--On Tuesday, June 17, 2003 19:33:24 -0700 Hallam-Baker, Phillip
[EMAIL PROTECTED] wrote:
On Tuesday, June 17, 2003, at 11:51 AM, Hallam-Baker, Phillip wrote:
The key in my view is to work on the NAT vendors, instead
of viewing
NAT
boxes as an obstacle they should be seen for what they
Hi,
I do not think this WG should be chartered.
On Tue, 17 Jun 2003, The IESG wrote:
1. Virtual Private LAN Service (VPLS)--L2 service that emulates LAN
across an IP and an MPLS-enabled IP network, allowing standard
Ethernet devices communicate with each other as if they
--On Tuesday, June 17, 2003 11:52:45 +0100 Tim Chown [EMAIL PROTECTED]
wrote:
Fair point. But a year ago we didn't have Abilene, GEANT or a large
number of European NRENs offering a native IPv6 service. Cisco and
Juniper's support has come on in leaps and bounds, and now we do see US
and
On Wednesday, Jun 18, 2003, at 04:33 Europe/Amsterdam, Hallam-Baker,
Phillip wrote:
I really wish that the IETF had designed a decent NAT box spec rather
than adopting the ostrich position.
http://www.ietf.org/html.charters/nat-charter.html
--On Tuesday, June 17, 2003 09:39:17 -0600 Vernon Schryver
[EMAIL PROTECTED] wrote:
I've not noticed any real opposition to at least open archiving of
moderation rejections. Is there anything that needs to be done to
make this an official recommendation, IESG policy, or whatever?
IETF mailing
Pekka,
why?
I can think of some possible reasons, not necessarily exclusive
- this is a bad idea/impossible to do well, so we shouldn't do it
- some other organization is already doing it, so we shouldn't
- we're too stupid to get it right, so we shouldn't do it
- the IETF is too large, so we
On Tue, 2003-06-17 at 07:52, [EMAIL PROTECTED] wrote:
I think the original idea was better - to only have web archive of those
posts that did not make it through to the main list...
The downside of this approach, though, is that one would lose the
context in which the discarded message was
*
* I can think of some possible reasons, not necessarily exclusive
*
* - this is a bad idea/impossible to do well, so we shouldn't do it
* - some other organization is already doing it, so we shouldn't
* - we're too stupid to get it right, so we shouldn't do it
* - the IETF is too
I really wish that the IETF
had designed a decent NAT box spec
that's an oxymoron. the basic premise of NAT is fundamentally broken.
Pekka,
On Wed, 18 Jun 2003, Harald Tveit Alvestrand wrote:
I can think of some possible reasons, not necessarily exclusive
- this is a bad idea/impossible to do well, so we shouldn't do it
Yes to both.
As a meaningless response, I could just say - it's a good idea. And it is
possible
Not at all.
If you want to address denial of service issues you need protocol
enforcement points.
The INTERnet is a bridging architecture between networks. Let's put aside the
dogma and build the infrastructure the users need.
-Original Message-
From: Keith Moore
Sent: Wed Jun 18
We're doing it.
That's an uh-oh comment. It's very common to hear people
say that the IETF doesn't know how to say no to new work.
I think the real problem is that many people bringing new
work to the IETF don't know how to accept being told no
and it leads to harass-a-thons of the IESG on the
The difference between denial of service and policy enforcement
is primarily a question of authorization. Since the people who
install NAT generally own the networks in question, characterizing
NAT as a DoS attack doesn't really seem right.
Well, yeah, but ... NAT is far too crude in its
Keith Moore [EMAIL PROTECTED] writes:
similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.
Really? You have evidence of this?
the evidence I have is from reading vendor advertisements for NAT boxes,
and from talking to
On 6/18/2003 1:18 PM, Melinda Shore wrote:
We're doing it.
...the real problem is that many people bringing new
work to the IETF don't know how to accept being told no
and it leads to harass-a-thons of the IESG on the one hand
and dubious work on the other.
:-) :-)
I agree.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- we must not overload routing protocols and such infrastructure
(IMHO,
this seems an inevitable path the work would go towards..)
If you use LDP, it is NOT a routing protocol. The specific mode of use
(targeted LDP) is already described in
On Wednesday, June 18, 2003, at 12:59 PM, Hallam-Baker, Phillip wrote:
Not at all.
If you want to address denial of service issues you need protocol
enforcement points.
This sounds like you are equating a NAT box with a firewall, which
seems to be common.
I would like to know:
- Is a NAT box
NAT is a denial of service attack, not a means of policy enforcement.
I wonder if NAT is to ietf discussions as Nazis was
to Usenet discussions.
That is, will every heated IETF debate eventually lead to
invoking the NAT bogyman?
And if that were to be true, would the corollary apply
that the
On Tuesday, June 17, 2003, at 12:17 PM, Bob Braden wrote:
* Create a document-based thread rather than a WG-based or
* mailing-list-based thread. Patches could also be posted and
revision
* history (changes between revisions) would be easier to keep track
of.
* People who have negative
Once you have
decided to have a firewall in place (which you may think is evil, but
I consider pretty much a necessary evil)
If by firewall, you mean a box that can perform policy enforcement
then I don't think that many people in the IETF would think that's an
evil thing. The problem is more
Eric Rescorla writes:
Keith Moore [EMAIL PROTECTED] writes:
similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.
Really? You have evidence of this?
I don't either, but my intuition is that you're wrong. Once you
Keith Moore [EMAIL PROTECTED] writes:
the evidence I have is from reading vendor advertisements for NAT
boxes, and from talking to people who run networks that use NAT.
it's not a random sample, perhaps not a statistically significant
one, but it's been enough to convince me
On Monday, June 16, 2003, at 11:05 PM, John C Klensin wrote:
small enterprise and SOHO multihoming may turn out to be one of the
driving applications for IPv6. If we get our act sufficiently
together...
Absolutely. This and the peer2peer advantages sound to me like the most
obvious drivers
The IETF does continue to have an emphasis on connectionless,
packet-oriented delivery. That's our fundamental architecture, without
question. In the meantime there are customers who want to transition to
c, p-o d but need mechanisms for doing so.
Personally I'd find this proposal more
of course. but you can perhaps understand why I don't consider your
intiution to the contrary convincing either?
Yes, but I'm not the one calling widely sold and deployed network
devices Denial of service attacks.
Just for comparison against Phil's use of the term. It's not how I
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are ones that IT
managers would want to screen off anyway.
Not really. For example, ftp as originally defined
I think it would be more accurate to say that a NAT contravenes
the basic Internet principle of universal connectivity.
well, if we're going to try to get accurate (or even precise) I'd
venture that the basic principle being contravened is not universal
connectivity, but separation of function
on 6/18/2003 1:31 PM Eric Rescorla wrote:
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that most
of the applications inconvenienced by NAT are ones that IT managers
would want to screen off anyway.
Oracle
When customers of retail Internet service start demanding a NAT
standard, then that's when the IETF might want to think about
documenting the standard that the market seems to want.
here's the only thing that a NAT standard should say:
an intermediary MUST NOT alter the source or
If you use LDP, it is NOT a routing protocol. The specific mode of use
(targeted LDP) is already described in RFC 3036. The FECs are
different, but
the FEC TLV was defined in such a way as to be extensible.
And when you want to do this inter-domain? Everything else seems to
have
Paul,
At 10:15 AM +0200 6/18/03, Harald Tveit Alvestrand wrote:
I can think of some possible reasons, not necessarily exclusive
- this is a bad idea/impossible to do well, so we shouldn't do it
- some other organization is already doing it, so we shouldn't
- we're too stupid to get it
Melinda,
As a process kind of thing, I'm also concerned about the
growth of the temporary sub-IP area, so I think there are
issues here with both the work itself and in how the IETF
goes about taking on and structuring its work.
And proposals have been made to dismantle the SUBIP area and
On Wednesday, Jun 18, 2003, at 21:17 Europe/Amsterdam, Bob Braden wrote:
Since 1980 we have believed that universal connectivity was one of the
great achievements of the Internet design. Today, one must
unfortunately question whether universal connectivity can be sustained
(or is even the right
Bob Braden writes:
Since 1980 we have believed that universal connectivity was one of the
great achievements of the Internet design. Today, one must
unfortunately question whether universal connectivity can be sustained
(or is even the right goal) in a networking environment without
Did anyone decide there was an error here, or is this draft really in IETF last
call?
Thanks
Adrian
- Original Message -
From: Adrian Farrel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, June 13, 2003 5:23 PM
Subject: Re: Last Call: LDP DoD
From: Keith Moore [EMAIL PROTECTED]
that's an oxymoron. the basic premise of NAT is fundamentally broken.
Just out of interest, do you complain about gravity too?
We lost our chance to avoid NAT's when variable length addresses were removed
from TCPv2.5 (IIRC the version number
NAT is a denial of service attack, not a means of policy
enforcement.
I wonder if NAT is to ietf discussions as Nazis was
to Usenet discussions.
That is, will every heated IETF debate eventually lead to
invoking the NAT bogyman?
The national socialist party is (hopefully) a thing of
That is how we got here. Ignore it, hope it will go away.
What I am suggesting is that there is no reason nat had to result in being
on the interNOT rather than the internet.
Further folk are going to buy these and put them at the border of their home
networks.
Trying to secure end point
The IAB has talked about NAT. A WG has produced a bunch of
RFCs about NAT. NAT is very widely deployed and comes in
10 different flavors. NAT has a bunch of architectural
ugliness and technical problems. So?
How about some lemonade? An Internet draft that says
something new about NATs
Eric Rescorla [mailto:[EMAIL PROTECTED] wrote:
similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.
Really? You have evidence of this?
I don't either, but my intuition is that you're wrong. Once you have
decided to have a
First of all, for the purists: I apologize for this simplified explanation
of what firewalls are. I guess we could start a very long thread about
firewalls and NATs, but the idea is to give a (somewhat) short answer (maybe
over-simplified) to some short questions asked by Simon Woodside (see
What I am suggesting is that there is no reason nat had to result in
being on the interNOT rather than the internet.
you're simply wrong about that, at least for anything resembling today's
NATs. except for a shortage of IPv4 addresses, NATs would not be
needed at all. (yes, they're sold
The IAB has talked about NAT. A WG has produced a bunch of
RFCs about NAT.
the WG ended up being full of NAT vendors trying to legitimize NAT
(and grossly exceeding the bounds of their charter in the process)
How about some lemonade? An Internet draft that says
something new about NATs
Iljitsch van Beijnum writes:
On Wednesday, Jun 18, 2003, at 21:17 Europe/Amsterdam, Bob Braden wrote:
Since 1980 we have believed that universal connectivity was one of the
great achievements of the Internet design. Today, one must
unfortunately question whether universal
Keith Moore [EMAIL PROTECTED] writes:
I don't know enough about how you're doing your distributing computing
to have an opinion, but as for the other two... In my experience,
IT managers are pretty unhappy punching holes in their firewalls
for incoming SIP and IPsec, whether they run NAT
We lost our chance to avoid NAT's when variable length addresses were
removed from TCPv2.5 (IIRC the version number correctly).
or maybe when IAB was shot down after Kobe :)
NAT's are here, like it or not, and the only question is how to make
lemonade out of them.
see my other comment
Melinda Shore [EMAIL PROTECTED] writes:
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are ones that IT
managers would want to screen off anyway.
Not
In my experience, IT managers are generally pretty unhappy changing
anything to support their users. People who actually use the
computers or the network are regarded as a nuisance.
Exactly. So, why do you think it's NATs that are the cause of users
not getting the things they want, as opposed
Keith Moore [EMAIL PROTECTED] writes:
In my experience, IT managers are generally pretty unhappy changing
anything to support their users. People who actually use the
computers or the network are regarded as a nuisance.
Exactly. So, why do you think it's NATs that are the cause of users
At 1:31 PM -0700 6/18/03, Vach Kompella wrote:
- the IETF's track record for this work so far is quite poor
That's not a problem of the ppvpn group only. It is a problem of the IETF.
Generally agree.
I don't need to refresh your memory about IPSec, do I? SKIP, Skeme, Oakley,
IKE. AH or ESP
One of the things I've always found endearing about IETFers is their
utter confidence that whenever the world disagrees with them about the
value of some technical approach, it must be because everyone else in
the world is stupid.
hey, not everyone else is an IT manager :)
investing in nat
[EMAIL PROTECTED] (Michael Thomas) writes:
Voice challenges this assumption to a very large
degree. In fact, I not only want access to 99.99%
of the other nodes on the net willing to speak RTP ...
actually i think you probably don't, or rather, won't.
telemarketing by robot is illegal in
From: Paul Hoffman / IMC [EMAIL PROTECTED]
...
Why do you think that the re-chartered WG will have any more luck
with these than the current one? There are a zillion hardware vendors
and service providers who have reasons to want the dozens of
documents that are in the current WGs, and
Thus spake Iljitsch van Beijnum [EMAIL PROTECTED]
For any particular application and group of users, and in order to
switch over seamlessly, it is necessary that all servers become dual
stack, then clients can switch (without the need to run dual stack) and
after that the servers can drop
Just because I *have* a NAT box to use at home doesn't mean I *like* NAT.
I expect to find deployment of IPv6 at home challenging, in part because I've
already spent my 'five-year-plan' funds on networks for home.
It's the same road-trap digital TV is caught in: people do not rush out and buy
Adrian, folks-
I opened a ticket with the secretariat about this error a couple
of days ago:
[iesg-secretary #8150] Wrong Document Action: draft-ietf-mpls-ldp-dod-restart-00.txt
I will ping them again.
--
Alex
http://www.psg.com/~zinin/
Wednesday, June 18, 2003, 11:56:51 AM, Adrian
On Wed, Jun 18, 2003 03:31:56PM -0400, Melinda Shore allegedly wrote:
The IETF does continue to have an emphasis on connectionless,
packet-oriented delivery. That's our fundamental architecture,
without question. In the meantime there are customers who want to
transition to c, p-o d but
on 6/18/2003 5:37 PM Keith Moore wrote:
you're simply wrong about that, at least for anything resembling
today's NATs. except for a shortage of IPv4 addresses, NATs would not
be needed at all.
...and a routing grid that could handle a squared table size. No use in
opening allocations to
At 12:07 AM 6/19/2003 +, Paul Vixie wrote:
[EMAIL PROTECTED] (Michael Thomas) writes:
Voice challenges this assumption to a very large
degree. In fact, I not only want access to 99.99%
of the other nodes on the net willing to speak RTP ...
actually i think you probably don't, or rather,
Paul,
At 1:31 PM -0700 6/18/03, Vach Kompella wrote:
I'm not sure how to argue with the statement the IETF has done a
horrible job with a similar working group, so we want our working
group in the IETF.
Well, how about, we can't agree on IPv6 numbering schemes, so let's find another
sorry
Which BTW come July 1 becomes illegal in the US with the implementation of
the Federal Trade Commission Do Not Call list.
which country's federal do you mean?
http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html
oh, that one. i guess that means the function will have to move offshore.
From: Paul Vixie [EMAIL PROTECTED]
...
http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html
oh, that one. i guess that means the function will have to move offshore.
THAT'll sure teach those spammers a lesson.
The U.S. FCC wielded the TCPA with reasonable effect against the
People need to understand that the purpose of the Pseudowire stuff (PWE3) is
to enable service providers to offer existing services over IP networks, so
that they can convert their backbones to IP without first requiring that all
their customers change their access equipment. Producing the
Eric,
I agree with most of your post but there is something that you have not
grasped IMHO.
It is true that dissimulating the private (RFC1918?) address does not
achieve much in terms of security: in order to access:
http://arneill-py.sacramento.ca.us/ipv6mh/ you do not need to know nor
care
At 6:43 PM -0700 6/18/03, Vach Kompella wrote:
I'm not sure how to argue with the statement the IETF has done a
horrible job with a similar working group, so we want our working
group in the IETF.
Well, how about, we can't agree on IPv6 numbering schemes, so let's
find another
standards org
On Wed, 18 Jun 2003 16:06:08 PDT, Eric Rescorla said:
Melinda Shore [EMAIL PROTECTED] writes:
Not really. For example, ftp as originally defined doesn't
work through NATs, and no standard VoIP or multimedia
conferencing protocol works through NAT.
None of these things worked real well
[EMAIL PROTECTED] writes:
On Wed, 18 Jun 2003 16:06:08 PDT, Eric Rescorla said:
Melinda Shore [EMAIL PROTECTED] writes:
Not really. For example, ftp as originally defined doesn't
work through NATs, and no standard VoIP or multimedia
conferencing protocol works through NAT.
None
On Wednesday, June 18, 2003, at 03:39 PM, Keith Moore wrote:
I think it would be more accurate to say that a NAT contravenes
the basic Internet principle of universal connectivity.
expecting the network
to isolate insecure hosts from untrustworthy attackers, or more
generally, to enforce policy
On Wednesday, June 18, 2003, at 06:28 PM, Tomson Eric ((Yahoo.fr))
wrote:
Now, the fact that masking the internal addresses to the external
world - so that internal hosts can initiate traffic to the outside,
but no
external host can initiate traffic to the inside - brings some basic
security,
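The following is an added illustration, not text or code from any message on this page. It is a toy port-translating NAT in Python that makes two points raised in the thread concrete: the "basic security" of a NAT (an inbound packet with no mapping is simply dropped, since nobody inside asked for it), and why FTP as originally defined does not work through one (active-mode FTP puts the client's own address inside the PORT command payload, and a NAT that rewrites only headers leaves a private address there for the server to dial). The ftp_alg function is a sketch of the payload-rewriting "application layer gateway" a NAT box would have to grow to paper over that; the addresses (10.0.0.5 inside, 198.51.100.1 as the NAT's public side, 203.0.113.10 as the FTP server) and port numbers are chosen for the example.

```python
"""Toy NAPT (port-translating NAT) plus FTP PORT handling.

Added example, not part of the mailing-list thread. Inside addresses are
RFC 1918; the "public" addresses are RFC 5737 documentation ranges, chosen
here only so the example runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class NAPT:
    """Rewrites IP/TCP headers only; it never looks at the payload."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # public port -> (inside ip, port)

    def bind(self, inside_ip: str, inside_port: int) -> int:
        """Allocate (or reuse) a public port for an inside endpoint."""
        key = (inside_ip, inside_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return self.out_map[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: the outbound packet creates the state."""
        pub = self.bind(pkt.src, pkt.sport)
        return Packet(self.public_ip, pub, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: no mapping means no one inside asked, so drop (None)."""
        key = self.in_map.get(pkt.dport)
        if pkt.dst != self.public_ip or key is None:
            return None
        ip, port = key
        return Packet(pkt.src, pkt.sport, ip, port, pkt.payload)


# RFC 959 PORT h1,h2,h3,h4,p1,p2 : the client's address and port in ASCII.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_port(ip: str, port: int) -> bytes:
    return b"PORT " + ip.replace(".", ",").encode() + b",%d,%d\r\n" % (port >> 8, port & 0xFF)


def parse_port(payload: bytes) -> Tuple[str, int]:
    m = PORT_RE.match(payload)
    if not m:
        raise ValueError("not a PORT command")
    h = [int(x) for x in m.groups()]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def server_can_connect_back(payload: bytes) -> bool:
    """Server side of active FTP: it dials whatever PORT said. RFC 1918 space is unroutable."""
    ip, _ = parse_port(payload)
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def ftp_alg(nat: NAPT, pkt: Packet) -> Packet:
    """What a NAT would have to add to make active FTP work: read the payload,
    pre-open a mapping for the announced data port, and rewrite the PORT line to
    the public address/port. The rewritten line is usually a different length, so a
    real ALG must also fix up TCP sequence numbers; that part is omitted here."""
    hdr = nat.outbound(pkt)
    if pkt.dport == 21 and PORT_RE.match(pkt.payload):
        ip, port = parse_port(pkt.payload)
        pub_port = nat.bind(ip, port)
        return Packet(hdr.src, hdr.sport, hdr.dst, hdr.dport, encode_port(nat.public_ip, pub_port))
    return hdr
```

Run through: an outbound SYN from 10.0.0.5 gets a public port, the server's reply to that port is mapped back, an unsolicited packet to any other port is dropped. A plain NAT passes the PORT command with "10,0,0,5" still in it, so the server's data connection goes to an RFC 1918 address and fails; ftp_alg produces a PORT line naming the NAT's public address and a port it has pre-mapped, and only then does the server's inbound data connection land on the client.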
I wonder if NAT is to ietf discussions as Nazis was
to Usenet discussions.
You mean NATzis?
simon
^_^
--
www.simonwoodside.com -- 99% Devil, 1% Angel
On Wed, 18 Jun 2003 21:30:35 PDT, Eric Rescorla said:
This seems to me like a false dichotomy. If I were deploying a NAT
(which I didn't) there would be certain things I would care about
and others I didn't. If I'm already firewalling off these services,
why should I care if NAT blocks them?
Hi Bob;-)... And all;-)...
At 12:17 -0700 6/18/03, Bob Braden wrote:
* Keith wrote:
* If you want to address denial of service issues you need protocol
* enforcement points.
*
* NAT is a denial of service attack, not a means of policy enforcement.
*
*
*
Keith,
I think it
On Wed, 18 Jun 2003 21:55:34 PDT, Michel Py said:
I'm sorry but it is nothing near being that simple. Although if it does
not work through a firewall, it MAYBE because the firewall does block a
class of traffic (more likely because someone forgot to punch the right
hole), there are _plenty_