Re: Netmeeting - NAT issue

2002-03-27 Thread Claus Färber

Keith Moore [EMAIL PROTECTED] wrote:
> the technical solutions exist.  what is needed is for more OS vendors
> to support v6 (and 6to4 on the host).

What we do need are killer applications. Just imagine what would
happen if Quake IV required IPv6[1]. ;-)

Claus

[1] and came with everything you need to make your host IPv6-
capable, of course.
-- 
http://www.faerber.muc.de/
OpenPGP: DSS 1024/639680F0 E7A8 AADB 6C8A 2450 67EA AF68 48A5 0E63 6396 80F0




RE: Netmeeting - NAT issue

2002-03-21 Thread Tony Hain

Aaron Falk wrote:
> I think one can make the case that having border protection may
> prevent a DOS attack from consuming interior network resources and
> allowing interior hosts to communicate amongst themselves.

And if your interior network resources are less than 10x your external
resource, you have an unusual network indeed. Yes it may be more
convenient to have the border deal with DOS, but is it *required* as
Noel asserted?

> We've
> recently had some fierce DOS attacks on our ISP but I'm still able to
> run NFS without a problem. This is a good thing.

NFS & 'good thing' are a matter of personal opinion. In any case if NFS
has trouble running when it has less than 90% of the interior resource,
one might have to question which set of packets should be defined as the
DOS.

Tony








RE: Netmeeting - NAT issue

2002-03-21 Thread J. Noel Chiappa

> From: Tony Hain [EMAIL PROTECTED]

> it may be more convenient to have the border deal with DOS, but is it
> *required* as Noel asserted?

First, there's "good idea", "required", and *required*. It's *required*
that your computer have a test-and-branch instruction to be a Turing machine.
It's not *required* that it have a jump instruction, but all computers do -
so it's pretty much required in a machine architecture. An example of "good
idea" would be lots of registers - most machines have that, but not all. Etc,
etc.

I never said it was *required* to have some security functions at the border
- merely that it was likely to happen for a variety of reasons (e.g. policy
enforcement in a large organization). I think my meaning was somewhere
between "good idea" and "required" (as defined above) - I don't know exactly
where.


Second, when I made my statement about "security alone demands that we be
able to move some functionality to a 'site border router', or some such", I
was speaking of security stuff in general, not DoS protection in particular.

I think there are different kinds of DoS attacks (I actually created a
taxonomy of DoS attacks for a research effort I'm involved with), and I expect
that different DoS attacks will need different mechanisms to handle them (i.e.
in the most efficient and robust manner - bearing in mind the old adage that
an engineer is someone who can do for $1 what any fool can do for $5). I
suspect that some might be at the borders, some might be at the servers - but
that's my intuition.

But DoS is still a very limited corner of security.

Noel




Re: Netmeeting - NAT issue

2002-03-21 Thread james woodyatt

On Thursday, March 21, 2002, at 06:15 PM, [EMAIL PROTECTED] wrote:
> Of course, there is the possibility that if they were totally honest,
> and marketed their devices as Enabling appliances for selected Internet
> services that they'd STILL make money (and then you'd have no one to
> blame).

Please read the warning below and keep NAT products away from kids and 
children who are not old enough to understand the risks of network 
address translation:

INTERNET ARCHITECTURE BOARD WARNING: Using Network Address
Translators Causes Loss of Routing Transparency and may Complicate
Application Protocol Interoperability in the Internet.

Thank you!


--
j h woodyatt [EMAIL PROTECTED]
please network responsibly.




Re: Netmeeting - NAT issue

2002-03-20 Thread Meritt James


See the problem?  Lots of "That is not the problem, THIS is the REAL
problem" and all too few doable solutions.

Throwing rocks is easy.  Catching them is harder.
-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566




Re: Netmeeting - NAT issue

2002-03-20 Thread Vivek Gupta

But what do you say about people using it at home/SOHO?
One is not going to buy 3 IPs if someone tries to use it at home.
The objective is to make the Internet accessible to everybody at the least $ out
of pocket.
We should not forget that.

Vivek

- Original Message -
From: Keith Moore [EMAIL PROTECTED]
To: Harald Koch [EMAIL PROTECTED]
Cc: Keith Moore [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, March 19, 2002 9:10 PM
Subject: Re: Netmeeting - NAT issue


> > I think you missed the important point. It's not the NAT vendors, it's
> > the ISPs.
>
> I'll grant that ISPs have something to do with it.  But there is a
> shortage of IPv4 addresses, so it's not as if anybody can have as
> many as they want.  And it's not the fact that people are selling
> NAT that I find objectionable, it's the fact that they are marketing
> them as a general purpose solution - misleading people about their
> applicability - rather than a stopgap measure.
>
> Keith




Re: Netmeeting - NAT issue

2002-03-20 Thread Melinda Shore

From: Peter Deutsch [EMAIL PROTECTED]
> And if your objection to NATs ended there, I wouldn't have a problem
> with it. But instead of then working to change the protocols that break
> with NATs, you continue to insist, Canute-like, that you can turn back
> the tides and move the world back to a pre-NAT world.

The protocols that break in the presence of NATs are not 
illegitimate, badly-designed protocols.  Simplicity is good, 
but sometimes complex problems really do call for complex 
solutions.  Aside from that, consider the problem of running 
a server.  

I'm very comfortable with identifying NAT as a problem.  I'm 
far less comfortable with the STOP BREAKING MY INTERNET thing.

Melinda





Re: Netmeeting - NAT issue

2002-03-20 Thread Aaron Falk

On Wed, Mar 20, 2002 at 08:23:15AM -0800, Tony Hain wrote:
 
> My question was directed at Noel's assertion that security requires a
> site border router as the implementation. Just because that may be
> cheaper than fixing all the current hosts, wouldn't we be better off in
> the long run if all future hosts protected themselves?

Tony-

I think one can make the case that having border protection may
prevent a DOS attack from consuming interior network resources and
allowing interior hosts to communicate amongst themselves.  We've
recently had some fierce DOS attacks on our ISP but I'm still able to
run NFS without a problem. This is a good thing.

---aaron




Re: Netmeeting - NAT issue

2002-03-19 Thread David Frascone

Ok, I have to say something.

I agree that NATs are evil, and *should* not exist.  But, since ISPs
currently charge tons of money for more than one IP address, they always
*will* exist.

Maybe IPv6 will fix all that . . . . we can only pray . . .


--
David Frascone

Reality is for those who can't handle Star Trek.




Re: Netmeeting - NAT issue

2002-03-19 Thread Valdis . Kletnieks

On Mon, 18 Mar 2002 21:00:22 PST, Peter Ford [EMAIL PROTECTED]  said:

> I would love to see the complete solution to signaling all the potential
> blocking intermediate hops in the network that specific traffic should
> pass.

I would love to see the complete *SECURE* solution to signaling all the
potential blocking intermediate hops in the network that specific traffic
should pass.

Some of us deploy firewalls in order to stop our systems from being able
to contact the outside world if they get trojaned.  Opening a port just
because a UPNP device says pretty please works against that...
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech









Re: Netmeeting - NAT issue

2002-03-19 Thread Valdis . Kletnieks

On Tue, 19 Mar 2002 08:40:02 CST, David Frascone said:
> I agree that NATs are evil, and *should* not exist.  But, since ISP's
> currently charge tons of money for more than one IP address, they always
> *will* exist.

Bad logic.  They won't "always will".  They will as long as ISPs have the
current rate structure. Correlate the number of cell phones with the change in
pricing structure over the last few years.

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: Netmeeting - NAT issue

2002-03-19 Thread Hans Kruse

OK, but that does not solve the problem where the NATs are mostly deployed
-- home and SOHO --  until all internet servers of interest to those users
speak IPv6.  "Can be upgraded to do so" is great if you control the server,
but these users don't.  So Yahoo, Google, etc can be persuaded to upgrade,
maybe...  and the home/SOHO user using the setup below does a search.  Many
of the hits will be IPv4 only sites, and we are back to NAT.

Don't get me wrong, this is a good migration path and should be pushed as 
much as possible, but it is not as fast as your message implies.

--On Tuesday, March 19, 2002 11:37 -0500 Keith Moore [EMAIL PROTECTED]
wrote:

> > Maybe IPv6 will fix all that . . . . we can only pray . . .
>
> easily fixed.
>
> get a single IPv4 address, assign it to a 6to4 router that's installed
> at your border, and put up to 2**80 hosts (okay, 2**16 hosts if
> you use stateless autoconfig) behind it.  you can then get to any of
> those hosts from any another machine that speaks IPv6.  if those
> machines don't speak IPv6, they can often be upgraded to do so.
> if they don't have IPv6 connectivity, they can get it using 6to4.



Hans Kruse, Associate Professor
J. Warren McClure School of Communication Systems Management
Ohio University, Athens, OH, 45701
740-593-4891 voice, 740-593-4889 fax
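The 6to4 arithmetic behind the setup quoted above, as an added example (written here, not code from anyone on the thread): how a router's single public IPv4 address becomes a 2002:V4ADDR::/48 site prefix per RFC 3056, where the 2**80 and 2**16 figures come from, and which IPv4 endpoint the router tunnels to (the embedded address for another 6to4 site, the RFC 3068 relay anycast 192.88.99.1 for native IPv6). The 192.0.2.x and 198.51.100.x addresses are constructed documentation values.

```python
"""6to4 addressing worked through with the ipaddress module (added example)."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")           # RFC 3056 6to4 block
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 relay anycast

# IPv4 ranges a 6to4 router cannot embed: the prefix must carry a globally
# routable address, which is exactly why a host sitting behind a NAT cannot
# run 6to4 itself and the 6to4 router must own the public address.
_NOT_EMBEDDABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 site prefix for the router's public address."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in net for net in _NOT_EMBEDDABLE):
        raise ValueError(f"{v4} is not a global IPv4 address; 6to4 cannot embed it")
    # 16-bit 2002 prefix, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def site_subnet(prefix: ipaddress.IPv6Network, sla_id: int) -> ipaddress.IPv6Network:
    """The /64 for one of the 2**16 subnets (16-bit SLA ID) inside the site's /48."""
    if prefix.prefixlen != 48 or not 0 <= sla_id < 2 ** 16:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (sla_id << 64), 64))


def capacity(prefix: ipaddress.IPv6Network, stateless_autoconf: bool) -> int:
    """Address budget behind the /48: 2**80 addresses when assigned freely,
    2**16 subnets when every link must be a /64 for stateless autoconfiguration
    (the two figures the quoted message gives)."""
    if stateless_autoconf:
        return 2 ** (64 - prefix.prefixlen)
    return 2 ** (128 - prefix.prefixlen)


def tunnel_endpoint(dst_ipv6: str) -> ipaddress.IPv4Address:
    """IPv4 address the 6to4 router encapsulates an outgoing packet to:
    the embedded V4ADDR when the destination is another 6to4 site, else the
    relay anycast address that forwards into native IPv6."""
    v6 = ipaddress.IPv6Address(dst_ipv6)
    if v6 in SIXTO4:
        return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)
    return RELAY_ANYCAST


if __name__ == "__main__":
    site = sixto4_prefix("192.0.2.1")  # constructed: the border router's public IPv4
    print(site, site_subnet(site, 1), capacity(site, True), capacity(site, False))
    print(tunnel_endpoint("2002:c633:6407::1"), tunnel_endpoint("2001:db8::1"))
```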




Re: Netmeeting - NAT issue

2002-03-19 Thread Keith Moore

> > in a just world, the NAT vendors would all be sued out of existence for
> > the harm they've done to the Internet. in the real world, if you can
> > hire a famous personality to advertise your product on TV, then by
> > definition it must work well.
>
> The last time I was this hard-headed about a technology I thought was a bad
> idea technically, the company I was associated with never really recovered
> (although there were other problems too).

notice I did say "in a just world".  I don't pretend that this world 
is just.  If you want to make money, you have to understand that the
economic environment we live in favors those who do harm.  You can 
choose whether or not to do harm (and to what degree), but it doesn't 
help to pretend that the market will reward you for doing good.

> Deal with it.

likewise.

Keith




Re: Netmeeting - NAT issue

2002-03-19 Thread Keith Moore

> OK, but that does not solve the problem where the NATs are mostly deployed
> -- home and SOHO --  until all internet servers of interest to those users
> speak IPv6.  Can be upgraded to do so is great if you control the server,
> but these users don't.

true enough.  fortunately, NAT doesn't interfere much with www and email,
and a few other common services, so NATted v4 works okay to access these.
IMHO v6 will mostly be used to talk between things that don't work with
NAT. for those things, it's worth it to upgrade the hosts. and 6to4 
relieves some of the immediate requirement to upgrade the net.

Keith




Re: Netmeeting - NAT issue

2002-03-19 Thread james woodyatt

everyone--

I know this is a frequent source of heated discussion, and that much has 
already been said that doesn't need to be repeated here, but I *just* 
*can't* *let* *this* *go* unchallenged.

-

On Tuesday, March 19, 2002, at 08:26 AM, Keith Moore wrote:
> [...]
> in a just world, the NAT vendors would all be sued out of existence
> for the harm they've done to the Internet.  in the real world, if you
> can hire a famous personality to advertise your product on TV,
> then by definition it must work well.
> [...]

The harm done to the growth potential of the Internet by the widespread 
deployment of NAT routers is not the fault of the people who make them.

That there is a profitable business to be made in selling NAT appliances 
to non-technical Internet users is *not* the root cause of the problem.  
It's a symptom, and I think the IETF would do very well to think long 
and hard about how to solve the real problem illustrated by the ubiquity 
of NAT routers in residential settings: strategic opposition to the 
end-to-end architecture among large retail Internet service providers.

The first thing I would suggest is to sit back and contemplate whether 
the situation bears any resemblance to other problems in which the user 
population engages in behavior that results in short-term personal 
benefit in exchange for long-term harm to the welfare of society.

In fairness, I should disclose that I am currently employed by a company 
that sells-- among other fine products-- a home gateway appliance with a 
NAT routing function; also, my responsibilities include integrating the 
library of ALG implementations it offers.  So, yes-- I've been having 
this debate with myself for years.

I very much wish there were a profitable business to be made selling 
home gateway appliances with IPv6 and 6to4 support, but I also very much 
wish that Afghan farmers could make a living growing wheat instead of 
opium.  Sadly-- there is not much business to be made that way today, 
and whether there will be a thriving business there in the near future 
remains a very open question.


--
j h woodyatt [EMAIL PROTECTED]




Re: Netmeeting - NAT issue

2002-03-19 Thread Keith Moore

> The first thing I would suggest is to sit back and contemplate whether
> the situation bears any resemblance to other problems in which the user
> population engages in behavior that results in short-term personal
> benefit in exchange for long-term harm to the welfare of society.

granted there are numerous instances of this.  but it seems disingenuous 
to blame the NAT problem on users when the NAT vendors are doing their 
best to mislead users about the harm that NAT does.




RE: Netmeeting - NAT issue

2002-03-19 Thread Peter Ford

Keith,

In a just world, people freely purchase the things they want and believe
solves a real world problem for them.   

The Internet has grown at an incredible rate and I suspect in large part
due to NATs.   I wonder if the Internet would sue the NAT vendors, or
thank them for establishing a broader customer base, especially
customers who pay for broadband?  (in the u.s. they would certainly be
honored for accomplishments and sued! ) 

I would like to close this discussion with: the Internet has v6 coming
in the pipeline, and the AT of NATs will probably go away as a
result.  apps in general need transparent connectivity amongst peers,
but the tacit assumption that all an app has to do is send a packet and
things will just work is unrealistic.  In other
words, NATs becoming personal firewalls is a growth market.   Like
almost every other resource, the network is something that will be
managed, inspected, measured, and controlled by some policy.  This will
be manifested in a collection of protocols from the host asking the
network to do things.  MobileIP is an example, authenticated firewall
traversal is another.   I predict you will see what some have called the
"remote bind" problem of opening holes in firewalls and NATs for
listening services behind firewalls to be an important protocol to get
nailed.  The extent to which we can help people NOT be firewall admins,
the better off we all will be.

I would not be wasting my time sending mail to this list if I did not
suspect the IETF knew where the problems are.   What I am hoping will
arise is action and results.

Cheers, peterf

P.S.  lighten up.   We will get v6 tunneled over v4 over NATs as well.
What bliss!



 









Re: Netmeeting - NAT issue

2002-03-19 Thread Harald Koch

Of all the gin joints in all the towns in all the world, Keith Moore
had to walk into mine and say:
 
> granted there are numerous instances of this.  but it seems disingenuous 
> to blame the NAT problem on users when the NAT vendors are doing their 
> best to mislead users about the harm that NAT does.

I think you missed the important point. It's not the NAT vendors, it's
the ISPs.

I have 6 computers at home. I'd be perfectly happy to have a /28 or so
of address space routed for me by my ISP, but I would have to upgrade
from the residential $40/month connection to the business $500/month to
do so.  I think I'll buy a $130 Linksys box and pocket the savings,
thank you very much.

I understand the limitations of NAT environments, having built two
commercial ALG firewalls and maintained several linux based ones for my
friends. I just don't really have any choice. My ISP doesn't offer IPv6
(and won't for the foreseeable future). I do have an IPv6 tunnel from a
tunnelbroker, and I do run 6to4, but that doesn't connect me to very
much.

(All $ are Canadian. :-)

-- 
Harald Koch [EMAIL PROTECTED]

It takes a child to raze a village.
-Michael T. Fry




Re: Netmeeting - NAT issue

2002-03-19 Thread james woodyatt

On Tuesday, March 19, 2002, at 01:10 PM, Keith Moore wrote:
> [I wrote:]
> > The first thing I would suggest is to sit back and contemplate whether
> > the situation bears any resemblance to other problems in which the user
> > population engages in behavior that results in short-term personal
> > benefit in exchange for long-term harm to the welfare of society.
>
> granted there are numerous instances of this.  but it seems disingenuous
> to blame the NAT problem on users when the NAT vendors are doing their
> best to mislead users about the harm that NAT does.

I did not mean to imply that my employer's customers are to blame for 
the NAT problem, or to excuse the NAT vendors (including my employer) 
who mislead their customers about the harm caused by NAT routers.

In the sentence immediately before the one you quoted, I expressed the 
following opinion (admittedly, as if it were fact):

> [...] the real problem illustrated by the ubiquity of NAT routers in 
> residential settings: strategic opposition to the end-to-end 
> architecture among large retail Internet service providers.

I could be wrong about this, but I really believe this is the root cause 
of the NAT problem, not ignorant users or self-interested appliance 
vendors.


--
j h woodyatt [EMAIL PROTECTED]




Re: Netmeeting - NAT issue

2002-03-19 Thread J. Noel Chiappa

> From: Keith Moore [EMAIL PROTECTED]
>
> it seems disingenuous to blame the NAT problem on users when the NAT
> vendors are doing their best to mislead users about the harm that NAT
> does.

Oh, piffle. NAT's don't harm the Internet, any more than a host of other
things: invisible Web caches, ISP packet filtering (I can't run an SMTP
server because my cable ISP are a bunch of fascist morons, so I have to run
'fetchmail' instead - which generates *more* traffic - but I digress), etc,
etc.

Many of those are far more problematic *in practise*, but don't seem to
generate anything like as much heat. (And I won't even get into policy
stupidity relating to the Internet, such as the way in which some large
commercial entities are using trademark and copyright law, the DMCA, etc as
blunt instruments to bulldoze small players - the ToysRUs attack on the
people running BondageToysRUs being merely the latest example to come to my
attention.)


There are a number of good technical reasons for down-marking NAT's, but they
aren't as terminally serious as some people claim, looked at from a far-off
stance.

E.g. they do increase the fragility of the network, by moving state away from
the endpoints. However, the pure end-end model (where all the intelligence is
in the endpoints, and everything in the middle is dumb as a post) is too
simple for today's network anyway - security alone demands that we be able to
move some functionality to a site border router, or some such. And in
practise, the fragility of my NAT box is far less than the fragility of the
routing - something that nobody seems to be anything like as greatly
exercised by. So I discount that one. Etc, etc.


All of which leads me to a simple conclusion: one big reason that you and any
number of other people are upset about NAT's has nothing to do with their
technical shortcomings. Rather, what gets people so aggravated is that they
are killing off the preferred alternative.

About which, let me also observe that that alternative is (in effect) a
return to a misty golden age where IPvN was carried everywhere with no
interference. Well, those days are gone forever.

Noel




Re: Netmeeting - NAT issue

2002-03-19 Thread Keith Moore

> I think you missed the important point. It's not the NAT vendors, it's
> the ISPs.

I'll grant that ISPs have something to do with it.  But there is a
shortage of IPv4 addresses, so it's not as if anybody can have as
many as they want.  And it's not the fact that people are selling
NAT that I find objectionable, it's the fact that they are marketing
them as a general purpose solution - misleading people about their
applicability - rather than a stopgap measure.

Keith




RE: Netmeeting - NAT issue

2002-03-19 Thread Tony Hain

Noel Chiappa wrote:
> ...
> security alone demands that we be able to
> move some functionality to a site border router, or some
> such.

Why does security demand an external border?  Is that based on the
assumption that the host is too stupid to protect itself? If it is based
on having an app listening on a port with the intent of local use, but
expecting a border device to protect that app from remote use (or
abuse), is that the right deployment model? Is the lack of a clear IPv4
way to identify locality at the root of your claim?

Tony






Re: Netmeeting - NAT issue

2002-03-19 Thread Keith Moore

> Oh, piffle. NAT's don't harm the Internet, any more than a host of other
> things: 

the fact that other things do harm doesn't mean that NATs don't also
do harm, or that the harm done by NAT is somehow lessened or excused.
and IMHO most of the other things you mentioned do less harm than NATs,
though I agree there are a lot of folks out there who are getting away 
with screwing the net.

> All of which leads me to a simple conclusion: one big reason that you and any
> number of other people are upset about NAT's has nothing to do with their
> technical shortcomings. Rather, what gets people so aggravated is that they
> are killing off the preferred alternative.

The reason I'm upset about NATs is that they make it difficult to
build distributed and peer-to-peer apps, and they encourage a model
where the net is centrally controlled (not by a single center, but 
by a relatively small number of providers who control the center).  

I didn't get seriously interested in IPv6 until I realized that they 
were the most likely viable solution to the NAT problem.   In hindsight
I would have done IPv6 somewhat differently.  But it's possible to start
IPv6, make applications work with it, and maybe fix a few things about
v6 along the way as people learn more about its shortcomings.  NATs,
on the other hand, are completely intractable.  e.g. even if you can 
come up with a better solution to the firewall access problem (and
I think that's possible, though we're nowhere close to that now), as
long as you have NATs you're still stuck with the problems inherent 
in a partitioned address space.  

Keith




Re: Netmeeting - NAT issue

2002-03-19 Thread Masataka Ohta

Keith;

> > I think you missed the important point. It's not the NAT vendors, it's
> > the ISPs.
>
> I'll grant that ISPs have something to do with it.  But there is a
> shortage of IPv4 addresses, so it's not as if anybody can have as
> many as they want.

Wrong.

There actually is no shortage of IPv4 addresses.

The primary reason why NAT is so popular is that NICs do not offer
IPv4 addresses promptly, because NICs feared a shortage of IPv4 addresses.

The wrong policy on IPv4 address assignment made NAT profitable.

Masataka Ohta




Re: Netmeeting - NAT issue

2002-03-19 Thread Valdis . Kletnieks

On Tue, 19 Mar 2002 19:01:14 PST, Tony Hain [EMAIL PROTECTED]  said:

> Why does security demand an external border?  Is that based on the
> assumption that the host is too stupid to protect itself? If it is based

Yes.

The host may be too stupid to protect itself - read Bugtraq or other similar
lists for the gory details.

In addition, an external border is useful as a checks-and-balances, for the
same sort of reasons why the person balancing your company's books shouldn't
be the guy writing the checks, or having Customs inspectors at the border
crossing - what percent of the people on international flights understand
the rules about carrying live biologicals (both animal and vegetable) for
any country they may be visiting?
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: Netmeeting - NAT issue

2002-03-18 Thread Melinda Shore

> > Microsoft has recently addressed the NAT traversal issue for multimedia
> > scenarios by shipping Messenger in Windows XP and it uses universal plug
> > and play protocols (www.upnp.org) to open holes on upnp capable internet
> > gateways. There are many vendors building upnp capable NATs in 2002.
>
> Nice.

Not really.  It's just midcom, which solves some problems
and introduces others.  It restores one kind of end-to-end
function (addressing) while damaging another (routing
transparency).

Melinda





RE: Netmeeting - NAT issue

2002-03-18 Thread Peter Ford


Ahh, it doesn't have to damage routing transparency.   If we were to use
a signaling protocol that is carefully crafted to preserve routing
transparency (e.g. RSVP) then we can avoid this issue.

The upnp guys are not really thinking of damaging routing transparency.
The protocols explicitly probe the first hop router on the network for
upnp capabilities.  In their model of a home gateway/LAN there is no
internal routing, the world is bridged, so the signaling should not
damage routing transparency.  The limitation they have currently
introduced is that they do not fix NATs that run in the network or
allow initiation of hole punching at the callee end of the network from
the caller side. (RSVP could also solve this problem).

If you really want to cry in your green beer about routing transparency
then you should be crying about http proxies, tunnels, VPNs, bandwidth
brokers, ipsec, yes - midcom, etc.  But as one might note, and you get
together 3 times a year at incredibly high prices (:-)), you are going
to get protocols and standards that put the meat of the solution into
middle boxes.


Cheers, peterf


-Original Message-
From: Melinda Shore [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 7:14 AM
To: Andrew McGregor
Cc: [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue

> > Microsoft has recently addressed the NAT traversal issue for multimedia
> > scenarios by shipping Messenger in Windows XP and it uses universal plug
> > and play protocols (www.upnp.org) to open holes on upnp capable internet
> > gateways. There are many vendors building upnp capable NATs in 2002.
>
> Nice.

Not really.  It's just midcom, which solves some problems
and introduces other.  It restores one kind of end-to-end
function (addressing) while damaging another (routing
transparency).

Melinda





RE: Netmeeting - NAT issue

2002-03-18 Thread Peter Ford

Joe, 

To a large extent I agree with the goals.  And I am not saying NATs are
the cats pajamas, but they do exist and you and I yacking about it
are not going to make them go away.  (by the way, most people buying
NATs think they are buying a firewall and often have no clue as to how they
work).  

Thus, we need to figure out how to get all the nice E2E properties at
the same time living in the world where we have intermediate systems
that need to be convinced to let us do so. What I am suggesting is
that there needs to be a generic way to ask for that permission, get the
request granted, and to operate under that permission.   I am proposing
negotiated signaling following the data path, not having the permission
implicitly granted by simply sending data.   At a minimum the end system
(application) makes the request, but the architecture should allow
proxies to operate on their behalf as well.

Adding the constraints of preserving dynamic routing (or routing
transparency) is fair.  I believe we have seen protocols that can do
that.  There have been sightings in networks that implement traffic
management for connectionless networks.

Regards, peterf




-Original Message-
From: Joe Touch [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 8:08 AM
To: Peter Ford
Cc: Andrew McGregor; Vivek Gupta; [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue

Peter Ford wrote:
> If one really believes in end to end architectures, then one probably
> would want generalized protocols for supporting hosts telling the
> network what to do wrt opening holes at NATs/Firewalls for inbound
> traffic.

Actually, if one believes in the E2E arch (more specifically, the STD 
documents), we should admit that:

- NATs are _designed_ to make everything behind them
look like a single host

- they work fine exactly where that's sufficient

- they break very badly for EVERY new protocol that
coordinates ports or IP addresses in-band, and in any
other case where everything behind them does NOT
want to work like a single host

A generalized protocol for opening holes would fundamentally alter the 
Internet architecture (as specified in the STD docs) to _require_ path 
setup, which defeats dynamic routing, and, more specifically, the 
fundamentally connection-free property of datagram service.

Joe
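An added illustration of the three points in Joe Touch's quoted reply (example code written here, not from anyone on the thread): a toy port-translating NAT in front of a constructed call-setup message that names the caller's own address in the payload, the way H.323 signalling does. A same-flow reply comes back fine, because to the outside the whole site is one host; the in-band advertised connection is lost unless an ALG rewrites the payload and pre-opens a mapping for it. The CALLBACK message format, hosts and ports are all constructed.

```python
"""Toy NAPT showing why in-band addresses break without an ALG (added example)."""
from dataclasses import dataclass, replace
import re

# Constructed stand-in for a call-setup message that carries the caller's own
# address in the payload (as H.323/H.245 and FTP PORT do).
CALLBACK_RE = re.compile(r"CALLBACK (\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Napt:
    """Port-translating NAT: everything inside appears as one public address."""

    def __init__(self, public_ip: str, alg: bool = False):
        self.public_ip = public_ip
        self.alg = alg            # rewrite CALLBACK payloads or not
        self.next_port = 40000
        self.out_map = {}         # (inner_ip, inner_port) -> public_port
        self.in_map = {}          # public_port -> (inner_ip, inner_port)

    def _bind(self, inner_ip: str, inner_port: int) -> int:
        key = (inner_ip, inner_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.out_map[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the IP/port headers; only an ALG ever touches the payload."""
        pub_src = self._bind(pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if self.alg:
            def fix(m):
                # Pre-open a mapping for the advertised listener and advertise
                # the public side instead of the private address.
                pub = self._bind(m.group(1), int(m.group(2)))
                return f"CALLBACK {self.public_ip}:{pub}"
            payload = CALLBACK_RE.sub(fix, payload)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_src, payload=payload)

    def inbound(self, pkt: Packet):
        """Return the translated packet, or None when no mapping exists (dropped)."""
        key = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])


def peer_reply(pkt: Packet) -> Packet:
    """Outside peer answering within the same flow: this works through a NAT."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, "OK")


def peer_callback(pkt: Packet) -> Packet:
    """Outside peer opening the second connection the payload asked for."""
    m = CALLBACK_RE.search(pkt.payload)
    return Packet(pkt.dst_ip, pkt.dst_port, m.group(1), int(m.group(2)), "CONNECT")


def run_call(alg: bool):
    """Return (payload as seen outside, delivered reply, delivered callback)."""
    nat = Napt("203.0.113.5", alg=alg)            # constructed public address
    setup = Packet("192.168.1.10", 5000, "198.51.100.7", 1720,
                   "CALLBACK 192.168.1.10:1720")  # constructed inner caller
    outside = nat.outbound(setup)
    # Same-flow reply: the mapping created for port 5000 carries it back.
    reply = nat.inbound(peer_reply(outside))
    # Callback to the address named in the payload: without an ALG the peer
    # is told a private address and the packet never arrives; with one it
    # lands on the pre-opened public port and is translated to the listener.
    callback = nat.inbound(peer_callback(outside))
    return outside.payload, reply, callback


if __name__ == "__main__":
    for alg in (False, True):
        print("ALG" if alg else "no ALG", run_call(alg))
```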




RE: Netmeeting - NAT issue

2002-03-18 Thread John Stracke

> The protocols explicit probe the first hop router on the network for
> upnp capabilities.  In their model of a home gateway/LAN there is no
> internal routing, the world is bridged, so the signaling should not
> damage routing transparency.

But just imposing that model removes transparency.  Maybe I have a router
between my wireless and wired Ethernets.  That's a reasonable thing to
do--say, if the wired segment is 100Mbps and is carrying high-bandwidth
{broad|multi}cast traffic.  Or maybe I have a substantial number of home
appliances with network connections, and I don't trust their software to
be secure, so I put them in a DMZ, like this:

(Internal LAN) -- (Firewall A) -- (DMZ LAN) -- (Firewall B) -- (Outside world)

/===\
|John Stracke|Principal Engineer|
|[EMAIL PROTECTED]   |Incentive Systems, Inc.   |
|http://www.incentivesystems.com |My opinions are my own.   |
|===|
|If God had not given us duct tape, it would have been necessary|
|to invent it.  |
\===/




Re: Netmeeting - NAT issue

2002-03-18 Thread Melinda Shore

> Ahh, it doesn't have to damage routing transparency.   If we were to use
> a signaling protocol that is carefully crafted to preserve routing
> transparency (e.g. RSVP) then we can avoid this issue.

That's what I'm working on, but midcom and upnp as they're
currently defined most certainly do have routing-related
problems.

> The upnp guys are not really thinking of damaging routing transparency.

Of course they weren't.  But the assumptions that the network
is single-homed and that there's only one NAT in the path and
that there are no firewall interactions are inherently non-
general, and any assumption that they fix the problem is
necessarily incorrect.  Seeing this stuff touted as a general-
purpose fix makes me very uncomfortable.

Melinda





RE: Netmeeting - NAT issue

2002-03-18 Thread Peter Ford

Melinda,

I actually agree with most of what you say in the absolute.

I will note that the one thing going for the home network NAT guys is
that they have focused on making things work to the extent that they
even have George Hamilton selling NATs at the poolside on TV commercials
for Circuit City.  They may not take routing transparency seriously
enough, but they seem to have a real market for their products. 

The leading NAT gets the following review on amazon.com:
Average Customer Review: 4 stars out of 5, based on 682 reviews!

To that extent, they may have found the right engineering and usability
trade-offs for the home LAN scenario and perhaps even the common soho
solution.  I did not see a single comment in the amazon reviews citing
routing issues.

I think we can agree that a single protocol for traversal that works for
all topologies would be ideal.  

cheers, peterf
 

-Original Message-
From: Melinda Shore [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 2:18 PM
To: Peter Ford
Cc: [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue

> > Ahh, it doesn't have to damage routing transparency.  If we were to
> > use a signaling protocol that is carefully crafted to preserve routing
> > transparency (e.g. RSVP) then we can avoid this issue.
>
> That's what I'm working on, but midcom and upnp as they're
> currently defined most certainly do have routing-related
> problems.
>
> > The upnp guys are not really thinking of damaging routing transparency.
>
> Of course they weren't.  But the assumptions that the network
> is single-homed and that there's only one NAT in the path and
> that there are no firewall interactions are inherently non-
> general, and any assumption that they fix the problem is
> necessarily incorrect.  Seeing this stuff touted as a general-
> purpose fix makes me very uncomfortable.
>
> Melinda





RE: Netmeeting - NAT issue

2002-03-18 Thread Peter Ford


I would love to see the complete solution to signaling all the potential
blocking intermediate hops in the network that specific traffic should
pass. 

Regards, peter




Re: Netmeeting - NAT issue

2002-03-17 Thread Andrew McGregor

Or, get a NAT which *does* connection-track H.323.  They do exist, 
open-source and not, and work just fine.

Better, get a proper H.323 gateway (which will work behind an H.323 aware 
NAT if done properly) so people can call in as well as out.

However, NAT is still brokenness. (and so is H.323)

Andrew

--On Tuesday, March 12, 2002 15:17:35 -0800 Joe Touch [EMAIL PROTECTED] wrote:

> NAT doesn't support Netmeeting. It uses H.323 encoding, which uses IP
> addresses and dynamically assigned ports in-band (inside the connection).
> The NAT is translating the outer IP addresses, but because your NAT
> doesn't understand H.323, it doesn't know it would have to also translate
> the inner addresses and ports. Netmeeting expects that it can dynamically
> select a port to use to connect back to your machine, but that defeats
> what a NAT thinks the Internet looks like (notably because it's
> incorrect).
>
> The best solution: get real IP addresses. It's cheaper than wasting your
> time figuring out why things don't work.
>
> Joe
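The failure Joe Touch describes (outer header translated, in-band address left alone) and the "NAT which *does* connection-track H.323" that Andrew recommends can both be shown with a small simulation. This is an added example, not code from the thread or from any NAT product: the addresses are constructed from the RFC 5737 documentation ranges, and the textual `connect-back=ip:port` field is a hypothetical stand-in for the transport address that real H.225.0/H.245 messages carry in ASN.1 PER encoding. The toy NAT allocates one public port per inside (ip, port) pair; with `alg=True` it also parses the payload, rewrites the inner address and pre-creates the mapping that the callee's return connection will hit.

```python
import re
from dataclasses import dataclass

# Constructed addresses: a host behind the NAT, the NAT's public side and a
# callee out on the Internet (RFC 5737 documentation prefixes).
PRIVATE_HOST = "192.168.1.10"
PUBLIC_IP = "203.0.113.5"
PEER = "198.51.100.20"

# Hypothetical textual stand-in for the transport address that H.225.0/H.245
# actually carry inside ASN.1 PER encoded signaling bodies.
ADDR_RE = re.compile(r"connect-back=(\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)
    payload: str


class Nat:
    """Port-overloading NAT; with alg=True it also rewrites in-band addresses."""

    def __init__(self, public_ip, alg=False):
        self.public_ip = public_ip
        self.alg = alg
        self.next_port = 40000
        self.out = {}   # (inside ip, inside port) -> public port
        self.inb = {}   # public port -> (inside ip, inside port)

    def _map(self, inside):
        """Return the public port for an inside (ip, port), allocating on first use."""
        if inside not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[inside] = port
            self.inb[port] = inside
        return self.out[inside]

    def outbound(self, pkt):
        """Translate the outer header; the ALG additionally fixes the payload."""
        pub_port = self._map(pkt.src)
        payload = self._rewrite(pkt.payload) if self.alg else pkt.payload
        return Packet((self.public_ip, pub_port), pkt.dst, payload)

    def _rewrite(self, payload):
        def fix(m):
            inside = (m.group(1), int(m.group(2)))
            # Allocating the mapping here is what pre-opens the return path.
            return f"connect-back={self.public_ip}:{self._map(inside)}"
        return ADDR_RE.sub(fix, payload)

    def inbound(self, pkt):
        """Deliver an Internet-side packet inside, or drop it (returns None)."""
        ip, port = pkt.dst
        if ip != self.public_ip or port not in self.inb:
            return None
        return Packet(pkt.src, self.inb[port], pkt.payload)


def call_setup(alg):
    """Run one call: outbound SETUP, then the callee connecting back.

    Returns (outcome, payload as seen by the callee).
    """
    nat = Nat(PUBLIC_IP, alg=alg)
    setup = Packet((PRIVATE_HOST, 1720), (PEER, 1720),
                   f"SETUP connect-back={PRIVATE_HOST}:5004")
    on_wire = nat.outbound(setup)

    # The callee obeys the in-band address, exactly as NetMeeting expects.
    ip, port = ADDR_RE.search(on_wire.payload).groups()
    if ip != PUBLIC_IP:
        # An RFC 1918 address leaked onto the Internet: nobody can route it.
        return "unroutable", on_wire.payload
    callback = Packet((PEER, 5004), (ip, int(port)), "OPEN-LOGICAL-CHANNEL")
    delivered = nat.inbound(callback)
    if delivered is not None and delivered.dst == (PRIVATE_HOST, 5004):
        return "delivered", on_wire.payload
    return "dropped", on_wire.payload
```

`call_setup(False)` ends "unroutable" because the callee is told to connect to 192.168.1.10; `call_setup(True)` ends "delivered" because the ALG substituted the public address and port and installed the mapping before the callee used it. The ALG only works because it can read and modify the signaling; once the signaling is encrypted (or PER-encoded in a way the box does not implement) the same NAT is back to the first case.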







RE: Netmeeting - NAT issue

2002-03-17 Thread Peter Ford

If one really believes in end to end architectures, then one probably
would want generalized protocols for supporting hosts telling the
network what to do wrt opening holes at NATs/Firewalls for inbound
traffic.  Doing this form of traversal mapping on a protocol by protocol
basis (e.g. H.323 gateway, SIP proxies, etc.) does create an interesting
market niche for the firewall vendors, but it is not clear this is the
right model for the long term.

Microsoft has recently addressed the NAT traversal issue for multimedia
scenarios by shipping Messenger in Windows XP and it uses universal plug
and play protocols (www.upnp.org) to open holes on upnp capable internet
gateways. There are many vendors building upnp capable NATs in 2002.

Even if the *AT* in NATs go away, the reason people buy them won't.
There needs to be a way for applications and firewalls to coordinate -
perhaps in the same way that highway designers and car designers usually
agree on the basic design parameters of on/off ramps.

Regards, peter



-Original Message-
From: Andrew McGregor [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, March 17, 2002 5:34 PM
To: Joe Touch; Vivek Gupta
Cc: [EMAIL PROTECTED]
Subject: Re: Netmeeting - NAT issue

Or, get a NAT which *does* connection-track H.323.  They do exist, 
open-source and not, and work just fine.

Better, get a proper H.323 gateway (which will work behind an H.323
aware 
NAT if done properly) so people can call in as well as out.

However, NAT is still brokenness. (and so is H.323)

Andrew

--On Tuesday, March 12, 2002 15:17:35 -0800 Joe Touch [EMAIL PROTECTED]
wrote:

> NAT doesn't support Netmeeting. It uses H.323 encoding, which uses IP
> addresses and dynamically assigned ports in-band (inside the connection).
> The NAT is translating the outer IP addresses, but because your NAT
> doesn't understand H.323, it doesn't know it would have to also translate
> the inner addresses and ports. Netmeeting expects that it can dynamically
> select a port to use to connect back to your machine, but that defeats
> what a NAT thinks the Internet looks like (notably because it's
> incorrect).
>
> The best solution: get real IP addresses. It's cheaper than wasting your
> time figuring out why things don't work.
>
> Joe







RE: Netmeeting - NAT issue

2002-03-17 Thread Andrew McGregor



--On Sunday, March 17, 2002 18:51:48 -0800 Peter Ford
[EMAIL PROTECTED] wrote:

> If one really believes in end to end architectures, then one probably
> would want generalized protocols for supporting hosts telling the
> network what to do wrt opening holes at NATs/Firewalls for inbound
> traffic.  Doing this form of traversal mapping on a protocol by protocol
> basis (e.g. H.323 gateway, SIP proxies, etc.) does create an interesting
> market niche for the firewall vendors, but it is not clear this is the
> right model for the long term.

I don't think it is; my suggestion below was merely practical.

> Microsoft has recently addressed the NAT traversal issue for multimedia
> scenarios by shipping Messenger in Windows XP and it uses universal plug
> and play protocols (www.upnp.org) to open holes on upnp capable internet
> gateways. There are many vendors building upnp capable NATs in 2002.

Nice.

> Even if the *AT* in NATs go away, the reason people buy them won't.
> There needs to be a way for applications and firewalls to coordinate -
> perhaps in the same way that highway designers and car designers usually
> agree on the basic design parameters of on/off ramps.

I agree; it's going to be hard to secure, but I guess that's what makes it
interesting.

> Regards, peter
>
> -Original Message-
> From: Andrew McGregor [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, March 17, 2002 5:34 PM
> To: Joe Touch; Vivek Gupta
> Cc: [EMAIL PROTECTED]
> Subject: Re: Netmeeting - NAT issue
>
> Or, get a NAT which *does* connection-track H.323.  They do exist,
> open-source and not, and work just fine.
>
> Better, get a proper H.323 gateway (which will work behind an H.323
> aware NAT if done properly) so people can call in as well as out.
>
> However, NAT is still brokenness. (and so is H.323)
>
> Andrew
>
> --On Tuesday, March 12, 2002 15:17:35 -0800 Joe Touch [EMAIL PROTECTED]
> wrote:
>
> > NAT doesn't support Netmeeting. It uses H.323 encoding, which uses IP
> > addresses and dynamically assigned ports in-band (inside the connection).
> > The NAT is translating the outer IP addresses, but because your NAT
> > doesn't understand H.323, it doesn't know it would have to also translate
> > the inner addresses and ports. Netmeeting expects that it can dynamically
> > select a port to use to connect back to your machine, but that defeats
> > what a NAT thinks the Internet looks like (notably because it's
> > incorrect).
> >
> > The best solution: get real IP addresses. It's cheaper than wasting your
> > time figuring out why things don't work.
> >
> > Joe
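Peter Ford's note that Windows XP Messenger opens holes through UPnP, and Andrew's reply that such host-to-firewall coordination "is going to be hard to secure", can be made concrete with the message actually involved. The following is an added example, not code from the thread, from Microsoft or from any gateway vendor. The action and argument names (`AddPortMapping` on `urn:schemas-upnp-org:service:WANIPConnection:1`, `NewInternalClient`, `NewLeaseDuration` and so on) are the standard IGD v1 ones; the gateway-side policy in `evaluate_request` is this example's own, since the IGD protocol itself carries no credential at all and only sees the source address of the TCP connection that delivered the SOAP request. The LAN prefix and lease limit are assumed values.

```python
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS = {"s": SOAP_NS, "u": SERVICE}


def build_add_port_mapping(internal_client, internal_port, external_port,
                           proto="TCP", lease=3600, desc="NetMeeting"):
    """SOAP body a control point POSTs to the IGD's control URL."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{SERVICE}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{int(external_port)}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int(internal_port)}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{escape(desc)}</NewPortMappingDescription>
      <NewLeaseDuration>{int(lease)}</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def evaluate_request(soap_xml, requester_ip,
                     lan=ipaddress.ip_network("192.168.1.0/24"),  # assumed LAN
                     max_lease=86400):                            # assumed cap
    """Gateway-side policy: returns ("accept", summary) or ("reject", reason).

    requester_ip is the source address of the TCP connection that carried
    the SOAP request; it is the only identity the protocol gives us.
    """
    try:
        root = ET.fromstring(soap_xml)  # prefer defusedxml for untrusted XML
    except ET.ParseError as e:
        return "reject", f"malformed XML: {e}"
    action = root.find("s:Body/u:AddPortMapping", NS)
    if action is None:
        return "reject", "not an AddPortMapping action"
    args = {child.tag: (child.text or "").strip() for child in action}
    try:
        client = ipaddress.ip_address(args["NewInternalClient"])
        ext_port = int(args["NewExternalPort"])
        int_port = int(args["NewInternalPort"])
        lease = int(args["NewLeaseDuration"])
        proto = args["NewProtocol"].upper()
    except (KeyError, ValueError) as e:
        return "reject", f"missing or malformed argument: {e}"

    if proto not in ("TCP", "UDP"):
        return "reject", f"unsupported protocol {proto!r}"
    if not (0 < ext_port <= 65535 and 0 < int_port <= 65535):
        return "reject", "port out of range"
    if client not in lan:
        # Otherwise the gateway becomes a relay towards an outside address.
        return "reject", f"internal client {client} is not on the LAN"
    if str(client) != requester_ip:
        # A host may open holes towards itself, not towards its neighbours.
        return "reject", f"{requester_ip} may not open a mapping for {client}"
    if lease <= 0 or lease > max_lease:
        # Lease 0 means permanent in IGD v1; force every mapping to expire.
        return "reject", f"lease {lease}s outside 1..{max_lease}"
    return "accept", f"{proto} {ext_port} -> {client}:{int_port} for {lease}s"
```

The two checks that matter for security are the `client not in lan` and `str(client) != requester_ip` lines: without them any process on any LAN host can open an inbound hole to any other host, or to an address outside the LAN, with nothing more than an unauthenticated HTTP POST. The remaining checks (protocol, port range, finite lease) keep a single Messenger session from turning into a permanent exposure.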










Netmeeting - NAT issue

2002-03-12 Thread Vivek Gupta




Hi
I have been bugging you guys a lot for a long time now... especially Hari

OK, here is another question quite similar to the previous one:

NetMeeting by Microsoft is not supported by NAT. This is the major problem.

-- Is this a problem with NAT or with NetMeeting??

I think I should rephrase my query... wait

-- Is it that NetMeeting doesn't support NAT, or that the NAT doesn't
support NetMeeting??

I know that NetMeeting doesn't work with NAT, but where exactly is the
problem: with NAT or with NetMeeting?

Attached is my network set up.

Thanks,
Vivek


[Attachment: NAT.doc (MS-Word document)]


Re: Netmeeting - NAT issue

2002-03-12 Thread Randy Bush

> Net meeting by Microsoft is not suppoted by NAT . this is the major
> problem

you may not have noticed that
  o there is no ietf standards track document for net meeting
  o there is no ietf standards track document for nat

hence no one here is surprised.  caveat emptor.

we design and build the information superhighway.  we can not repair
your car.

randy




Re: Netmeeting - NAT issue

2002-03-12 Thread Keith Moore

> Net meeting by Microsoft is not suppoted by NAT . this is the major
> problem

NATs violate many of the assumptions of the Internet Protocol.  It's 
unrealistic to expect many kinds of IP applications to work in the 
presence of NATs,  unless they were specifically designed to do so.
And while it might seem desirable to make all applications NAT-tolerant,
NAT-tolerant design often imposes significant barriers to the 
performance and scalability of applications, and (due to the need 
for intermediaries to tunnel through NATs) to deployment of such 
applications.

Keith




Re: Netmeeting - NAT issue

2002-03-12 Thread Jose Manuel Arronte Garcia



Hi Vivek:

I am behind a firewall; as Help-desk Mgr. we had to find some answers for
our customers regarding the issues you ask. I am SURE the problem is with
netmeeting and other MS communications software. Try the following links:

http://messenger.msn.com/support/knownissues.asp

http://r450.voice.microsoft.com/netinfo.asp?NAT=yesPLCID=0c0aVersion=4.5CLCID=080aBrandID=MSMSGScountry=MX

http://messenger.microsoft.com/ES/support/helphome.asp?client=1#Q3b

The problem is with Netmeeting, not with NAT.

Regards,
José Manuel Arronte García
Technical Support Supervisor, Helpdesk

Meg@Red Veracruz
Operadora MegaCable S. A. de C. V.
Av. S. Díaz Mirón 2625-A
Fracc. Moderno 91916
Veracruz, Ver., MÉXICO

+52 (229) 923-0400, 923-0410 ext. 5
http://www.megacable.com.mx/
http://www.megared.net.mx/

"Who's the more foolish, the fool, or the fool who follows him?"
--O. W. Kenobi (in Star Wars ep.IV: A New Hope)



- Original Message -
From: Vivek Gupta
To: [EMAIL PROTECTED]
Sent: Tuesday, March 12, 2002 3:48 PM
Subject: Netmeeting - NAT issue

> Hi
> I have been bugging you guys a lot for a long time now... especially Hari
>
> OK, here is another question quite similar to the previous one:
>
> NetMeeting by Microsoft is not supported by NAT. This is the major problem.
>
> -- Is this a problem with NAT or with NetMeeting??
>
> I think I should rephrase my query... wait
>
> -- Is it that NetMeeting doesn't support NAT, or that the NAT doesn't
> support NetMeeting??
>
> I know that NetMeeting doesn't work with NAT, but where exactly is the
> problem: with NAT or with NetMeeting?
>
> Attached is my network set up.
>
> Thanks,
> Vivek