Aren't Microsoft already standardizing this with their Universal Plug and
Play (UPnP) architecture?
That's just midcom, which the IETF is standardizing. We
started before they did but Microsoft got there first and
worst (there's even midcom language in their documents). So
that's
From: Keith Moore [EMAIL PROTECTED]
the reason I point out the flaws with NAT is .. because some people
are still of the belief that NATs are mostly harmless and that we
should not only permit them into v6, but extend our architecture to
embrace them.
Keith, that's
From: Keith Moore [EMAIL PROTECTED]
That means that i) NAT+v4 is here to stay, permanently, as the
packet-forwarding substrate on which we have to live, and ii) many
solutions to the NAT problem have a badly faulty key premise -
which is that the solution will fix IPv4's
From: Michael Thomas [EMAIL PROTECTED]
we're being driven as a community to do both with the ensuing insanity
of two broken models being forced to cohabitate, all the while neither
meeting the actual requirements.
Time to hit the reset button on our current direction, I would
Keith Moore wrote:
Which is why I've done some work to try to make the barrier to
adopting IPv6 on an existing IPv4 network as low as possible.
What you don't realize is that the only thing that you have left to do
is to get 6to4 implemented in NAT boxes. If every Linksys had 6to4 code
and was
Aren't Microsoft already standardizing this with their Universal Plug and
Play (UPnP) architecture?
That's just midcom, which the IETF is standardizing. We
started before they did but Microsoft got there first and
worst (there's even midcom language in their documents). So
that's something
On Thursday, Jun 19, 2003, at 23:42 Europe/Amsterdam, Eric Rescorla wrote:
Realistically, there are three kinds of utility
effects of someone choosing to install a NAT:
(1) The effect on them personally.
(2) The effect on other people who might potentially correspond
with them (a rather
It would be interesting to see how much of the IETF's resources are
used up by NAT issues.
Probably not as much as needed, actually.
Be that as it may, let's do some arithmetic: I would guess
that the really huge equipment vendors probably have about
50 FTEs each working on NAT workarounds
transition (was US Defense Department formally adopts IPv6)
until recently the only way I could get even one
static IP address for my home was through a special deal with a
friend of mine who had a small ISP, and the best bandwidth I could
get was 128kbps. none of the other local providers
From: Eric Rescorla [EMAIL PROTECTED]
(2) NAT solves at least some of those problems, at some
cost (say Cn), both financial and operational and
that solution has benefit Bn.
(3) The fact that a large number of people have chosen
to use NAT is a strong
On Fri, 20 Jun 2003 13:47:35 +0530, manojd [EMAIL PROTECTED] said:
Since the issue is stable end-points, could something like this be a patch
for v4 NATs?
No.
c) Externally visible port number used by an application on some device is
composed of its stable 8-bit number known to NAT, plus
From: Keith Moore [EMAIL PROTECTED]
...
the reason I point out the flaws with NAT is not that I think we can get
rid of them in v4. it's because some people are still of the belief that
NATs are mostly harmless and that we should not only permit them
into v6, but extend our architecture to
* do it. In the meantime, I wear a hat.
*
* -Ekr
*
Perhaps that was Keith's point... a hat as a cure for baldness is
akin to a NAT box as a cure for end system insecurity.
Bob Braden
On Friday, June 20, 2003, at 07:48 AM, J. Noel Chiappa wrote:
That group has no reason to deploy any new technology - what they have
already works fine for them. So if there is a very large population of N-U,
especially if they are a big enough group to be a majority of the Internet
user base,
[EMAIL PROTECTED] writes:
On Wed, 18 Jun 2003 21:30:35 PDT, Eric Rescorla said:
This seems to me like a false dichotomy. If I were deploying a NAT
(which I didn't) there would be certain things I would care about
and others I didn't. If I'm already firewalling off these services,
why
Valdis Kletnieks wrote:
The point I was making is that if an NNTP connection fails because
the firewall is *configured* to say 'None Shall Pass' (insert Monty
Python .wav here ;) then that is *proper* behavior. If a VOIP
connection fails because the NAT is saying 'None Shall Pass', then
On Wed, 18 Jun 2003 22:19:12 PDT, Eric Rescorla said:
You've got it absolutely backwards. The fact that the NAT breaks applications
that I don't want to run anyway is a FEATURE, not a bug.
And the fact that NAT breaks things that you DO want to run is a ?
And unfortunately, a lot of the
Valdis,
Valdis Kletnieks wrote:
And unfortunately, a lot of the Just Does Not Work stuff are
applications like H.323 and VOIP that Joe Sixpack actually
*might* be interested in.
