> The UPNP "Internet Gateway Device" working group and the MIDCOM WG effort
> started at about the same time, but the UPNP specification was published
> about 2 years ago, while MIDCOM is not quite finished yet. Looks like an
> interesting case study for the "problem statement" working group...
> > It would be interesting to see how much of the IETF's resources are
> > used up by NAT issues.
>
> Probably not as much as needed, actually.
any amount is too much IMHO.
Jonathan,
> Jonathan Hogg wrote:
> Aren't Microsoft already "standardizing" this with their Universal
> Plug and Play (UPnP) architecture?
> I'm a little fuzzy on the details, but I believe the concept is
> that applications that understand this can communicate with the
> router (the NAPT box in
> I agree that NAPT is here for a long time and it would be better to
> work towards controlling it.
in other words, we should keep beating our heads against the wall trying
to solve insurmountable problems.
trying to make NATs work is the modern task of Sisyphus.
> Here, again, is the nub of what we have to deal with:
>
> >> The notion of a system with a single, globally unique namespace at the
> >> lowest level is a really nice one, one we had for a while - and *one
> >> we think we can reclaim*. I now think we've been deluding ourselves;
On 23/6/03 13:27, J. Noel Chiappa wrote:
> The big problem is incoming connections - how do you set up the mappings they
> will need? Wiretapping DNS is ugly, but it doesn't require changing anything
> (for existing applications). On the other hand, if you only want to support
> incoming connectio
> OK, so I'm wrong - and you have nothing to say against NAT if we are only
> proposing to use IPv4+NAT, and have no intention of adding NAT to IPv6?
I'm certainly not going to pretend that NAT doesn't have problems - and when
people argue that NAT is mostly harmless, I'm likely to try to counter
> > the reason I point out the flaws with NAT is not that I think we can
> > get rid of them in v4. it's because some people are still of the
> > belief that NATs are mostly harmless and that we should not only
> > permit them into v6, but extend our architecture to embrace them.
>
> That means that i) NAT+v4 is here to stay, permanently, as the
> packet-forwarding substrate on which we have to live, and ii) many
> "solutions" to the "NAT problem" have a badly faulty key premise -
> which is that the solution will fix IPv4's problems by replacing it.
almost agree. NAT is he
> Since the issue is stable end-points, could something like this be a patch
> for v4 NATs?
since you have to change NATs, apps, and DNS to make this work, you might as
well just use IPv6 - and the changes for v6 are already in the pipeline.
The question: smart terminal or smart network?
I believe in smart terminal. Nothing there suggests you should not run
your firewall or any other filtering software on your end-terminal.
End-machines are vulnerable? Then fix the end-machine. It isn't rocket
science.
-James Seng
Eric Rescorla wr
> (1) There are some set of problems that users have or
> believe they have.
>
> (2) NAT solves at least some of those problems, at some
> cost (say Cn), both financial and operational and
> that solution has benefit Bn.
>
> (3) The fact that a large number of people have chosen
>
Eric Rescorla wrote:
(2) NAT solves at least some of those problems, at some
cost (say Cn), both financial and operational and
that solution has benefit Bn.
(5) It's also possible that at some time in the future
Cn will exceed Bn, in which case I would expect people
to stop using NAT a
> > so it's not like I haven't actually been working on solving the
> > problem.
>
> I didn't say you haven't been. So, my question at this point is:
>
> (1) If these solutions aren't available, why not?
> (2) If they are available and people don't want them, why not?
it may be too early, and lot
> Yes, I agree, that NAPTs have tons of side effects, and that's a bad
> thing. But, for the average home user on DSL, they have purchased
> millions upon millions of these things. It's a tiny little network and
> they have full control over all the hosts. So for them, the NAPT
> firewalling fun
> > they would switch if they had alternatives available. but people
> > like you keep claiming that alternatives aren't needed because the
> > market has spoken.
>
> Nonsense. I'd love to see an alternative. Obviously, NATS have costs
> and a solution that reduced those costs would be better. Wha
on 6/19/2003 12:59 PM Keith Moore wrote:
>>Yeah, that there's a subset who cares. They got it. The market is
>>working.
>
> the market is dysfunctional. it doesn't always fail to deliver what is
> needed, but it often does.
I wouldn't say that this market is dysfunctional, more that markets a
> > > Doesn't the fact that there's not enough demand for this product
> > > to make it available suggest anything to you?
