Stewart Stremler wrote:
> Bad protocols. They should be fixed. Easier to change protocols than
> infrastructure. (It's not like the concept of _ports_ was new, or proven
> useless. Sheesh.)
Yes, NAT is a bad protocol. I agree; it should be fixed. ;}
There is *NO* way to traverse symmetric NATs reliably. *NONE*
Fortunately, many NATs are now doing cone-type translation, which can be
traversed reliably.
Too many people are equating NAT with "firewall" since it stops the
majority of low-hanging port scan exploits.
> Obviously, the easy solution is to build NAT boxes that can be plumbed
> with multiple IPs, and then allow "forwarding" on a per-IP as well as a
> per-port basis. (Presumably a Soekris box could do this easily.) Once
> this is "common functionality", the desktop NAT boxen can do this as well.
No, it's not. Asking the user to do *anything* is an invitation to
security disaster.
> Of course, you're then up against the "not enough IPs" problem, so
> nothing's really been accomplished. So blaming NAT is just a red
> herring... the REAL whining is about how nobody wants to do IPv6.
> Aside from the IPv6 geeks. :)
The Asian countries seem to be doing IPv6 just fine, TYVM.
Only in the US does there seem to be strong resistance to IPv6. And it
isn't really at the backbone level, it's at the end provider level.
> (I can see an IPv6 world using a unique IP for every service, and every
> ethernet device being plumbed with all those IPs... and ports would then
> be ignored (probably assumed to be '80'). And this touted as a Good
> Thing. I'd want to be convinced of this *before* I do anything to make
> this sort of madness fait accompli.)
The big advantage to IPv6 is not in its basic IP-ness. It is in things
like useful broadcast (used for autodiscovery in protocol), quality of
service (this is useful *despite* the misuse by end providers), IP
address mobility, encryption/authentication directly in the protocol, etc.
Unfortunately, this also makes IPv6 quite a bit more complicated. And
lots of people do not want to see it rolled out until this stuff is
right since it is likely to be the *only* protocol change for another 30
years+.
-a
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
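A worked illustration of the two points made in the reply above (symmetric NATs defeat hole punching where cone NATs do not, and a cone NAT is not a firewall). This is an added example written for this page, not code from either poster. It is a toy model: the NAT kinds, the STUN-like reflector address, the RFC 5737 public addresses and the private host addresses are all constructed, and real NATs add timeouts, port prediction and mapping refresh that are not modelled.

```python
"""Toy model of NAT mapping and filtering behaviour, to show why UDP hole
punching works through cone NATs but not through symmetric ones.
Constructed example: every address and port range below is made up."""
import itertools

CONE, RESTRICTED, SYMMETRIC = "full-cone", "port-restricted", "symmetric"

# Constructed: a STUN-like reflector that tells a host which public endpoint it was seen from.
STUN = ("198.51.100.1", 3478)


class ToyNat:
    def __init__(self, kind, public_ip, first_port=40000):
        self.kind = kind
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.mappings = {}       # mapping key -> public port
        self.contacted = set()   # (public port, remote endpoint) pairs we have sent to

    def _key(self, internal, remote):
        # A symmetric NAT allocates a new public port per (inside socket, destination);
        # cone NATs reuse one public port for an inside socket whatever the destination.
        return (internal, remote) if self.kind == SYMMETRIC else internal

    def send(self, internal, remote):
        """Translate an outbound datagram; return the public endpoint it leaves from."""
        key = self._key(internal, remote)
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        port = self.mappings[key]
        self.contacted.add((port, remote))
        return (self.public_ip, port)

    def receive(self, public_port, src):
        """Return the inside endpoint an inbound datagram is delivered to, or None if dropped.
        Full cone: any source may use a mapped port. Port-restricted and symmetric:
        only a source this port has already been used to send to."""
        for key, port in self.mappings.items():
            if port != public_port:
                continue
            internal = key[0] if self.kind == SYMMETRIC else key
            if self.kind == CONE or (port, src) in self.contacted:
                return internal
        return None


def hole_punch(nat_a, a, nat_b, b):
    """Classic UDP hole punching between peer a behind nat_a and peer b behind nat_b.
    Returns True if, at the end, each side has a deliverable path to the other."""
    # 1. Each peer learns the public endpoint its NAT uses towards the reflector.
    pub_a = nat_a.send(a, STUN)
    pub_b = nat_b.send(b, STUN)
    # 2. The endpoints are swapped over a rendezvous channel (not modelled); each peer
    #    fires a datagram at the other's advertised endpoint, which also opens its own NAT.
    used_a = nat_a.send(a, pub_b)
    used_b = nat_b.send(b, pub_a)
    a_reaches_b = nat_b.receive(pub_b[1], used_a) == b
    b_reaches_a = nat_a.receive(pub_a[1], used_b) == a
    # 3. A peer that did receive a punch datagram replies to the source port it actually
    #    saw; this rescues the symmetric-vs-full-cone pairing but nothing worse.
    if a_reaches_b and not b_reaches_a:
        used_b = nat_b.send(b, used_a)
        b_reaches_a = nat_a.receive(used_a[1], used_b) == a
    elif b_reaches_a and not a_reaches_b:
        used_a = nat_a.send(a, used_b)
        a_reaches_b = nat_b.receive(used_b[1], used_a) == b
    return a_reaches_b and b_reaches_a


def scenario(kind_a, kind_b):
    """Fresh NATs and inside hosts for one pairing (constructed addresses)."""
    nat_a = ToyNat(kind_a, "203.0.113.10")
    nat_b = ToyNat(kind_b, "203.0.113.20")
    return hole_punch(nat_a, ("10.0.0.5", 5000), nat_b, ("192.168.1.7", 6000))


def exposed_to_scanner(kind):
    """After one outbound datagram, can an arbitrary outside host reach the inside socket?
    This is the 'NAT is not a firewall' point: a full-cone mapping is world-reachable."""
    nat = ToyNat(kind, "203.0.113.30")
    inside = ("10.0.0.9", 7000)
    pub = nat.send(inside, STUN)
    scanner = ("192.0.2.66", 31337)   # constructed attacker address
    return nat.receive(pub[1], scanner) == inside


if __name__ == "__main__":
    for pair in [(CONE, CONE), (RESTRICTED, RESTRICTED), (SYMMETRIC, CONE),
                 (SYMMETRIC, RESTRICTED), (SYMMETRIC, SYMMETRIC)]:
        print(f"{pair[0]:16}<-> {pair[1]:16} hole punch {'ok' if scenario(*pair) else 'FAILS'}")
    for kind in (CONE, RESTRICTED, SYMMETRIC):
        print(f"{kind:16} reachable by a port scanner after one outbound: {exposed_to_scanner(kind)}")
```

Running it shows cone-to-cone and restricted-to-restricted punching succeed, symmetric against full-cone succeeds only because the cone side replies to the port it actually observed, and symmetric against port-restricted or symmetric fails because the STUN-observed port is never the port the NAT uses toward the peer. The scanner check is the reason "NAT stops port scans" is only true of the filtering kinds: a full-cone mapping created by any outbound packet is reachable from every address on the Internet.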