Unfortunately, there is no single reason [protocol or app xyz] does not
work over NAT. When [protocol or app xyz]
Eric,
With due respects, there is a flaw in your thinking. Many ISPs give users NATed
addresses, without users really knowing or understanding what they are. When the users
try applications or services which fail because of the non-transparency, the users may
not know the cause of the failures.
James Seng [EMAIL PROTECTED] writes:
Why should the users be limited to what IT managers decide is good or bad?
The Internet is built on a dumb network and smart terminals. End-users are
supposed to be able to put up their own services, not just run some
apps. This has been the Internet principles
John Loughney [EMAIL PROTECTED] writes:
With due respects, there is a flaw in your thinking. Many ISPs give
users NATed addresses, without users really knowing or understanding
what they are. When the users try applications or services which fail
because of the non-transparency, the users may
On Thu, Jun 19, 2003 at 07:49:14AM -0400, J. Noel Chiappa wrote:
My take is that NATs respond to several flaws in the IPv4 architecture:
- 1) Not enough addresses - this being the one that brought them into
existence.
- 1a) Local allocation of addresses - a variant of the preceding
[EMAIL PROTECTED] writes:
On Wed, 18 Jun 2003 22:19:12 PDT, Eric Rescorla said:
You've got it absolutely backwards. The fact that the NAT breaks applications
that I don't want to run anyway is a FEATURE, not a bug.
And the fact that NAT breaks things that you DO want to run is a ?
I'm
Keith Moore [EMAIL PROTECTED] writes:
Sadly, the IETF seems to find ways to generate immense amounts of heat over
NAT, while sticking its collective head in the sand with regards to
activity in the marketplace.
the NAT vendors are the irresponsible ones. they create a mess out of the
Keith Moore [EMAIL PROTECTED] writes:
If the customers are getting what they want, that seems to me that it
can hardly be characterized as a mess. And you have yet to establish
that they're not getting what they want.
certainly the users I deal with are not getting what they want.
Title: Re: myth of the great transition (was US Defense Department formally adopts IPv6)
Noel,
You are getting too cerebral. We can
look at the marketing info on the box of a NAT product to see what people think
they are getting:
1) Instant Internet Sharing for cable and DSL
2
This is more hyperbole. How have NATs created a mess out of the network?
Yes, I understand that they've made the network environment more
complicated which makes life hard on protocols designers. So what?
If the customers are getting what they want, that seems to me that it
can hardly be
topic.
-Original Message-
From: James Seng [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 10:38 PM
To: Fleischman, Eric
Cc: EKR; Keith Moore; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: myth of the great transition (was US Defense
J. Noel Chiappa wrote:
From: Keith Moore [EMAIL PROTECTED]
The reason that we are explaining (once again) why NAT sucks is that
some people in this community are still in denial about that
The person who's most in denial around here is you - about how definitively
the
Eric Rescorla writes:
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are ones that IT
managers would want to screen off anyway.
Uh, have you paid no
At 02:45 AM 6/19/2003 +, Paul Vixie wrote:
Which BTW come July 1 becomes illegal in the US with the implementation of
the Federal Trade Commission Do Not Call list.
which country's federal do you mean?
http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html
oh, that one. i guess that
Remember Paul ..the issue in most of these laws is to go after the
company offering the products, porn, whatever _via_ spam.
and when they are syn-scanning me from outside the us i can tell who
their client is how?
and when the robot calls back asking me to hold on the line for a human
The person who's most in denial around here is you - about how definitively
the market has, for the moment, chosen IPv4+NAT as the best balance between
cost and effectiveness.
Get a grip. We all know you don't like NAT. You don't need to reply to
*every* *single* *message* *about*
Keith Moore [EMAIL PROTECTED] writes:
certainly the users I deal with are not getting what they want.
others seem to be reporting similar experiences.
Then why don't they switch providers.
variety of reasons: often the provider is not the problem, it's the local
network admins, and
Michael Thomas [EMAIL PROTECTED] writes:
Eric Rescorla writes:
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are ones that IT
managers would want
Melinda Shore [EMAIL PROTECTED] writes:
As I said before, the workarounds that are being
used to help facilitate application traversal of NATs are
definitely introducing new security problems that wouldn't
exist if the NAT weren't there. There are other problems
around robustness and routing.
Eric Rescorla writes:
Michael Thomas [EMAIL PROTECTED] writes:
Eric Rescorla writes:
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are
On Thursday, Jun 19, 2003, at 13:49 Europe/Amsterdam, J. Noel Chiappa wrote:
Maybe NATs are, in fact, a result
of a very deep problem with our architecture.