> >
> > does the fact that there was enough demand for the product that it
> > eventually became available suggest anything to you?
>
> Yeah, that there's a subset who cares.
> Keith, I don't get this argument. A NAPT is a firewall by your own
> definition "I believe the primary purpose of firewalls should be to
> protect the network, not the hosts, from abusive or unauthorized
> usage."
only if the policy that the user wants is exactly what the NAPT
provides. it'
> > until recently the only way I could get even one
> > static IP address for my home was through a special deal with a
> > friend of mine who had a small ISP, and the best bandwidth I could
> > get was 128kbps. none of the other local providers would sell me
> > one.
>
> Doesn't the fact that th
> > certainly the users I deal with are not getting what they want.
> > others seem to be reporting similar experiences.
>
> Then why don't they switch providers.
variety of reasons: often the provider is not the problem, it's the local
network admins, and the users aren't free to go elsewhere.
> If the customers are getting what they want, that seems to me that it
> can hardly be characterized as a "mess". And you have yet to establish
> that they're not getting what they want.
certainly the users I deal with are not getting what they want.
others seem to be reporting similar experience
> > The reason that we are explaining (once again) why NAT sucks is that
> > some people in this community are still in denial about that
>
> The person who's most in denial around here is you - about how definitively
> the market has, for the moment, chosen IPv4+NAT as the best balance b
> My take is that NAT's respond to several flaws in the IPv4 architecture:
>
> - 1) Not enough addresses - this being the one that brought them into
> existence.
> - 1a) Local allocation of addresses - a variant of the preceding one, but
> subtly different; NAT's do allow you to alloc
> Don't get me wrong, I do not defend NAT. The point I was trying to make
> is this: it is a waste of time to say that NAT sucks. We know it. For
> IPv4, it's too late to change.
The reason that we are explaining (once again) why NAT sucks is that some
people in this community are still in denial
> The NAT working group produced a number of documents. Some explained the
> limitations, while one explained to application writers how to live in the
> real world that includes NATs. Read RFC 3235.
nope, RFC 3235 doesn't explain how to make your applications work in the
presence of NATs. it
on 6/18/2003 10:44 PM [EMAIL PROTECTED] wrote:
>> Melinda Shore <[EMAIL PROTECTED]> writes:
>> None of these things worked real well through firewalls either, which
>> is sort of my point.
> If it doesn't work through a firewall, it's because the firewall is
> doing what you ASKED it to do - bl
If you need a secure zone, and you want a firewall, then you should install
a firewall. You should not put in a NAT thinking that it is also a firewall.
But I agree with you that NAT is here to stay.
-James Seng
Fleischman, Eric wrote:
Eric Rescorla [mailto:[EMAIL PROTECTED] wrote:
similarly, peopl
Why should the users be limited to what IT managers decide is good or bad?
The Internet is built on a dumb network and smart terminals. End-users are supposed
to be able to put up their own services, not just run some apps.
This has been the Internet principle and it has served us well so far.
(The tel
on 6/18/2003 5:37 PM Keith Moore wrote:
> you're simply wrong about that, at least for anything resembling
> today's NATs. except for a shortage of IPv4 addresses, NATs would not
> be needed at all.
...and a routing grid that could handle a squared table size. No use in
opening allocations to e
Just because I *have* a NAT box to use at home doesn't mean I *like* NAT.
I expect to find deployment of IPv6 at home challenging, in part because I've
already spent my 'five-year-plan' funds on networks for home.
It's the same road-trap digital TV is caught in: people do not rush out and buy
ev
Thus spake "Iljitsch van Beijnum" <[EMAIL PROTECTED]>
> For any particular application and group of users, and in order to
> switch over seamlessly, it is necessary that all servers become dual
> stack, then clients can switch (without the need to run dual stack) and
> after that the servers can dr
> One of the things I've always found endearing about IETFers is their
> utter confidence that whenever the world disagrees with them about the
> value of some technical approach, it must be because everyone else in
> the world is stupid.
hey, not everyone else is an IT manager :)
investing in nat
> > In my experience, IT managers are generally pretty unhappy changing
> > anything to support their users. People who actually use the
> > computers or the network are regarded as a nuisance.
