have to say that it took several
 months to realize I was behind a NAT
 
 I'd bet good money John's experience is a better predictor of what will
 begin occurring when the supply of IPv4 addresses runs low.  Then as now
 few consumers are likely to notice or care.
 
ROFL... John has already made it clear that his usage profile is particularly
NAT friendly compared to the average user.

 Interesting how the artificial roadblocks to NAT66 are both delaying the
 transition to IPv6 and increasing the demand for NAT in both protocols.
 Nicely illustrates the risk when customer demand (for NAT) is ignored.
 
Uh, no.  Interesting how the wilful ignorance around NAT and IPv6
is both delaying IPv6 transition and being used as an excuse to make
things even worse for customers in the future.

 That said the underlying issue is still about choice.  We (i.e., the
 IETF) should be giving consumers the _option_ of NAT in IPv6 so they
 aren't required to use it in IPv4.
 
I guess that depends on whose choice you are interested in preserving.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Roger Marquis

Simon Perreault wrote:

http://tools.ietf.org/html/draft-ford-shared-addressing-issues


The Ford Draft is quite liberal in its statements regarding issues with
NAT.  Unfortunately, in the real-world, those examples are somewhat fewer
and farther between than the draft RFC would lead you to believe.

Considering how many end-users sit behind NAT firewalls and non-firewall
gateways at home, at work, and at public access points all day without
issue, this is a particularly good example of the IETF's ongoing issues
with design-by-committee, particularly committees short on security
engineering and long on special interest.  While LECs and ISPs may or may
not feel some pain from LSN, they're equally sure feel better after
crying all the way to the bank.

IMO,
Roger Marquis




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Jack Bates

Roger Marquis wrote:

Considering how many end-users sit behind NAT firewalls and non-firewall
gateways at home, at work, and at public access points all day without
issue, this is a particularly good example of the IETF's ongoing issues
with design-by-committee, particularly committees short on security
engineering and long on special interest.  While LECs and ISPs may or may
not feel some pain from LSN, they're equally sure feel better after
crying all the way to the bank.


Remove uPNP from those home user nat boxes and see how well the nat to 
nat connections work. Office firewalls often are heavily restrictive, 
use proxy layers to deal with connectivity issues and tend to have less 
typical types of traffic.


Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread joel jaeggli

On 4/20/2010 10:29 AM, Roger Marquis wrote:

Interesting how the artificial roadblocks to NAT66 are both delaying the
transition to IPv6 and increasing the demand for NAT in both protocols.
Nicely illustrates the risk when customer demand (for NAT) is ignored.


This is really tiresome. IPv4 NAT existed commercially long before there 
was any effort at standardizing it. If you have a commercial requirement 
for IPv6 NAT inform your vendors and help them build a business case. I 
worked at a firewall vendor for a couple of years, and in that time I 
worked on the business cases for both ipv6 NAT and NAT-PT ipv6 ipv4 nat 
protocol translation, NAT-PT even got so far as a prototype in that 
organization (IOS has NAT-PT btw). I can tell you what stalled me out on 
this in 2007-2009 was a lack of paying customers prioritizing the 
features, not an inability to understand the problem space.


What's commercially available in the space is going to be a product of 
demand, not a product of documents produced by the IETF. If there is 
consensus among vendors about how such a thing is implemented that 
manifests itself in IETF documents, so much the better.



That said the underlying issue is still about choice. We (i.e., the
IETF) should be giving consumers the _option_ of NAT in IPv6 so they
aren't required to use it in IPv4.


You're going to use it in v4 anyway. Choice in the marketplace is about 
what you're willing to pay for; vendors, at least the ones that I work 
with, don't turn on a dime and they have a lot of functionality gaps to 
close with ipv6, not just this one.



IMO,
Roger Marquis






Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Joe Abley

On 2010-04-20, at 14:59, joel jaeggli wrote:

 On 4/20/2010 10:29 AM, Roger Marquis wrote:
 Interesting how the artificial roadblocks to NAT66 are both delaying the
 transition to IPv6 and increasing the demand for NAT in both protocols.
 Nicely illustrates the risk when customer demand (for NAT) is ignored.
 
 This is really tiresome. IPv4 NAT existed commercially long before there was 
 any effort at standardizing it.

Another way of looking at that would be that IPv4 NAT existed commercially 
despite massive resistance to the idea of standardising it. I think it is fair 
to say that standardisation would have saved many developers from a certain 
amount of pain and suffering.

It'd be nice to think that with v6 the pressures that caused v4 NAT to be a 
good idea no longer exist. v6 is being deployed into a world where it's normal 
to assume residential users have more than one device, for example.

However, in enterprise/campus environments I think the pressure for NAT66 is 
not because there are technical problems that NAT66 would solve, but rather 
because there's a generation of common wisdom that says that NAT is how you 
build enterprise/campus networks. This is unfortunate. Hopefully I'm wrong.


Joe




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Owen DeLong

On Apr 20, 2010, at 11:56 AM, Jack Bates wrote:

 Roger Marquis wrote:
 Considering how many end-users sit behind NAT firewalls and non-firewall
 gateways at home, at work, and at public access points all day without
 issue, this is a particularly good example of the IETF's ongoing issues
 with design-by-committee, particularly committees short on security
 engineering and long on special interest.  While LECs and ISPs may or may
 not feel some pain from LSN, they're equally sure feel better after
 crying all the way to the bank.
 
 Remove uPNP from those home user nat boxes and see how well the nat to nat 
 connections work. Office firewalls often are heavily restrictive, use proxy 
 layers to deal with connectivity issues and tend to have less typical types 
 of traffic.
 
 Jack

uPNP will not likely be feasible on LSN. So, yes, you need to do your NAT
testing in preparation for LSN on the basis of what works without uPNP.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Roger Marquis

Jack Bates wrote:

.01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
programs that dislike multiple connections from a single IP, and the
crap load of vpn clients that appear on the network and do not support
nat traversal (either doesn't support it, or big corp A refuses to
enable it).


If this were really an issue I'd expect my nieces and nephews, all of whom
are big game players, would have mentioned it.  They haven't though,
despite being behind cheap NATing CPE from D-Link and Netgear.

Address conservation aside, the main selling point of NAT is its filtering
of inbound session requests.  NAT _always_ fails-closed by forcing inbound
connections to pass validation by stateful inspection.  Without this you'd
have to depend on less reliable (fail-open) mechanisms and streams could be
initiated from the Internet at large.  In theory you could enforce
fail-closed reliably without NAT, but the rules would have to be more
complex and complexity is the enemy of security.  Worse, if non-NATed CPE
didn't do adequate session validation, inspection, and tracking, as
low-end gear might be expected to cut corners on, end-user networks would
be more exposed to nefarious outside-initiated streams.

Arguments against NAT uniformly fail to give credit to these security
considerations, which is a large reason the market has not taken IPv6
seriously to-date.  Even in big business, CISOs are able to shoot-down
netops recommendations for 1:1 address mapping with ease (not that vocal
NAT opponents get jobs where internal security is a concern).

IMO,
Roger Marquis



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Chris Adams
Once upon a time, Roger Marquis marq...@roble.com said:
 Address conservation aside, the main selling point of NAT is its filtering
 of inbound session requests.  NAT _always_ fails-closed by forcing inbound
 connections to pass validation by stateful inspection.  Without this you'd
 have to depend on less reliable (fail-open) mechanisms and streams could be
 initiated from the Internet at large.  In theory you could enforce
 fail-closed reliably without NAT, but the rules would have to be more
 complex and complexity is the enemy of security.

NAT == stateful firewall + packet mangling.  You can do all the same
stateful firewall bits and drop the packet mangling quite easily (it is
certainly not more complex to not mangle packets).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Joe Abley

On 2010-04-20, at 15:31, Roger Marquis wrote:

 If this were really an issue I'd expect my nieces and nephews, all of whom
 are big game players, would have mentioned it.  They haven't though,
 despite being behind cheap NATing CPE from D-Link and Netgear.

I have heard it said before that there is significant cooperation and/or 
software engineering work between some or all of those who make residential 
gateways and those who make multi-player games to achieve this end result. The 
opinion I heard vocalised at the time was that it would have been a lot easier 
to reach this state of affairs if there had been standardisation of NAT in v4 
at an early stage. As it is, peer-to-peer apps like games require significant 
if-then-else to make anything work.

 Address conservation aside, the main selling point of NAT is its filtering of 
 inbound
 session requests.

If that was all that was required, you could sell a stateful firewall that 
didn't do NAT, and everybody would buy that instead because it would make 
things like iChat AV break less. Apparently there are other reasons to buy and 
sell devices that NAT (e.g. my ISP gives me one address, but the laptop and the 
Wii both want to use the internet).


Joe


Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Owen DeLong

On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:

 Jack Bates wrote:
 .01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
 programs that dislike multiple connections from a single IP, and the
 crap load of vpn clients that appear on the network and do not support
 nat traversal (either doesn't support it, or big corp A refuses to
 enable it).
 
 If this were really an issue I'd expect my nieces and nephews, all of whom
 are big game players, would have mentioned it.  They haven't though,
 despite being behind cheap NATing CPE from D-Link and Netgear.
 
 Address conservation aside, the main selling point of NAT is its filtering
 of inbound session requests.  NAT _always_ fails-closed by forcing inbound
 connections to pass validation by stateful inspection.  Without this you'd
 have to depend on less

Repeating the same falsehood does not make it any less false.

 reliable (fail-open) mechanisms and streams could be initiated from the
 Internet at large.  In theory you could enforce fail-closed reliably
 without NAT, but the rules

Stateful Inspection can be implemented fail-closed. I point to Juniper
ScreenOS and Services JunOS as examples of this.  Absent a specific permit
or specific configuration telling it to pass particular traffic inbound,
traffic must pass the same stateful inspection that NAT would require.
This is default behavior in those boxes.  The rules are not complex at all.

 would have to be more complex and complexity is the enemy of security.
 Worse, if non-NATed CPE didn't do adequate session validation, inspection,
 and tracking, as

Again, you simply are not correct here. I'm not sure what level of
implementation is available in low-end gear as it hasn't met my needs in a
long long time.  However, I will say that although an SRX-100 is not
especially low-end at 10x absolute low end pricing and 5x average home
gateway pricing, it is low-enough end that I know this can be done in
reasonable gear.

 low-end gear might be expected to cut corners on, end-user networks would
 be more exposed to nefarious outside-initiated streams.
 
Frankly, even with NAT, corner-cutting in those areas can lead to things
passing which you don't expect.

 Arguments against NAT uniformly fail to give credit to these security
 considerations,

Because they are false.  It's not that they fail to give credit to them.
It's that they know them to be false. It's like saying that discussions of
breathing gas fail to give credit to the respiratory effects of the trace
amounts of argon present in the atmosphere.

 which is a large reason the market has not taken IPv6 seriously to-date.
 Even in big business, CISOs are able to shoot-down netops recommendations
 for 1:1 address mapping with ease (not that vocal NAT opponents get jobs
 where internal security is a concern).
 
While I recognize that there is a group of people who religiously believe
that NAT has a security benefit, I don't think they represent a significant
fraction of the reasons IPv6 is not getting deployed. Frankly, many of them
have more IPv6 deployed than they realize and their NAT is not protecting
them from it at all. It may even be helping some of the nefarious traffic
that may be taking advantage of the current situation to remain safely
anonymized and invisible.


Owen
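Chris Adams' summary earlier in the thread (NAT == stateful firewall + packet mangling) and Owen's description above of a default-deny stateful firewall that passes inbound traffic only on an explicit permit can be shown with a small model. The following Python is an added illustration written for this archive, not code from any poster, from Juniper, or from any product; the gateway class, the RFC 5737 documentation addresses and the packets are all constructed for the example. One state table decides what is allowed back in; rewriting addresses is a separate, optional step that is switched on or off, and unsolicited inbound packets are dropped in both modes.

```python
"""Toy model of a stateful firewall with optional NAT (constructed example).

The state table records which sessions the inside opened; that table, not
address translation, is what drops unsolicited inbound traffic.  Addresses
come from the RFC 5737 documentation ranges and mean nothing real.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow(self) -> Flow:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def reverse(flow: Flow) -> Flow:
    """The 5-tuple a reply to this flow will carry."""
    proto, s_ip, s_port, d_ip, d_port = flow
    return (proto, d_ip, d_port, s_ip, s_port)


@dataclass
class StatefulGateway:
    translate: bool                      # False = plain stateful firewall, True = NAT
    public_ip: str = "203.0.113.1"       # outside address; only used when translate=True
    # Explicit inbound rules: (proto, outside dst port) -> (inside ip, inside port).
    # For the non-NAT firewall this is an ordinary "permit inbound" rule; for NAT
    # it doubles as the static mapping.  Absent a rule, inbound is denied.
    permits: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # Reply flow as seen from outside -> the inside flow that created it.
    state: Dict[Flow, Flow] = field(default_factory=dict)
    _next_port: int = 1024

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allowed, and it creates state for the reply."""
        if self.translate:
            ext = Packet(pkt.proto, self.public_ip, self._next_port, pkt.dst_ip, pkt.dst_port)
            self._next_port += 1         # the "packet mangling" half of NAT
        else:
            ext = pkt                    # no mangling: the packet leaves unchanged
        self.state[reverse(ext.flow())] = pkt.flow()
        return ext

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: accept only replies to known state or explicit permits."""
        inside = self.state.get(pkt.flow())
        if inside is not None:
            _, in_ip, in_port, _, _ = inside
            # In the firewall case in_ip/in_port already equal pkt.dst_*: a no-op rewrite.
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
        target = self.permits.get((pkt.proto, pkt.dst_port))
        if target is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[0], target[1])
        return None                      # default deny: unsolicited inbound is dropped


def demo(translate: bool) -> Dict[str, bool]:
    """Run the same packets through a firewall or a NAT and report what got through."""
    inside_host = "192.168.1.10" if translate else "203.0.113.10"
    gw = StatefulGateway(translate=translate, permits={("tcp", 22): (inside_host, 22)})
    # 1. Inside host opens a TCP session to a web server.
    ext = gw.outbound(Packet("tcp", inside_host, 51000, "198.51.100.5", 443))
    # 2. The server's reply, addressed to whatever the outside saw as the source.
    reply = gw.inbound(Packet("tcp", "198.51.100.5", 443, ext.src_ip, ext.src_port))
    # 3. Unsolicited SYN to an SMB port on the same outside address.
    unsolicited = gw.inbound(Packet("tcp", "198.51.100.9", 40000, ext.src_ip, 445))
    # 4. Unsolicited SSH, which an explicit rule allows.
    permitted = gw.inbound(Packet("tcp", "198.51.100.9", 40001, ext.src_ip, 22))
    return {
        "reply_delivered_to_inside_host": reply is not None and reply.dst_ip == inside_host,
        "unsolicited_dropped": unsolicited is None,
        "explicit_permit_passes": permitted is not None and permitted.dst_ip == inside_host,
        "packet_mangled_on_the_way_out": ext.src_ip != inside_host,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("NAT" if mode else "stateful firewall", demo(mode))
```

The only line that differs between the two modes is the address rewrite in `outbound`; the filtering decision in `inbound` is identical, which is the "you can drop the packet mangling quite easily" point. The `permits` table is the model of the explicit inbound rule Owen describes: without an entry, the inside host with a public address is exactly as unreachable from outside as the one behind NAT.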




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Owen DeLong

On Apr 20, 2010, at 12:55 PM, Joe Abley wrote:

 
 On 2010-04-20, at 15:31, Roger Marquis wrote:
 
  If this were really an issue I'd expect my nieces and nephews, all of whom
  are big game players, would have mentioned it.  They haven't though,
  despite being behind cheap NATing CPE from D-Link and Netgear.
 
 I have heard it said before that there is significant cooperation and/or 
 software engineering work between some or all of those who make residential 
 gateways and those who make multi-player games to achieve this end result. 
 The opinion I heard vocalised at the time was that it would have been a lot 
 easier to reach this state of affairs if there had been standardisation of 
 NAT in v4 at an early stage. As it is, peer-to-peer apps like games require 
 significant if-then-else to make anything work.
 
The fact that they work is usually due to uPNP or another inbound NAT-T 
solution.  All of these will be very unlikely to work in an LSN environment. 
None of them work in a multilayer NAT environment.

 Address conservation aside, the main selling point of NAT is its filtering 
 of inbound
 session requests.
 
 If that was all that was required, you could sell a stateful firewall that 
 didn't do NAT, and everybody would buy that instead because it would make 
 things like iChat AV break less. Apparently there are other reasons to buy 
 and sell devices that NAT (e.g. my ISP gives me one address, but the laptop 
 and the Wii both want to use the internet).
 
In IPv4, yes, there are other reasons.  (Address conservation).  In IPv6, it 
shouldn't be a problem to sell a stateful firewall that doesn't do NAT.

Owen




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Leen Besselink

On 04/20/2010 09:31 PM, Roger Marquis wrote:

Jack Bates wrote:

.01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
programs that dislike multiple connections from a single IP, and the
crap load of vpn clients that appear on the network and do not support
nat traversal (either doesn't support it, or big corp A refuses to
enable it).


If this were really an issue I'd expect my nieces and nephews, all of
whom are big game players, would have mentioned it.  They haven't though,
despite being behind cheap NATing CPE from D-Link and Netgear.

Address conservation aside, the main selling point of NAT is its
filtering of inbound session requests.  NAT _always_ fails-closed by
forcing inbound connections to pass validation by stateful inspection.
Without this you'd have to depend on less reliable (fail-open) mechanisms
and streams could be initiated from the Internet at large.  In theory you
could enforce fail-closed reliably without NAT, but the rules would have
to be more complex and complexity is the enemy of security.  Worse, if


As others have mentioned on the list, this is wrong. NAT is the one that 
makes things much more complicated in fact. And even NAT can be tricked.

But I do have a question:

Do you think TCP port 53 for DNS is only used for domain-name transfers?

non-NATed CPE didn't do adequate session validation, inspection, and
tracking, as low-end gear might be expected to cut corners on, end-user
networks would be more exposed to nefarious outside-initiated streams.

Arguments against NAT uniformly fail to give credit to these security
considerations, which is a large reason the market has not taken IPv6
seriously to-date.  Even in big business, CISOs are able to shoot-down
netops recommendations for 1:1 address mapping with ease (not that vocal
NAT opponents get jobs where internal security is a concern).

IMO,
Roger Marquis







Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Jack Bates

Roger Marquis wrote:
If this were really an issue I'd expect my nieces and nephews, all of
whom are big game players, would have mentioned it.  They haven't though,
despite being behind cheap NATing CPE from D-Link and Netgear.


Disable the uPNP (some routers lack it, and yes, it breaks and Microsoft 
will tell you to get uPNP capable NAT routers or get a new ISP).


uPNP at a larger scale? Would require some serious security and 
scalability analysis.


Arguments against NAT uniformly fail to give credit to these security 
considerations,


Your argument has nothing to do with this part of the thread and 
discussion of why implementing NAT at a larger scale is bad. I guess it 
might have something to do in other tangents of supporting NAT66.


Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Smith
On Tue, 20 Apr 2010 10:29:02 -0700 (PDT)
Roger Marquis marq...@roble.com wrote:

 Owen DeLong wrote:
  The hardware cost of supporting LSN is trivial. The management/maintenance
  costs and the customer experience - dissatisfaction - support calls -
  employee costs will not be so trivial.
 
 Interesting opinion but not backed up by experience.
 
 By contrast John Levine wrote:
  My small telco-owned ISP NATs all of its DSL users, but you can get your
  own IP on request. They have about 5000 users and I think they said I was
  the eighth to ask for a private IP. I have to say that it took several
  months to realize I was behind a NAT
 
 I'd bet good money John's experience is a better predictor of what will
 begin occurring when the supply of IPv4 addresses runs low.  Then as now
 few consumers are likely to notice or care.
 
 Interesting how the artificial roadblocks to NAT66 are both delaying the
 transition to IPv6 and increasing the demand for NAT in both protocols.
 Nicely illustrates the risk when customer demand (for NAT) is ignored.
 

Customers never asked for NAT. Ask the non-geek customer if they went
looking for an ISP plan or modem that supports NAT and they'll look at
you funny. Ask them if they want to share their Internet access between
multiple devices in their home, and they'll say yes.

 That said the underlying issue is still about choice.  We (i.e., the
 IETF) should be giving consumers the _option_ of NAT in IPv6 so they
 aren't required to use it in IPv4.
 
 IMO,
 Roger Marquis
 



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Simon Perreault
On 04/20/2010 04:51 PM, Jack Bates wrote:
 uPNP at a larger scale? Would require some serious security and
 scalability analysis.

This is the latest proposal. The Security Considerations section needs
some love...

http://tools.ietf.org/html/draft-wing-softwire-port-control-protocol

Simon
-- 
NAT64/DNS64 open-source -- http://ecdysis.viagenie.ca
STUN/TURN server-- http://numb.viagenie.ca
vCard 4.0   -- http://www.vcarddav.org



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Jack Bates

Simon Perreault wrote:

This is the latest proposal. The Security Considerations section needs
some love...

http://tools.ietf.org/html/draft-wing-softwire-port-control-protocol



Nice read. IF it ever makes it into all the necessary clients, then 
perhaps it might be a bit more feasible. That is a big if and very 
little time for adoption in a large number of devices to fix just one of 
the problems.


Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Newton

On 20/04/2010, at 1:28 PM, Mark Andrews wrote:

 Changing from a public IP address to a private IP address is a big
 change in the conditions of the contract.  People do select ISP's
 on the basis of whether they will get a public IP address or a
 private IP address.

Seems to me your objection is based on whether or not the customer
gets a public address vs a private address.

There's no need for NAT pools to be RFC1918.  Pretty sure everyone
is going to get a public address of some form... it just won't 
necessarily be globally unique to them.

As for jurisdictional issues:  This particular Australian ISP amended
its T&C document to give us the discretion of providing LSN addresses
about two years ago.  Will we need to?  Perhaps not.  But if we do, the
T&C's are already worked out.  Looking ahead in time and forecasting
future risks is one of the things businesses are supposed to do, right?

Regards,

   - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Smith
On Tue, 20 Apr 2010 12:59:32 -0700
Owen DeLong o...@delong.com wrote:

 
 On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
 
  Jack Bates wrote:
  .01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
  programs that dislike multiple connections from a single IP, and the
  crap load of vpn clients that appear on the network and do not support
  nat traversal (either doesn't support it, or big corp A refuses to
  enable it).
  
  If this were really an issue I'd expect my nieces and nephews, all of
  whom are big game players, would have mentioned it.  They haven't
  though, despite being behind cheap NATing CPE from D-Link and Netgear.
  
  Address conservation aside, the main selling point of NAT is its
  filtering of inbound session requests.  NAT _always_ fails-closed by
  forcing inbound connections to pass validation by stateful inspection.
  Without this you'd have to depend on less
 
 Repeating the same falsehood does not make it any less false.
 
  reliable (fail-open) mechanisms and streams could be initiated from the
  Internet at large.  In theory you could enforce fail-closed reliably
  without NAT, but the rules
 
 Stateful Inspection can be implemented fail-closed. I point to Juniper
 ScreenOS and Services JunOS as examples of this.  Absent a specific permit
 or specific configuration telling it to pass particular traffic inbound,
 traffic must pass the same stateful inspection that NAT would require.
 This is default behavior in those boxes.  The rules are not complex at all.
 

Frankly, when you hear people strongly using the argument stateful
firewalling == NAT, you start to wonder if they've ever seen a stateful
firewall using public addresses.

  would have to be more complex and complexity is the enemy of security.
  Worse, if non-NATed CPE didn't do adequate session validation, inspection,
  and tracking, as
 
 Again, you simply are not correct here. I'm not sure what level of
 implementation is available in low-end gear as it hasn't met my needs in a
 long long time.  However, I will say that although an SRX-100 is not
 especially low-end at 10x absolute low end pricing and 5x average home
 gateway pricing, it is low-enough end that I know this can be done in
 reasonable gear.
 
  low-end gear might be expected to cut corners on, end-user networks would
  be more exposed to nefarious outside-initiated streams.
  
 Frankly, even with NAT, corner-cutting in those areas can lead to things
 passing which you don't expect.
 
  Arguments against NAT uniformly fail to give credit to these security
  considerations,
 
 Because they are false.  It's not that they fail to give credit to them.
 It's that they know them to be false. It's like saying that discussions of
 breathing gas fail to give credit to the respiratory effects of the trace
 amounts of argon present in the atmosphere.
 
  which is a large reason the market has not taken IPv6 seriously to-date.
  Even in big business, CISOs are able to shoot-down netops recommendations
  for 1:1 address mapping with ease (not that vocal NAT opponents get jobs
  where internal security is a concern).
  
 While I recognize that there is a group of people who religiously believe
 that NAT has a security benefit, I don't think they represent a significant
 fraction of the reasons IPv6 is not getting deployed. Frankly, many of them
 have more IPv6 deployed than they realize and their NAT is not protecting
 them from it at all. It may even be helping some of the nefarious traffic
 that may be taking advantage of the current situation to remain safely
 anonymized and invisible.
 
 
 Owen
 
 



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Valdis . Kletnieks
On Tue, 20 Apr 2010 18:03:09 EDT, Simon Perreault said:
 This is the latest proposal. The Security Considerations section needs
 some love...

I may be the only one that finds that unintentionally hilarious.

In any case, to a first-order approximation, it doesn't even matter all that
much security wise.  I mean - let's be *honest* guys.  After XP SP2 got any
significant market penetration, pretty much everybody had a host-based firewall
that defaulted to default-deny, so the NAT-firewall was merely belt and
suspenders.

Pretty much all the attacks we've seen in the last few years have been things
like web drive-bys, trojaned torrents, and other stuff that sails right in
through open ports through the firewall (both host and standalone). And any
malware that's able to turn around and punch open a port on the host firewall
is just as easily able to go and use uPNP to send a Pants Down! command to
the standalone firewall.

(Yes, defense in depth is a Good Thing.  But that external firewall isn't
doing squat for your security if it actually accepts uPNP from inside.)


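Two points in the posts above lend themselves to a small working model: Owen's point that a stateful filter is fail-closed on its own, with no address translation involved, and Valdis's point that an external firewall which honours port-opening requests from the inside has given away that property. The code below is an added example, not code from the thread and not the behaviour of any vendor product the thread names (ScreenOS and JunOS are only described, not reproduced). It is a generic connection-tracking filter on globally unique IPv6 addresses; the addresses are constructed from the 2001:db8::/32 documentation prefix, and `StatefulFilter`, `Packet` and `request_port_mapping` are names assumed for the model.

```python
"""Model of a fail-closed stateful packet filter on globally unique addresses.

Added example (not code from the thread or any vendor). No address is ever
rewritten: an inbound packet is forwarded only if it is the reply to a flow
seen leaving, or if an explicit permit exists. A second policy knob models a
gateway that honours UPnP-style port-mapping requests from the inside.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample prefix for the "home" side (documentation space).
INSIDE = ip_network("2001:db8:1::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class StatefulFilter:
    """Edge filter: tracks flows by 5-tuple, default-deny for new inbound."""
    allow_inside_port_mapping: bool = False      # honour UPnP-style requests?
    permits: set = field(default_factory=set)    # explicit (dst, dport, proto)
    table: set = field(default_factory=set)      # 5-tuples of flows seen
    log: list = field(default_factory=list)

    @staticmethod
    def _inside(addr: str) -> bool:
        return ip_address(addr) in INSIDE

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def process(self, p: Packet) -> str:
        """Return 'FORWARD' or 'DROP' for one packet crossing the edge."""
        if self._inside(p.src) and not self._inside(p.dst):
            # Outbound: record state so replies match; addresses untouched.
            self.table.add(self._key(p))
            return "FORWARD"
        if self._reverse(p) in self.table:
            return "FORWARD"          # reply to a flow we saw leave
        if (p.dst, p.dport, p.proto) in self.permits:
            self.table.add(self._key(p))   # deliberately exposed service
            return "FORWARD"
        # Fail-closed: nothing matched, so unsolicited inbound is dropped.
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "DROP"

    def request_port_mapping(self, requester: str, dst: str, dport: int,
                             proto: str = "tcp") -> bool:
        """Inside host asks the gateway to open an inbound port (UPnP-style).

        Modelled as a control-plane request rather than a packet. A gateway
        that accepts these lets any inside process turn default-deny off.
        """
        if not self._inside(requester) or not self.allow_inside_port_mapping:
            self.log.append(f"REFUSED mapping {dst}:{dport} from {requester}")
            return False
        self.permits.add((dst, dport, proto))
        return True


def demo() -> dict:
    """Walk the model through the cases discussed in the thread."""
    home = "2001:db8:1::10"          # constructed inside host
    web = "2001:db8:ffff::80"        # constructed Internet host
    fw = StatefulFilter()
    r = {}
    r["outbound"] = fw.process(Packet(home, 50000, web, 443))
    r["reply"] = fw.process(Packet(web, 443, home, 50000))
    r["untranslated"] = (home, 50000, web, 443, "tcp") in fw.table
    r["unsolicited"] = fw.process(Packet(web, 40000, home, 445))
    fw.permits.add((home, 22, "tcp"))            # explicit, deliberate permit
    r["permitted"] = fw.process(Packet(web, 40001, home, 22))
    # Default gateway refuses inside-originated mapping requests...
    r["mapping_refused"] = fw.request_port_mapping(home, home, 445)
    r["still_closed"] = fw.process(Packet(web, 40002, home, 445))
    # ...while one that honours them opens the port with no admin involved.
    lax = StatefulFilter(allow_inside_port_mapping=True)
    r["mapping_honoured"] = lax.request_port_mapping(home, home, 445)
    r["now_open"] = lax.process(Packet(web, 40003, home, 445))
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

The filter never touches `src` or `dst`, which is the whole point: the default-deny property comes from the state table and the absence of a permit, not from whether the inside addresses are routable. The `lax` instance shows the other half of the argument: once the gateway accepts mapping requests from inside, any process on the inside host can add a permit, so the external box adds nothing over the host firewall.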


Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Roger Marquis

Jack Bates wrote:

Disable the uPNP (some routers lack it, and yes, it breaks and microsoft
will tell you to get uPNP capable NAT routers or get a new ISP).


Thing is, neither of these cheap CPE has UPNP enabled, which leads me to
question whether claims regarding large numbers of serverless multi-user
game users are accurate.

I disable UPNP as standard practice since it is cannot be enabled securely,
at least not on cheap CPE.


Your argument has nothing to do with this part of the thread and
discussion of why implementing NAT at a larger scale is bad. I guess it
might have something to do in other tangents of supporting NAT66.


I should have been clearer, apologies.  WRT LSN, there is no reason
individual users couldn't upgrade to a static IP for their insecurely
designed multi-user games, and no reason to suspect John Levine's ISP is
not representative with 0.16% of its users requesting upgrades.

Roger Marquis



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Andrews

In message 67d28817-d47b-468f-9212-186c60531...@internode.com.au, Mark Newton
 writes:
 
 On 20/04/2010, at 1:28 PM, Mark Andrews wrote:
 
  Changing from a public IP address to a private IP address is a big
  change in the conditions of the contract.  People do select ISP's
  on the basis of whether they will get a public IP address or a
  private IP address.
 
 Seems to me your objection is based on whether or not the customer
 gets a public address vs a private address.
 
 There's no need for NAT pools to be RFC1918.  Pretty sure everyone
 is going to get a public address of some form... it just won't
 necessarily be globally unique to them.

RFC1918 addresses are not the only source of private addresses.  If
you are giving out addresses behind a NAT then they are private addresses.
 
 As for jurisdictional issues:  This particular Australian ISP amended
 its TC document to give us the discretion of providing LSN addresses
 about two years ago.  Will we need to?  Perhaps not.  But if we do, the
 TC's are already worked out.  Looking ahead in time and forecasting
 future risks is one of the things businesses are supposed to do, right?

Which is a good thing to do.  If you are offering a (potentially)
degraded service then the customer needs to be informed before they
agree to the service.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Doug Barton
On 4/20/2010 2:59 PM, Mark Smith wrote:

 Customers never asked for NAT. Ask the non-geek customer if they went
 looking for a ISP plan or modem that supports NAT and they'll look at
 you funny. Ask them if they want to share their Internet access between
 multiple devices in their home,

without having to pay extra for the privilege

 and they'll say yes.

-- 

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover!http://SupersetSolutions.com/




Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Jack Bates

Roger Marquis wrote:

Thing is, neither of these cheap CPE has UPNP enabled, which leads me to
question whether claims regarding large numbers of serverless multi-user
game users are accurate.


I'd say it's a question for m$. I've seen it break, I've had to 
reprogram older cpe's that didn't have uPNP enabled to get customers 
working. I base my assertions on personal experience of managing a 
medium sized ISP.

I should have been clearer, apologies.  WRT LSN, there is no reason
individual users couldn't upgrade to a static IP for their insecurely
designed multi-user games, and no reason to suspect John Levine's ISP is
not representative with 0.16% of its users requesting upgrades.


It's not representative of my ISP, though my 30,000 consumers (we'll 
ignore more business accounts) may be too small to be indicative of 
larger networks.

Jack



Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Jack Bates

valdis.kletni...@vt.edu wrote:

(Yes, defense in depth is a Good Thing.  But that external firewall isn't
doing squat for your security if it actually accepts uPNP from inside.)


In this case we are referring to uPNP functionality at a LSN level. uPNP 
as it sits will not work at all, and security in this case refers not to 
the customer but to the ISP's router/server performing this service.



Jack