My take is that NATs respond to several flaws in the IPv4
architecture:
- 1) Not enough addresses - this being the one that brought
Exactly. A NAPT (not a NA(!P)T ..) is in fact a perfectly good
firewall* for the home user. So all this argumentation that a NAPT is
not a firewall is bunk.
* where firewall = a device that protect my internal net from external
threats
simon
On Thursday, June 19, 2003, at 03:46 AM,
Keith, I don't get this argument. A NAPT is a firewall by your own
definition I believe the primary purpose of firewalls should be to
protect the network, not the hosts, from abusive or unauthorized
usage. It's implementing a very simple policy, protect me from the
outside world.
simon
On
Keith Moore [EMAIL PROTECTED] writes:
until recently the only way I could get even one
static IP address for my home was through a special deal with a
friend of mine who had a small ISP, and the best bandwidth I could
get was 128kbps. none of the other local providers would sell me
Michael Thomas [EMAIL PROTECTED] writes:
Eric Rescorla writes:
Michael Thomas [EMAIL PROTECTED] writes:
Eric Rescorla writes:
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most
*
* So, on the one hand, we have the actual behavior of millions of people.
* On the other hand we have Keith Moore's opinion about what they ought
* to prefer. I don't have any trouble figuring out which one I believe.
*
* -Ekr
*
Erik,
Errr, let's see if I understand your
Keith Moore [EMAIL PROTECTED] writes:
Yeah, that there's a subset who cares. They got it. The market is
working.
the market is dysfunctional. it doesn't always fail to deliver what is
needed, but it often does.
That's your claim. I don't buy it.
Apparently not, or they would switch.
Bob Braden [EMAIL PROTECTED] writes:
*
* So, on the one hand, we have the actual behavior of millions of people.
* On the other hand we have Keith Moore's opinion about what they ought
* to prefer. I don't have any trouble figuring out which one I believe.
*
* -Ekr
*
On Thursday, June 19, 2003, at 01:54 PM, Keith Moore wrote:
Keith, I don't get this argument. A NAPT is a firewall by your own
definition I believe the primary purpose of firewalls should be to
protect the network, not the hosts, from abusive or unauthorized
usage.
only if the policy that the
Keith Moore [EMAIL PROTECTED] writes:
they would switch if they had alternatives available. but people
like you keep claiming that alternatives aren't needed because the
market has spoken.
Nonsense. I'd love to see an alternative. Obviously, NATS have costs
and a solution that
On Thu, Jun 19, 2003 at 11:10:03AM -0700, Eric Rescorla wrote:
Users aren't physically handcuffed to their Internet connections.
They have choices as to who to purchase connectivity from. Those
users, if they chose, could purchase connectivity with static IP
addresses and no NAT. They by and
Eric Rescorla writes:
P.S. And btw, I'm not advocating NAT. What I'm advocating is that
we stop behaving as if we think that anyone who uses NAT is obviously
an idiot.
I don't think that I've seen anybody say that.
Most people who use NAT have no clue one way or
the other about NAT any more
I'm not sure what you mean by routing above. Are you suggesting there's
some negative externality in that NAT makes the routing infrastructure
more complicated? If so, what is it?
If you're multihomed and your route changes, your address
changes. (Yes, this happens).
I am profoundly weirded
Keith, I don't get this argument. A NAPT is a firewall by your own
definition I believe the primary purpose of firewalls should be to
protect the network, not the hosts, from abusive or unauthorized
usage. It's implementing a very simple policy, protect me from the
outside world.
NAT has
I said I was done with this discussion, but I think Melinda
deserves a response here.
Melinda Shore [EMAIL PROTECTED] writes:
I'm not sure what you mean by routing above. Are you suggesting there's
some negative externality in that NAT makes the routing infrastructure
more complicated? If
Does this seem like a weird position for an IAB member to take?
I don't think so.
I think economics provides useful tools for talking about
and evaluating this stuff, too, but I think it's pretty
evident that you can optimize for anything you like and get
different results. I question whether
Melinda Shore [EMAIL PROTECTED] writes:
Does this seem like a weird position for an IAB member to take?
I don't think so.
I think economics provides useful tools for talking about
and evaluating this stuff, too, but I think it's pretty
evident that you can optimize for anything you like
Keith Moore [EMAIL PROTECTED] writes:
(1) There are some set of problems that users have or
believe they have.
(2) NAT solves at least some of those problems, at some
cost (say Cn), both financial and operational and
that solution has benefit Bn.