>
> Exactly. So, why do you think it's NATs that are the cause of users
> not getting the things they want, as
> We lost our chance to avoid NAT's when variable length addresses were
> removed from TCPv2.5 (IIRC the version number correctly).
or maybe when IAB was shot down after Kobe :)
> NAT's are here, like it or not, and the only question is how to make
> lemonade out of them.
see my other comment
> The IAB has talked about NAT. A WG has produced a bunch of
> RFCs about NAT.
the WG ended up being full of NAT vendors trying to legitimize NAT
(and grossly exceeding the bounds of their charter in the process)
> How about some lemonade? An Internet draft that says
> something new about NA
> What I am suggesting is that there is no reason nat had to result in
> being on the interNOT rather than the internet.
you're simply wrong about that, at least for anything resembling today's
NATs. except for a shortage of IPv4 addresses, NATs would not be
needed at all. (yes, they're sold f
> > NAT is a denial of service attack, not a means of policy
> > enforcement.
>
> I wonder if NAT is to ietf discussions as Nazis was
> to Usenet discussions.
>
> That is, will every heated IETF debate eventually lead to
> invoking the NAT bogyman?
The national socialist party is (hopefully) a
Bob Braden writes:
> Since 1980 we have believed that universal connectivity was one of the
> great achievements of the Internet design. Today, one must
> unfortunately question whether universal connectivity can be sustained
> (or is even the right goal) in a networking environment without
>
on 6/18/2003 1:31 PM Eric Rescorla wrote:
> What applications that people want to run--and the IT managers would
> want to enable--are actually inhibited by NAT? It seems to me that most
> of the applications inconvenienced by NAT are ones that IT managers
> would want to screen off anyway.
Ora
> I think it would be more accurate to say that a NAT contravenes
> the basic Internet principle of universal connectivity.
well, if we're going to try to get accurate (or even precise) I'd
venture that the basic principle being contravened is not universal
connectivity, but separation of function
> > of course. but you can perhaps understand why I don't consider your
> >
> > intiution to the contrary convincing either?
>
> Yes, but I'm not the one calling widely sold and deployed network
> devices "Denial of service attacks".
Just for comparison against Phil's use of the term. It's no
*>
*> > If you want to address denial of service issues you need protocol
*> > enforcement points.
*>
*> NAT is a denial of service attack, not a means of policy enforcement.
*>
*>
*>
Keith,
I think it would be more accurate to say that a NAT contravenes
the basic Internet pr
> > the evidence I have is from reading vendor advertisements for NAT
> > boxes, and from talking to people who run networks that use NAT.
> > it's not a random sample, perhaps not a statistically significant
> > one, but it's been enough to convince me personally that the
> > delusion is widespre
> > similarly, people who install NAT usually don't realize how much this
> > costs them in lost functionality and reliability.
> Really? You have evidence of this?
the evidence I have is from reading vendor advertisements for NAT boxes,
and from talking to people who run networks that use NAT. i
> > NAT is a denial of service attack, not a means of policy enforcement.
>
> I don't think this is really accurate.
>
> The difference between denial of service and policy enforcement
> is primarily a question of authorization. Since the people who
> install NAT generally own the networks in que
> If you want to address denial of service issues you need protocol
> enforcement points.
NAT is a denial of service attack, not a means of policy enforcement.
> I really wish that the IETF
> had designed a decent NAT box spec
that's an oxymoron. the basic premise of NAT is fundamentally broken.
> At the start of the GOSIP nonsense, that might have been a reasonable
> charge. By the middle, there were at least as many ISO OSI
> applications as there are now IPv6 applications, and there was a
> lot of real OSI traffic in Europe. (A "lot" for that era if not
> today.) Major host vendors w
> From: Harald Tveit Alvestrand <[EMAIL PROTECTED]>
> ...
> The difference I see between GOSIP and the US DoD announcement is that
> GOSIP was an attempt to bring something into existence by buying it; the US
> DoD IPv6 announcement says that they have evaluated something that exists,
> and fou
On Tuesday, June 17, 2003, at 11:05 AM, Ronald van der Pol wrote:
Why would we want an internet with two protocols with the same
functionality running in parallel?
they don't have the same functionality.
> Sent: Tuesday, June 17, 2003 2:10 PM
> To: Hallam-Baker, Phillip
> Cc: [EMAIL PROTECTED]
> Subject: RE: myth of the great transition (was US Defense Department
> formally adopts IPv6)
>
>
> Phill,
>
> > Hallam-Baker, Phillip
> > Simply repeating
On Tuesday, Jun 17, 2003, at 17:05 Europe/Amsterdam, Ronald van der Pol wrote:
There is a big difference between planning/engineering for a transition
and planning/engineering for a coexistence. There seem to be forces
trying to steer to the latter. Seems like an important question. Why
would we
Phill,
> Hallam-Baker, Phillip
> Simply repeating the end to end dogma is not going to provide
> a solution. The internet people are using is not end to end.
> NAT boxes and firewalls play an important and necessary
> security role. We need a standard for a superNAT box that
> provides both securi
Ronald,
RvdP> There is a big difference between planning/engineering for a transition
RvdP> and planning/engineering for a coexistence. There seem to be forces
RvdP> trying to steer to the latter. Seems like an important question. Why
RvdP> would we want an internet with two protocols with the sam
Subject: Re: myth of the great transition (was US Defense Department
formally adopts IPv6)
On Tue, Jun 17, 2003 at 08:05:23 -0400, Keith Moore wrote:
> I see it as a transition also. But I think there will be a long period
> in which v6 is used mostly for new things, and only when v6 i
> % > If you want to keep running IPv4, with or without NAT,
> % > feel free.
> %
> % That's exactly what people will do, until and unless they encounter a
> % problem with IPv4 that can only be solved by IPv6.
>
> Your sweeping generalization does not ring true.
>
> However with a wi
Title: myth of the great transition (was US Defense Department formally adopts IPv6)
If you think of IPv6 as an end to end
technology that can gracefully ride on top of the global IPv4 ISP provided
infrastructure, you don't have to have the "Internet Infrastructure" tran
On Tue, Jun 17, 2003 at 08:05:23 -0400, Keith Moore wrote:
> I see it as a transition also. But I think there will be a long period
> in which v6 is used mostly for new things, and only when v6 is more
> ubiquitous than v4 will we see some of the core services migrate.
There is a big differenc
% Tim writes:
%
% > But a year ago we didn't have Abilene, GEANT
% > or a large number of European NRENs offering
% > a native IPv6 service.
%
% A year ago, my parents weren't using IPv6, whereas today ... they still
% aren't using it. When their connection is IPv6, I'll know that it has
% arriv
Tim writes:
> But a year ago we didn't have Abilene, GEANT
> or a large number of European NRENs offering
> a native IPv6 service.
A year ago, my parents weren't using IPv6, whereas today ... they still
aren't using it. When their connection is IPv6, I'll know that it has
arrived.
The more perv
> From: Tim Chown <[EMAIL PROTECTED]>
> But a year ago we didn't have ... Things are moving on.
Got a big stack of these too.
Noel
On Tue, Jun 17, 2003 at 06:25:59AM -0400, J. Noel Chiappa wrote:
> > From: Tim Chown <[EMAIL PROTECTED]>
>
> > We hear Sony saying all consumer networked appliances will support IPv6
> > by 2005. We hear MS talk about IPv6 for pervasive collaborative
> > communication
>
> I wish I
> From: Tim Chown <[EMAIL PROTECTED]>
> We hear Sony saying all consumer networked appliances will support IPv6
> by 2005. We hear MS talk about IPv6 for pervasive collaborative
> communication
I wish I could get $10 for every time I heard one of these predictions. I've
got a huge
On Tue, Jun 17, 2003 at 11:27:18AM +0200, Ronald van der Pol wrote:
> On Mon, Jun 16, 2003 at 21:39:03 -0400, Keith Moore wrote:
>
> > There isn't going to be a great transition to IPv6 in the sense that
> > you seem to mean. IPv4 and IPv6 will coexist for a long time.
>
> Yes, but I am afraid
On Mon, Jun 16, 2003 at 21:39:03 -0400, Keith Moore wrote:
> There isn't going to be a great transition to IPv6 in the sense that
> you seem to mean. IPv4 and IPv6 will coexist for a long time.
Yes, but I am afraid that underestimates the overhead of running
dual stack.
o address administratio
On Tuesday, Jun 17, 2003, at 05:05 Europe/Amsterdam, John C Klensin wrote:
The incentive for IPv6 adopters is obvious - they'll use IPv6
to do things they cannot do with IPv4.
Obviously that would be a very good reason to adopt IPv6, but due to
the ever evolving hacks in IPv4 there is very litt