(3) The fact that a
Eric,
Eric Rescorla wrote:
The fact that a large number of people have chosen
to use NAT is a strong argument that B > C. (Here's
where the invocation of revealed preference comes in).
This is not the point. What you are saying is that since B > C it makes
NAT OK. What I am saying (and possibly
Keith,
Michel Py wrote:
IMHO, here is the deal: IPv4 NAT does suck, but there is
nothing we can do to remove it; so the only worthy
efforts are 1) maybe try to make it less worse (I will
not go as far as saying better) and 2) let's not make
the same mistake with IPv6.
Keith Moore wrote:
Ted,
Theodore Ts'o wrote:
So 30 static IP addresses, with a slower service, is over
*five* times more expensive, and over twice as expensive
as faster service with only 2 static IP addresses.
As much as I hate NAT, from an aesthetic perspective,
using two static IP addresses and a NAT box
Eric Rescorla writes:
I said I was done with this discussion, but I think Melinda
deserves a response here.
Melinda Shore [EMAIL PROTECTED] writes:
I'm not sure what you mean by routing above. Are you suggesting there's
some negative externality in that NAT makes the routing
Thus spake James Seng [EMAIL PROTECTED]
The question: smart terminal or smart network?
I believe in smart terminals. Nothing there suggests you should not run
your firewall or any other filtering software on your end-terminal.
End-machines are vulnerable? Then fix the end-machines. It isn't
Michael Thomas [EMAIL PROTECTED] writes:
So just saying that NAT is here get used to it is,
architecturally, not helpful. The split of effort
is to put it mildly a huge drain on engineering
talent, but more importantly the net is becoming
more and more incomprehensible because of it, both
On Thu, 19 Jun 2003 07:27:03 EDT, J. Noel Chiappa said:
The person who's most in denial around here is you - about how definitively
the market has, for the moment, chosen IPv4+NAT as the best balance between
cost and effectiveness.
Actually Noel, I think what he's in denial about is the fact
On Wednesday, Jun 18, 2003, at 04:33 Europe/Amsterdam, Hallam-Baker, Phillip wrote:
I really wish that the IETF had designed a decent NAT box spec rather
than adopting the ostrich position.
http://www.ietf.org/html.charters/nat-charter.html
To: Hallam-Baker, Phillip
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: myth of the great transition (was US Defense Department formally adopts IPv6)
I really wish that the IETF
had designed a decent NAT
The difference between denial of service and policy enforcement
is primarily a question of authorization. Since the people who
install NAT generally own the networks in question, characterizing
NAT as a DoS attack doesn't really seem right.
Well, yeah, but ... NAT is far too crude in its
Keith Moore [EMAIL PROTECTED] writes:
similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.
Really? You have evidence of this?
the evidence I have is from reading vendor advertisements for NAT boxes,
and from talking to
On Wednesday, June 18, 2003, at 12:59 PM, Hallam-Baker, Phillip wrote:
Not at all.
If you want to address denial of service issues you need protocol
enforcement points.
This sounds like you are equating a NAT box with a firewall, which
seems to be common.
I would like to know:
- Is a NAT box
NAT is a denial of service attack, not a means of policy enforcement.
I wonder if NAT is to IETF discussions as Nazis were
to Usenet discussions.
That is, will every heated IETF debate eventually lead to
invoking the NAT bogyman?
And if that were to be true, would the corollary apply
that the
Eric Rescorla writes:
Keith Moore [EMAIL PROTECTED] writes:
similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.
Really? You have evidence of this?
I don't either, but my intuition is that you're wrong. Once you
Keith Moore [EMAIL PROTECTED] writes:
the evidence I have is from reading vendor advertisements for NAT
boxes, and from talking to people who run networks that use NAT.
it's not a random sample, perhaps not a statistically significant
one, but it's been enough to convince me
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are ones that IT
managers would want to screen off anyway.
Not really. For example, ftp as originally defined
On Wednesday, Jun 18, 2003, at 21:17 Europe/Amsterdam, Bob Braden wrote:
Since 1980 we have believed that universal connectivity was one of the
great achievements of the Internet design. Today, one must
unfortunately question whether universal connectivity can be sustained
(or is even the right
From: Keith Moore [EMAIL PROTECTED]
that's an oxymoron. the basic premise of NAT is fundamentally broken.
Just out of interest, do you complain about gravity too?
We lost our chance to avoid NATs when variable length addresses were removed
from TCPv2.5 (IIRC the version number
Subject: RE: myth of the great transition (was US Defense Department formally adopts IPv6)
NAT is a denial of service attack, not a means of policy enforcement.
I wonder if NAT is to IETF discussions as Nazis were
to Usenet discussions
The IAB has talked about NAT. A WG has produced a bunch of
RFCs about NAT. NAT is very widely deployed and comes in
10 different flavors. NAT has a bunch of architectural
ugliness and technical problems. So?
How about some lemonade? An Internet draft that says
something new about NATs
Eric Rescorla [mailto:[EMAIL PROTECTED] wrote:
similarly, people who install NAT usually don't realize how much this
costs them in lost functionality and reliability.
Really? You have evidence of this?
I don't either, but my intuition is that you're wrong. Once you have
decided to have a
Iljitsch van Beijnum writes:
On Wednesday, Jun 18, 2003, at 21:17 Europe/Amsterdam, Bob Braden wrote:
Since 1980 we have believed that universal connectivity was one of the
great achievements of the Internet design. Today, one must
unfortunately question whether universal
Keith Moore [EMAIL PROTECTED] writes:
I don't know enough about how you're doing your distributing computing
to have an opinion, but as for the other two... In my experience,
IT managers are pretty unhappy punching holes in their firewalls
for incoming SIP and IPsec, whether they run NAT
Melinda Shore [EMAIL PROTECTED] writes:
What applications that people want to run--and the IT managers would
want to enable--are actually inhibited by NAT? It seems to me that
most of the applications inconvenienced by NAT are ones that IT
managers would want to screen off anyway.
Not
Keith Moore [EMAIL PROTECTED] writes:
In my experience, IT managers are generally pretty unhappy changing
anything to support their users. People who actually use the
computers or the network are regarded as a nuisance.
Exactly. So, why do you it's NATs that are the cause of users
[EMAIL PROTECTED] (Michael Thomas) writes:
Voice challenges this assumption to a very large
degree. In fact, I not only want access to 99.99%
of the other nodes on the net willing to speak RTP ...
actually i think you probably don't, or rather, won't.
telemarketing by robot is illegal in
At 12:07 AM 6/19/2003 +, Paul Vixie wrote:
[EMAIL PROTECTED] (Michael Thomas) writes:
Voice challenges this assumption to a very large
degree. In fact, I not only want access to 99.99%
of the other nodes on the net willing to speak RTP ...
actually i think you probably don't, or rather,
Which BTW come July 1 becomes illegal in the US with the implementation of
the Federal Trade Commission Do Not Call list.
which country's federal do you mean?
http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html
oh, that one. i guess that means the function will have to move offshore.
On Wed, 18 Jun 2003 16:06:08 PDT, Eric Rescorla said:
Melinda Shore [EMAIL PROTECTED] writes:
Not really. For example, ftp as originally defined doesn't
work through NATs, and no standard VoIP or multimedia
conferencing protocol works through NAT.
None of these things worked real well
[EMAIL PROTECTED] writes:
On Wed, 18 Jun 2003 16:06:08 PDT, Eric Rescorla said:
Melinda Shore [EMAIL PROTECTED] writes:
Not really. For example, ftp as originally defined doesn't
work through NATs, and no standard VoIP or multimedia
conferencing protocol works through NAT.
None
On Wed, 18 Jun 2003 21:30:35 PDT, Eric Rescorla said:
This seems to me like a false dichotomy. If I were deploying a NAT
(which I didn't) there would be certain things I would care about
and others I didn't. If I'm already firewalling off these services,
why should I care if NAT blocks them?
On Wed, 18 Jun 2003 21:55:34 PDT, Michel Py said:
I'm sorry but it is nothing near being that simple. Although if it does
not work through a firewall, it MAYBE because the firewall does block a
class of traffic (more likely because someone forgot to punch the right
hole), there are _plenty_
On Tuesday, June 17, 2003, at 11:51 AM, Hallam-Baker, Phillip wrote:
The key in my view is to work on the NAT vendors, instead of viewing NAT
boxes as an obstacle they should be seen for what they really are, an
essential and important part of the internet infrastructure.
you obviously don't
On Tuesday, June 17, 2003, at 11:51 AM, Hallam-Baker, Phillip wrote:
The key in my view is to work on the NAT vendors, instead of viewing NAT
boxes as an obstacle they should be seen for what they really are, an
essential and important part of the internet infrastructure.
you
On Tue, 17 Jun 2003 19:33:24 PDT, Hallam-Baker, Phillip said:
No, because I design and use applications I really wish that the IETF
had designed a decent NAT box spec rather than adopting the ostrich
position.
If my un-NAT'ed box does a LISTEN on some TCP port, that generates no
outbound