Re: Why people buy NATs

On 1-dec-04, at 1:06, Stephen Sprunk wrote:

> With v6 we have the ability to fix this; through some magic function, users should be able to get a PA (at a minimum) subnet behind their local router/modem/whatever and have a decent interface to configure inbound filters, similar to how they can configure evil NAT port-forwarding today.

So what's the use of a firewall when the boxes behind it get to configure it? If these boxes know what they should and shouldn't accept from the evil internet in the first place, isn't it much easier to accept/reject packets as per this knowledge?

>> A default filter that rejects packets for services that are generally intended for local use only would probably be good enough for a residential IPv6 router. Other services are either not enabled and/or firewalled in the host anyway, or the user actually wants them to work.

> Default filters are a pain, because inevitably they end up blocking something that's useless today but a critical need tomorrow... For instance, my @#%#^ Linksys not only doesn't understand native IPv6 (hello, wake up Cisco!) but it even blocks IP-in-IP packets so I can't use an IPv6 tunnel.

Please reread. I said services that are generally intended for local use. Unknown services can't be presumed to be intended for local use and are thus not filtered by such a policy.

Ideally, I wouldn't want to filter anything, but systems like Windows come with all kinds of services enabled that you really don't want to expose to the whole world, but at the same time you want (some of) these services to be available for local use.

> At a minimum, vendors should document _everything_ the default filter does and allow the user to disable it if necessary.

Of course. The funny thing is that NAT can generally not be disabled by the user. :-) :-(

Note that a default stateful filter is much more harmful than filtering out some obvious stuff such as SMB, as you need to make specific exceptions or use strange tricks in the application to allow incoming sessions, for ALL protocols that use those.

___
Ietf mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/ietf
Re: Why people buy NATs

> As the maintainer of the Linksys Blue Box Router HOWTO, I am quite well aware of this fact. And if my objective were to have exciting adventures in system and network administration, I would have reflashed my Linksys long since. I don't want to have exciting adventures in system and network administration. I want my home network to just freaking *work* so I can concentrate on the problems where my time is most valuable.

Hmmm ... I'm quite happy with the stability of my sveasoft code and find that staying up with their latest releases is pretty trivial and keeps my box humming just fine. What I found exciting about being able to reflash my linksys is that I could have a real router (sort of), *not* have to be an expert, and it *works*! No more difficult than clicking on the software update button periodically.

Just one user's experience ... your horror stories may vary.

Regards,
Carl
Re: Why people buy NATs

Thus spake Iljitsch van Beijnum [EMAIL PROTECTED]
> Actually in IPv6 you are well-protected against random scanning without the need for any device in the middle: a /64 subnet is so large that scanning it is completely infeasible. Now of course someone who knows your address doesn't have to scan, so this protection isn't complete. But for TCP it's entirely trivial to only allow sessions to be set up in one direction. Full stateful firewalling is of course also possible. However, both these options bring back some of the downsides of NAT: in order to make incoming sessions possible, there must be configuration of some sort.

IMHO a firewall function, probably stateful, is necessary in nearly all cases. However, this has gotten so mixed up with NAT that many people (even at vendors) don't realize they're different things. With v6 we have the ability to fix this; through some magic function, users should be able to get a PA (at a minimum) subnet behind their local router/modem/whatever and have a decent interface to configure inbound filters, similar to how they can configure evil NAT port-forwarding today.

> A default filter that rejects packets for services that are generally intended for local use only would probably be good enough for a residential IPv6 router. Other services are either not enabled and/or firewalled in the host anyway, or the user actually wants them to work. (It would be incredibly helpful to have all these local-use services in a fixed range of port numbers for easy filtering...)

Default filters are a pain, because inevitably they end up blocking something that's useless today but a critical need tomorrow... For instance, my @#%#^ Linksys not only doesn't understand native IPv6 (hello, wake up Cisco!) but it even blocks IP-in-IP packets so I can't use an IPv6 tunnel.

At a minimum, vendors should document _everything_ the default filter does and allow the user to disable it if necessary. You don't need to load the gun for them, but if someone wants to shoot themselves in the foot, it's not your duty to prevent them, because they might have a perfectly good reason to.

S

Stephen Sprunk      "God does not play dice."  --Albert Einstein
CCIE #3723          "God is an inveterate gambler, and He throws the
K5SSS                dice at every possible opportunity."  --Stephen Hawking
Re: Why people buy NATs

Thus spake Tim Chown [EMAIL PROTECTED]
> I didn't say that your mother could do this, but given that some amateurs have already modified the Linksys to do v6 then it would not be difficult for Cisco/Linksys to do so in a short timeframe, if they chose to.

The interesting question is why Cisco/Linksys has not done so yet. IMHO, this is the single biggest _logistical_ barrier to IPv6 deployment.

> As for NAT, then v4+NAT dual-stack IPv6 will be very common.

I'd be perfectly happy to run IPv6 on my home network, and let my Linksys do 6-to-4 NAT, real 6to4, IPv6 tunnels, etc. as appropriate. Of course, if my monopoly broadband provider were to wake up and offer native IPv6, I'd want real IPv6 connectivity...

S

Stephen Sprunk      "God does not play dice."  --Albert Einstein
CCIE #3723          "God is an inveterate gambler, and He throws the
K5SSS                dice at every possible opportunity."  --Stephen Hawking
Re: Why people buy NATs

On Mon, 2004-11-29 at 01:38 -0500, Eric S. Raymond wrote:
> Kai Henningsen [EMAIL PROTECTED]:
>> Oh, sorry. Not *exactly*. It's the DHCP *server* which does the DNS update.
>
> My DHCP server is firmware in my Linksys :-).

Which is a Linux box, which can be upgraded ;)
http://www.openwrt.org/
http://www.seattlewireless.net/index.cgi/LinksysWrt54g
etc...

8<--
dhcp client / server
* caching dns server (with hooks to dhcp to lookup dhcp client hostnames
-->8

Linksys WRTG's are probably one of the nicest NAT boxes, you can even let them _route_ IPv6, including firewalling ;)

(Which reminds me to simply get one so I have a very cheap spare linux box to fool around with, almost cheaper as buying vmware ;)

Greets,
 Jeroen
Re: Why people buy NATs

> Oh, sorry. Not *exactly*. It's the DHCP *server* which does the DNS update.
>
> My DHCP server is firmware in my Linksys :-).

well, since linksys has bundled the ISC DHCP server, perhaps you could ask them to upgrade their bundle to a more recent version, that supports DNS updates. or you could disable the linksys dhcp function and run ISC DHCP on what i'm sure is just one of many fine linux machines on your home net.

the point being, there's no new protocol work called for in this thread; all you have to do is use the current features of current protocols, even if you have to change vendors to do it.
--
Paul Vixie
Re: Why people buy NATs

Jeroen Massar [EMAIL PROTECTED]:
> On Mon, 2004-11-29 at 01:38 -0500, Eric S. Raymond wrote:
>> Kai Henningsen [EMAIL PROTECTED]:
>>> Oh, sorry. Not *exactly*. It's the DHCP *server* which does the DNS update.
>>
>> My DHCP server is firmware in my Linksys :-).
>
> Which is a Linux box, which can be upgraded ;)

As the maintainer of the Linksys Blue Box Router HOWTO, I am quite well aware of this fact. And if my objective were to have exciting adventures in system and network administration, I would have reflashed my Linksys long since. I don't want to have exciting adventures in system and network administration. I want my home network to just freaking *work* so I can concentrate on the problems where my time is most valuable.
--
Eric S. Raymond http://www.catb.org/~esr/
RE: Why people buy NATs

> Jeroen Massar wrote:
> What if you want to do VoIP from _multiple_ computers or even real VoIP phones.
>
> Michel Py wrote:
> This has never been an issue in the enterprise.
>
> Indeed not if they are keeping the traffic local or using a proxy. Then you don't have to circumvent NAT anyhow.

Jeroen, this is the usual way. What I am trying to tell you is that you keep arguing about problems that don't exist.

Back to the home/SIP issue: Have you seen the latest Linksys with voice? It's a regular Linksys router with the guts of a Sipura SPA-2000 ATA grafted to it. I have not seen the code for it, but it seems logical that the SIP part would not even have to cross NAT, as it is in the same box that does NAT and therefore has a straight shot at the outside IP address. What was your problem again?

[Game Server]

> And please don't say you have to do manual port forwarding on the NAT box.

You don't have to. There are several NAT traversal mechanisms that don't require manual port forwarding nor uPNP. Skype and Morpheus being examples: zero configuration, and you can place _and_ receive calls (or download _and_ share files). With Skype you can have multiple phone clients behind the NAT that can each receive calls specific to them and even call each other.

> And please don't say you have to do manual port forwarding on the NAT box.

And let me add this: I use port forwarding preferably to uPNP. I like being the one in charge of what's happening on my network. But this is me; for Joe Six-Pack uPNP or Skype-type mechanisms are acceptable.

> End to end is not possible

Users don't give a rip; they don't even know what it is.

> +-------------+   +-------+   .--,--,--.   +-------+   +-------------+
> | Game Server |---| NAT_A |---{ Internet }---| NAT_B |---| Game Client |
> +-------------+   +-------+   `-,---,--'   +-------+   +-------------+
>
> Or are you depending on a public server on the internet?

Then what? You're depending on it anyway as most games will check the serial number to see if it's not pirated. Adding the NAT traversal mechanism to it, who cares?

Again, don't say it does not work because it actually does. You might not like the way it is done, your problem.

> I'm not defending NAT, but the course of action that says people will have to use IPv6 because NAT is not working is flawed.
>
> Quoting yourself from above:
> This where NAT sucks: game developers have to write NAT-compatible code.
> I rest my case ;)

That's where you are missing the point: I'm a user; I don't care if the job of game developers is harder. Economics 101: I will buy the games that work on my system which includes NAT like everyone else. I vote with my wallet, write games that cross NAT and get my money or don't and die. Tough luck, but that's the way it is. Don't confuse working and sucks. The user has no idea whatsoever what it takes to cross NAT, does not care, and does not care either if you and/or the IETF consider the practice impure or heretic.

> - What would it buy the cybercafé owner to have IPv6? Nothing. First, if I needed IPv6 while traveling I would not rely on availability so I have my own. Second, his tunneling might be worse than my own (the cybercafé does not run BGP; I do).
>
> You run BGP where? On your laptop, tunneling IPv4/IPv6 over the cafe's IPv4/IPv6 connectivity? This does not make sense.

I run BGP in California with multiple peers. In many situations, I would be better off tunneling IPv6 from Mexico to California then let the California router decide which one of the peers is the best, opposed to relying on the IPv6 provided by the cybercafé if it's a Freenet6 client that hauls the traffic back to Montreal. Not trying to point any fingers as I do not know the specifics, possibly I could even be better off tunneling IPv6 from DC/IETF back to California instead of relying on the IPv6 provided there which was quite scenic routing.

> Would the cybercafé owner be able to charge me $2 for 30 minutes instead of $2 per hour? No. Would I choose his cybercafé instead of the one next door if the sign said IPv6? No.
>
> The question is more: would you pay $2 for 30 minutes of non-NATted connectivity against $2 for 60 minutes of NATted and crippled connectivity ?

NO! and the reason is it's not crippled: it would _not_ work smoother; it would _not_ work faster and I would have _no_ extra features. All I care is that I get a DHCP address with the default gateway and a DNS server configured right. In this and many other situations being behind NAT or not does not change _anything_ in terms of usability.

> Easy choice for me, I rather pay a bit more for real connectivity,

Geek syndrome. Lots of people on this list have a bad case of it (starting with me). For a long time, I thought that the smallest acceptable home router needed redundant CPU and redundant power. My wife eventually got tired of the space, noise, heat and electric bill associated with the c7507; I just downgraded
Re: Why people buy NATs

I'm sorry to reply so long after the fact, but...

On 23-nov-04, at 3:12, Hans Kruse wrote:
> However, most SOHO sites look for a zero-order level of protection against the random worm trying to connect to an open TCP port on the average windows machine (especially one set up for file/print sharing on the SOHO network), and NAT does that just fine. IPv6 marketing has to take this into account, with a deliberate "here is why the IPv6 gateway provides the same default protection as NAT..." FAQ entry.

Actually in IPv6 you are well-protected against random scanning without the need for any device in the middle: a /64 subnet is so large that scanning it is completely infeasible. Now of course someone who knows your address doesn't have to scan, so this protection isn't complete. But for TCP it's entirely trivial to only allow sessions to be set up in one direction. Full stateful firewalling is of course also possible. However, both these options bring back some of the downsides of NAT: in order to make incoming sessions possible, there must be configuration of some sort.

A default filter that rejects packets for services that are generally intended for local use only would probably be good enough for a residential IPv6 router. Other services are either not enabled and/or firewalled in the host anyway, or the user actually wants them to work. (It would be incredibly helpful to have all these local-use services in a fixed range of port numbers for easy filtering...)
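The two residential filter styles contrasted in this message and in the replies to it (a "one-direction" TCP rule that only refuses inbound session setup, versus full stateful filtering that passes inbound traffic only for flows a LAN host started), each behind a small default blocklist of local-use-only services, modelled in Python. This is an added illustration written for this page, not code from the thread or from any router vendor; the port list, the sample addresses and the sample packets are constructed assumptions, and the /64 figure is just the arithmetic behind the "completely infeasible" remark.

```python
"""Model of a residential IPv6 filter in the two styles discussed in the thread:

  * stateless "one-direction TCP": refuse inbound TCP session setup
    (SYN without ACK) and let everything else through;
  * full stateful: pass inbound traffic only when it belongs to a flow
    that a LAN host started.

Both sit behind a default blocklist of services generally intended for
local use only.  Added illustration for this page; not code from the
mailing-list thread or from any router vendor.  The port list, the sample
addresses and the sample packets are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    inbound: bool      # True: Internet -> LAN, False: LAN -> Internet
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP flags; meaningless for UDP
    ack: bool = False


# Services "generally intended for local use" (assumed default list: the
# thread names SMB, the NetBIOS/RPC ports are its usual companions).
LOCAL_USE: Set[Tuple[str, int]] = {
    ("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138),
}

# proto, lan_addr, lan_port, remote_addr, remote_port
FlowKey = Tuple[str, str, int, str, int]


class ResidentialFilter:
    def __init__(self, stateful: bool,
                 inbound_exceptions: Iterable[Tuple[str, int]] = ()) -> None:
        self.stateful = stateful
        # User-configured inbound holes: the IPv6 counterpart of port forwarding.
        self.exceptions: Set[Tuple[str, int]] = set(inbound_exceptions)
        # Flows a LAN host started (consulted only in stateful mode).
        self.flows: Set[FlowKey] = set()

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            # Outbound always passes; remember the flow for the stateful mode.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "pass"
        # An explicit user choice overrides every default, as the thread asks for.
        if (p.proto, p.dport) in self.exceptions:
            return "pass:user-exception"
        if (p.proto, p.dport) in LOCAL_USE:
            return "drop:local-use-service"
        if self.stateful:
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "pass:established" if key in self.flows else "drop:no-state"
        # Stateless one-direction rule: only TCP *session setup* from the
        # outside is refused; replies (ACK set) and all UDP flow freely.
        if p.proto == "tcp" and p.syn and not p.ack:
            return "drop:inbound-syn"
        return "pass"


def run(policy: ResidentialFilter, packets: Iterable[Packet]) -> List[str]:
    """Apply the policy to a packet sequence, returning one verdict per packet."""
    return [policy.decide(p) for p in packets]


def scan_time_years(probes_per_second: float) -> float:
    """Years needed to probe every address of a single /64 at the given rate."""
    return 2 ** 64 / probes_per_second / (365.25 * 24 * 3600)


# Constructed sample traffic; addresses are from the documentation prefix.
LAN, WEB, PEER = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:ffff::99"
SAMPLE = [
    Packet(False, "tcp", LAN, 50000, WEB, 443, syn=True),           # LAN opens HTTPS
    Packet(True, "tcp", WEB, 443, LAN, 50000, syn=True, ack=True),  # SYN/ACK back
    Packet(True, "tcp", PEER, 40000, LAN, 445, syn=True),           # unsolicited SMB
    Packet(True, "tcp", PEER, 40001, LAN, 22, syn=True),            # unsolicited SSH
    Packet(True, "udp", PEER, 27015, LAN, 27015),                   # unsolicited UDP
    Packet(False, "udp", LAN, 5353, PEER, 27016),                   # LAN sends UDP first
    Packet(True, "udp", PEER, 27016, LAN, 5353),                    # reply to it
]

if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "one-direction", run(ResidentialFilter(mode), SAMPLE))
    print("one /64 at 1e9 probes/s: %.0f years" % scan_time_years(1e9))
```

Running the same seven packets through both modes shows the trade-off the thread argues about: the one-direction rule lets the unsolicited UDP datagram (fifth packet) through, so a protocol nobody anticipated still works, while the stateful filter drops it and needs an `inbound_exceptions` entry for every such protocol. The price of the stateless rule is that any inbound TCP segment with ACK set reaches the host, which then has to answer with a reset itself; the blocklist is what keeps the Windows local-use services out of reach in either mode, and a user override is honoured before the blocklist so the default can be switched off per service.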
Re: Why people buy NATs

[EMAIL PROTECTED] (Leif Johansson) wrote on 27.11.04 in [EMAIL PROTECTED]:
> Jeroen Massar wrote:
>> On Fri, 2004-11-26 at 10:11 +0100, Leif Johansson wrote:
>>>> For somebody administering a network of 100 machines, the hassle cost of IP renumbering would be twenty times larger. Given this, how could anyone wonder why NAT is popular?
>>> Wrong. If you administer 100's or 1000s of machines you build or buy a system for doing address management. Renumbering is only difficult if your system is called vi :-)
>> Wrong ;) Well at least, up to 1000 is probably doable. But what if you are talking about 100s or 1000s of organizations with each a 100 or 1000 machines.
> My site is 10k+ addresses. Seems easy enough to manage to me :-)

If you have servers on your segment, they get addresses from the X..Y pool. Otherwise, you use DHCP, or you get fired. Something like that? Seems a fairly obvious solution.

MfG Kai
Re: Why people buy NATs

[EMAIL PROTECTED] (Eric S. Raymond) wrote on 22.11.04 in [EMAIL PROTECTED]:
> Fred Baker [EMAIL PROTECTED]:
>> I submit that if your environment is at all like mine, you don't actually configure 192.168.whatever addresses on the equipment in your house. You run DHCP within the home and it assigns such. That being the case, you actually don't know or care what the addresses are on your equipment. You care that your SIP Proxy and etc know the relationships, and they derive them directly without your intervention.
>
> Actually, I do set up static addresses. I'd use DHCP, but if I did that I would not be able to refer to the machines on my local net by name. Until my DHCP client can update my DNS tables with name information on the fly, I'll keep doing it this way. Apple's zeroconf technology solves this problem, albeit in a slightly different way, but Linux doesn't deploy it yet.

It doesn't? Then pray, what is it I use at the job that does exactly this? (Hint: ISC DHCP 3, ISC BIND 9, running on a Debian woody/sarge hybrid install.)

Oh, sorry. Not *exactly*. It's the DHCP *server* which does the DNS update.

> I don't think my situation is unique.

It's at least rather strange.

MfG Kai
Re: Why people buy NATs

Kai Henningsen [EMAIL PROTECTED]:
> Oh, sorry. Not *exactly*. It's the DHCP *server* which does the DNS update.

My DHCP server is firmware in my Linksys :-).
--
Eric S. Raymond http://www.catb.org/~esr/
Re: Why people buy NATs

At 03:53 27/11/2004, [EMAIL PROTECTED] wrote:
> On Sat, 27 Nov 2004 02:33:54 +0100, JFC (Jefsey) Morfin said:
>> But why to spend time and money and to take risks to change something which is not broken. IPv6 has no problem in keeping the same host numbers if the used addressing plan uses a numbering scheme designed with that purpose in mind, like the telephone numbering scheme. You change of telephone providers - or use several at the same time - without changing number.
>
> That's because the phone number is more akin to a DNS name than an IP address. I'm pretty sure that if you investigate the insides of how the telco system makes that transparent provider-change work, you'd not be as interested in using it as an example. (Or did you *want* to go back to the days when routing tables were shipped around and installed on the fuzzballs twice a week? I got tired of *that* back in 1984. And back then, the routing tables were only a few hundred lines long, not the 150K routes we have now...)

Dear Valdis,
OK, I will document it more. Back in 1978 when we introduced the structured naming on the public international packet switch network, we based it upon a routing technology separating addresses from routing. This is why *since its inception* I am tired of dumb table routing. As Harald puts it: IETF is to maintain IPv4, develop IPv6 and imagine mobile IP. I submit these are totally different problems than to analyze and build from an existing solution, and to analyze a need and design a new solution. So, please let us use the past as a bank of experience, but let us not talk of going back when referring to analyses also used (and tested) in the past. We simply know them better.

Call establishment needs four pieces of information:
- (a) where the caller calls from
- (b) how the caller identifies the callee in a directory of called addresses
- (c) how the callee designates himself in a directory of called addresses
- (d) routing information from caller to callee

From Internet past usage (b) is named "name" and uses structured 0-Z numbers, (c) is named "IP address" and uses 0-255 numbers also expressed in 0-9 and (d) uses various information sources and systems (DNS, header of the address, routing tables). This results from an optimization and network principles based upon Louis Pouzin's catenet principles and Vint's generalization (EIN78) back in 1974/1978. This is a cute compromise between the distributed nature of the needs and the centralization required by the computer capacity of the time, in a decentralized academic governance: it has worked well for 30 years. Other communications systems had, have and will have different compromises. For example, telephone has its own compromises you refer to. This leads to a hierarchical vision described as "network of the networks". I submit that this time is over and that the current usage paradigm (hence the usage specification trend) is far more subtle. I would describe it as a "continuity of involvements". As you say, these compromises were over a few lines. They supported well the growth because of the growth of the computer power and the decrease of the prices. This has hidden that the constraints which led to these compromises exist no more, and that new - far more user oriented - constraints appeared which should lead to new compromises. This is all what I try to make accepted and introduced in the Internet standard process in being in here.

From the current regulatory thinking evolution, I see that
- considering a telephone number as a sequentially distributed ID nationwide,
- and to attach in it service information (a service prefix) rather than routing information (area code)
are for the few years to come concepts they _want_ to publicly investigate. IMHO, that approach addresses most of the addressing reasons NATs are used for, since host/subhost addresses are stable and quite unlimited. But it is true that this could lead to gigantic table sizes and to an incredible processing load if we wanted to have the QoS we initially had on the international public network before OSI. Or to keep and better the current telephone call establishment QoS. I submit that this problem is far easier to solve than when it was investigated 30 years ago. Because of the experience of the last 30 years, and because of the network capacity/computer power of today (150 K is a big spam mail size. Every morning my AVG loads a 1.5 Meg update and rebuilds my tables). So, I am not concerned by the size to load and by the refresh. But I am concerned by the table size with the growth in the number of what could be wild IP addresses and the resulting CPU load on routers. This is why I submit that what we name an "IP address" should be understood as an IPv6 header container for a call management matrix as much as it is an IPv4 longer address to transparently migrate from IPv4 to NGN. This management matrix could for example contain:
- the numbering plan block (for example
Re: Why people buy NATs

Jeroen Massar wrote:
> On Fri, 2004-11-26 at 10:11 +0100, Leif Johansson wrote:
>>> For somebody administering a network of 100 machines, the hassle cost of IP renumbering would be twenty times larger. Given this, how could anyone wonder why NAT is popular?
>> Wrong. If you administer 100's or 1000s of machines you build or buy a system for doing address management. Renumbering is only difficult if your system is called vi :-)
> Wrong ;) Well at least, up to 1000 is probably doable. But what if you are talking about 100s or 1000s of organizations with each a 100 or 1000 machines.

My site is 10k+ addresses. Seems easy enough to manage to me :-)
RE: Why people buy NATs

On Thu, 2004-11-25 at 14:53 -0800, Michel Py wrote:
> Jeroen Massar wrote:
>> What if you want to do VoIP from _multiple_ computers or even real VoIP phones.
>
> This has never been an issue in the enterprise.

Indeed not if they are keeping the traffic local or using a proxy. Then you don't have to circumvent NAT anyhow.

<SNIP>

>> Or something nice as setting up a gameserver behind your NAT.
>
> Newer game protocols work fine over NAT.

Please tell me how to setup a eg Doom III, Halflife2 server behind a NAT and let other people on the internet connect to it. Thus to draw a picture for you:

+-------------+   +---------+   .--,--,--.   +-------------+
| Game Server |---| NAT Box |---{ Internet }---| Game Client |
+-------------+   +---------+   `-,---,--'   +-------------+

This maybe works if you have an uPnP compatible NAT and when above two support uPnP, but afaik both don't support that. And please don't say you have to do manual port forwarding on the NAT box.

End to end is not possible in the above, or an even more common situation, because of course ISP's have too few IPv4 addresses and IPv4 addresses are expensive thus they charge you for it, thus most people only get 1 IP address, because there simply isn't an alternative in most cases (ISP's should charge for traffic not IP's):

+-------------+   +-------+   .--,--,--.   +-------+   +-------------+
| Game Server |---| NAT_A |---{ Internet }---| NAT_B |---| Game Client |
+-------------+   +-------+   `-,---,--'   +-------+   +-------------+

How will this work? Open 'known ports' on each NAT box? What if you have two brothers behind NAT_B who want to play a competition to the two sisters running the Game Server behind NAT_A? Won't work now will it. Or are you depending on a public server on the internet?

Guess why there are hosting companies selling Game Server packages and they earn a lot of centavos with that, apparently for them it is not so hard to get enough IP's, may they be IPv4 or IPv6.

>> This where NAT sucks: game developers have to write NAT-compatible code.
>
> But they do: contrary to IPv6 which is optional, NAT support has become mandatory. No NAT support no sales. No IPv6 support nobody gives a rip.

Chicken and egg, you know the problem quite well. They could easily support it, but for some reason they don't. I actually wonder why, because it is not hard at all to do it. For the coder folks: http://gsyc.escet.urjc.es/~eva/IPv6-web/ipv6.html

> Tell me: which game would you be playing?
> 1. The game that works over IPv4 NAT.
> 2. The game that works only over IPv4 no-NAT.
> 3. The game that works only over IPv6.

Nobody demands an IPv6-only anything. Dual-stack is the keyword everywhere in all the transition documents I have seen.

> Answer: 1. Because 2 does not exist (save for the hacked Quake done by our Viagenie friends) and 3 does not sell because NAT is the standard setup these days. Have a good frag with yourself with IPv6.

You mix up 2 & 3 here, but absolutely correct, when there is no chicken, there will be no egg. Someone has to start doing it and then it will come by itself.

>> Nevertheless, most homes currently only consist of maybe 3 Ethernet segments
>
> Where does this come from? 99.9% of home/SOHO setups consist of _one_ Ethernet segment.

Read the maybe part, I should have inserted a 'max' here though.

> I'm not defending NAT, but the course of action that says people will have to use IPv6 because NAT is not working is flawed.

Quoting yourself from above:
> This where NAT sucks: game developers have to write NAT-compatible code.
I rest my case ;)

> What if I wanted to use IPv6 in Mexico while on vacation? I actually could: I would have to tunnel it over IPv4 over double NAT.
> - What would it buy me? Nothing.
> - What would it cost me? Configuration time. Not too bad, but do you realize how hard it is to configure a network with the laptop on your lap, a hand holding the pinacolada glass (harder than Noel's) and your eyes looking at the chiquitas on the beach?

Freenet6 has had this nice automatic tunneling tool for quite some time already. Oh and due to the many people behind NAT's it also crosses that. And I know another effort who can do this. Not even mentioning VPN's (IPv4 and IPv6 over NAT :) which seem to be your solution of choice.

> - What would it buy the cybercafé owner to have IPv6? Nothing. First, if I needed IPv6 while traveling I would not rely on availability so I have my own. Second, his tunneling might be worse than my own (the cybercafé does not run BGP; I do).

You run BGP where? On your laptop, tunneling IPv4/IPv6 over the cafe's IPv4/IPv6 connectivity? This does not make sense.

> Would the cybercafé owner be able to charge me $2 for 30 minutes instead of $2 per hour? No. Would I choose his cybercafé instead of the one next door if the sign said IPv6? No.

The question is more: would you pay $2 for 30 minutes of non-NATted connectivity against $2 for 60
Re: Why people buy NATs

> For somebody administering a network of 100 machines, the hassle cost of IP renumbering would be twenty times larger. Given this, how could anyone wonder why NAT is popular?

Wrong. If you administer 100's or 1000s of machines you build or buy a system for doing address management. Renumbering is only difficult if your system is called vi :-)

MVH leifj
RE: Why people buy NATs

> Peter Ford wrote:
> I do vehemently agree with your last paragraph. In some sense, you are saying that NAT is an intrinsic part of the nominal residential gateway (could be expanded for soho and small/medium business).
>
> Eric S. Raymond wrote
> Indeed. I think this is true.

There is nothing truer than this. Before all this half-true-half-false discussion about the relation between NAT and security, the primary reason early users bought Linksys and precursors was for the NAT feature. NAT is an intrinsic part not only of the nominal residential gateway but also of many larger networks.

> Several people on this list have tried to tell me that I don't really want the IP address space on my local net to be decoupled from the server address. They are wrong. I want to be able to change ISPs by fixing *one* IP address in *one* place, and I want to control the mapping from global IP addresses to local ones. This desire has nothing to do with IPv4 vs. IPv6 and everything to do with wanting to be able to make only small, conservative changes in my network configuration rather than having to completely disrupt it. Once again, I don't think my situation is unique.

Of course it's not, you are among the millions that do the same.

> For somebody administering a network of 100 machines, the hassle cost of IP renumbering would be twenty times larger.

It's actually a lot worse than many think. Anyone here that has actually done it cares to comment on how easy and fast it is to renumber a Windows Domain Controller that is a global catalog server and an operations master? :-D

Michel.
Re: Why people buy NATs

On Sat, 27 Nov 2004 02:33:54 +0100, JFC (Jefsey) Morfin said:
> But why to spend time and money and to take risks to change something which is not broken. IPv6 has no problem in keeping the same host numbers if the used addressing plan uses a numbering scheme designed with that purpose in mind, like the telephone numbering scheme. You change of telephone providers - or use several at the same time - without changing number.

That's because the phone number is more akin to a DNS name than an IP address. I'm pretty sure that if you investigate the insides of how the telco system makes that transparent provider-change work, you'd not be as interested in using it as an example. (Or did you *want* to go back to the days when routing tables were shipped around and installed on the fuzzballs twice a week? I got tired of *that* back in 1984. And back then, the routing tables were only a few hundred lines long, not the 150K routes we have now...)
RE: Why people by NATs
Jeroen Massar wrote:
> What if you want to do VoIP from _multiple_ computers or even real VoIP phones.

This has never been an issue in the enterprise. In the typical enterprise VOIP design (if there is such a thing) there's no way an IP phone could have direct access to the Internet, for the same reasons there's no way a PC could have direct access to the Internet. PCs use either a proxy server or a firewall with content filtering; IP phones use an enterprise registration server that also provides AAA. Link to POTS is provided by a specialized box (universal access server for big setups or low-end router with DSP add-ons for smaller ones), as your enterprise voice dude does not want you to call 1-900-GET-PR0N over IP any more than your enterprise data dude wants you to surf www.whitehouse.com.

In many situations, the VOIP protocol used inside the enterprise is proprietary: recently I have seen more IP phones using Skinny than all the other protocols combined. Do the Skinny phones access the Internet? No. Is it a problem? No. If a Skinny phone wants to talk to a SIP phone, it uses a gateway. From what I have seen, it does not appear much more difficult to make a Call Manager server talk to a SIP server than two SIP servers together. Even in an IPv6-only world, the IPv4 VOIP system would still work: phones already have an identifier (the phone number) different from the locator (the IPvX address); all that would be required would be an IPv4 - IPv6 gateway.

> Or something nice as setting up a gameserver behind your NAT.

Newer game protocols work fine over NAT. This is where NAT sucks: game developers have to write NAT-compatible code. But they do: contrary to IPv6 which is optional, NAT support has become mandatory. No NAT support, no sales. No IPv6 support, nobody gives a rip. Tell me: which game would you be playing?

1. The game that works over IPv4 NAT.
2. The game that works only over IPv4 no-NAT.
3. The game that works only over IPv6.

Answer: 1. Because 2 does not exist (save for the hacked Quake done by our Viagenie friends) and 3 does not sell because NAT is the standard setup these days. Have a good frag with yourself with IPv6.

> Nevertheless, most homes currently only consist of maybe 3 Ethernet segments

Where does this come from? 99.9% of home/SOHO setups consist of _one_ Ethernet segment.

Even at home, the VOIP/NAT issue does not strike me. I have two H.323 internal numbers (had them forever) and two SIP external numbers on a single IP at home (this has not been working until recently). If your NAT supports SIP and STUN (they will all do at some point) you don't have a problem. I'm not defending NAT, but the course of action that says people will have to use IPv6 because NAT is not working is flawed.

The VOIP issue reminds me of VPN issues in the past: yes there were days when PPTP would not cross NAT and there were days when IPSEC would not cross NAT. These days are gone.

I currently am on vacation in Mexico; hotels typically don't have high-speed access, and phone calls are an absolute rip-off not to mention dog-slow. Fortunately there are cybercafés (cheap, $2/hour, DSL speed) all over the place. These are small shops that typically have a basic DSL line (1024/128) and a Linksys/3Com residential type NAPT box. Each time I hooked up I got an RFC1918 address behind NAT. Guess what: my VPNs work, my Skype works and my Skinny client works (kinda, too much jitter).

In 6 months or a year you won't hear the SIP/NAT problem anymore (just like you don't hear about VPN across NAT issues anymore), which takes care of the home/SOHO issue. And, as mentioned above, the issue does not really exist in the enterprise.

The proof is in the pudding: if you read this, it has crossed NAT _at least_ three times already:
- at the cybercafé in Mexico.
- at my home, connecting my Outlook in Mexico to the Exchange server in California across the VPN tunnel.
- from the Exchange server to your SMTP server egress.

What if I wanted to use IPv6 in Mexico while on vacation? I actually could: I would have to tunnel it over IPv4 over double NAT.

- What would it buy me? Nothing.
- What would it cost me? Configuration time. Not too bad, but do you realize how hard it is to configure a network with the laptop on your lap, a hand holding the pinacolada glass (harder than Noel's) and your eyes looking at the chiquitas on the beach?
- What would it buy the cybercafé owner to have IPv6? Nothing. First, if I needed IPv6 while traveling I would not rely on availability so I have my own. Second, his tunneling might be worse than my own (the cybercafé does not run BGP; I do). Would the cybercafé owner be able to charge me $2 for 30 minutes instead of $2 per hour? No. Would I choose his cybercafé instead of the one next door if the sign said IPv6? No.
- What would it cost the cybercafé owner to have IPv6? Lots of money, especially in pesos. First, replace this $50 NAT box with an
Re: Why people by NATs
On Mon, 2004-11-22 at 14:49 -0500, Eric S. Raymond wrote:
> Fred Baker [EMAIL PROTECTED]:
>> I submit that if your environment is at all like mine, you don't actually configure 192.168.whatever addresses on the equipment in your house. You run DHCP within the home and it assigns such. That being the case, you actually don't know or care what the addresses are on your equipment. You care that your SIP Proxy and etc know the relationships, and they derive them directly without your intervention.
>
> Actually, I do set up static addresses. I'd use DHCP, but if I did that I would not be able to refer to the machines on my local net by name.

I do hope that you know you can assign 'static' addresses based on MAC address and a number of other properties that the dhcp client provides. The dhcp server will then just assign the configured prefix. This is actually what most ISPs use, but they will only give people one IP.

> Until my DHCP client can update my DNS tables with name information on the fly, I'll keep doing it this way. Apple's zeroconf technology solves this problem, albeit in a slightly different way, but Linux doesn't deploy it yet.

Even Windows can do that ;) But so can any UNIX or basically anything where you can compile bind utils on:
http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
or the exact same thing but for Windows:
http://unfix.org/~jeroen/archive/Windows_DynamicDNS_Update.zip

Greets,
Jeroen
Re: Why people by NATs
On Mon, Nov 22, 2004 at 05:11:26PM +0100, Jeroen Massar wrote:
> Depends on the type of home user ;) Nevertheless, most homes currently only consist of maybe 3 ethernet segments (wired, wireless, office or something) and maybe a max of 20 hosts. Changing the IPs of those hosts should not be a problem even if you had to do it manually. Most of these NAT boxes come with built-in DHCP support, hopefully they will come with IPv6 and RA and maybe DHCPv6 support too in the near future (Yamaha has them already :)

Or you just modify a Linksys router :)

-- 
Tim
Re: Why people by NATs
On Mon, Nov 22, 2004 at 10:44:07AM -0800, Fred Baker wrote:
> At 01:05 PM 11/22/04 -0500, Richard Shockey wrote:
>> Yes Fred I would _expect_ my ISP to sell me a /64 but at what price? It continues to amaze me that no one discussing the IP V6 adoption issues will focus attention on the obvious question ..what is it going to cost me?
>
> Is there any way the engineer can predict that or control it? What the architecture has made exceedingly clear is that the ISP can't expect to dole out /128 prefixes, and has no incentive to. It could state that it wants to only do address autoconfiguration on its interfaces, and it could watch its customers vote with their feet. ISPs aren't that stupid, I don't think. They understand what Linksys has done with their market.

The fact that some European providers have been allocated a /20 shows they have a plan to allocate /48's to millions of customers; a plan at least convincing enough to the RIR. So certainly not a /128, and probably not a /64 :)

-- 
Tim
Re: Why people by NATs
On Tue, 2004-11-23 at 12:17 +, Tim Chown wrote:
> On Mon, Nov 22, 2004 at 05:11:26PM +0100, Jeroen Massar wrote:
>> Depends on the type of home user ;) Nevertheless, most homes currently only consist of maybe 3 ethernet segments (wired, wireless, office or something) and maybe a max of 20 hosts. Changing the IPs of those hosts should not be a problem even if you had to do it manually. Most of these NAT boxes come with built-in DHCP support, hopefully they will come with IPv6 and RA and maybe DHCPv6 support too in the near future (Yamaha has them already :)
>
> Or you just modify a Linksys router :)

Ack, nicely turn that NAT box into a real router by flashing it with a

This is unfortunately not something that most people dare to do. Then again, I know that quite a lot of people 'upgraded' their SpeedTouch Home's to Pro's for somewhat the same purpose. And for that matter a lot of people upgrade their Xboxes, PS2's etc. There is always somebody who can do this around.

I understood there were Seasoft firmwares for the above Linksys's that even have aiccu preloaded on them, so that the box can very easily build an IPv6 tunnel in cases where there is no native connectivity ;)

Greets,
Jeroen
Re: Why people by NATs
On Tue, Nov 23, 2004 at 01:44:30PM +0100, Jeroen Massar wrote:
> On Tue, 2004-11-23 at 12:17 +, Tim Chown wrote:
>> On Mon, Nov 22, 2004 at 05:11:26PM +0100, Jeroen Massar wrote:
>>> Depends on the type of home user ;) Nevertheless, most homes currently only consist of maybe 3 ethernet segments (wired, wireless, office or something) and maybe a max of 20 hosts. Changing the IPs of those hosts should not be a problem even if you had to do it manually. Most of these NAT boxes come with built-in DHCP support, hopefully they will come with IPv6 and RA and maybe DHCPv6 support too in the near future (Yamaha has them already :)
>>
>> Or you just modify a Linksys router :)
>
> Ack, nicely turn that NAT box into a real router by flashing it with a
>
> This is unfortunately not something that most people dare to do. Then again, I know that quite a lot of people 'upgraded' their SpeedTouch Home's to Pro's for somewhat the same purpose. And for that matter a lot of people upgrade their Xboxes, PS2's etc. There is always somebody who can do this around.

I didn't say that your mother could do this, but given that some amateurs have already modified the Linksys to do v6 then it would not be difficult for Cisco/Linksys to do so in a short timeframe, if they chose to.

As for NAT, then v4+NAT dual-stack IPv6 will be very common.

-- 
Tim
Re: Why people by NATs
On Tue, 23 Nov 2004, Tim Chown wrote:
> On Tue, Nov 23, 2004 at 01:44:30PM +0100, Jeroen Massar wrote:
>> On Tue, 2004-11-23 at 12:17 +, Tim Chown wrote:
>>> On Mon, Nov 22, 2004 at 05:11:26PM +0100, Jeroen Massar wrote:
>>>> Depends on the type of home user ;) Nevertheless, most homes currently only consist of maybe 3 ethernet segments (wired, wireless, office or something) and maybe a max of 20 hosts. Changing the IPs of those hosts should not be a problem even if you had to do it manually. Most of these NAT boxes come with built-in DHCP support, hopefully they will come with IPv6 and RA and maybe DHCPv6 support too in the near future (Yamaha has them already :)
>>>
>>> Or you just modify a Linksys router :)
>>
>> Ack, nicely turn that NAT box into a real router by flashing it with a
>>
>> This is unfortunately not something that most people dare to do. Then again, I know that quite a lot of people 'upgraded' their SpeedTouch Home's to Pro's for somewhat the same purpose. And for that matter a lot of people upgrade their Xboxes, PS2's etc. There is always somebody who can do this around.
>
> I didn't say that your mother could do this, but given that some amateurs have already modified the Linksys to do v6 then it would not be difficult for Cisco/Linksys to do so in a short timeframe, if they chose to.
>
> As for NAT, then v4+NAT dual-stack IPv6 will be very common.

And from a dual stack v4+NAT/v6 implementation over a year old, a very effective solution.

Scott

> -- 
> Tim

sleekfreak pirate broadcast
http://sleekfreak.ath.cx:81/
RE: Why people by NATs
shogunx wrote:
> ...
> Ok. I'll bite. Who do you propose to tunnel to by default in all these embedded devices? Do you give users a choice of tunnel brokers? Does it work out of the box? Do you give them one address, or how large an allocation, or what?

RFC 3056 /or draft-huitema-v6ops-teredo-02.txt

See: www.threedegrees.com for an IPv6-only application that already leverages automated tunneling so the end user is completely unaware of IPv6 as a technology requirement.

Tony
RE: Why people by NATs
Richard Shockey wrote:
> ...
>> Yes deployment will be gated by economic factors. The problem the IETF and the transit network operator community keep overlooking is that the economic costs are not down in the plumbing. The costs are in application development and end system/lan administration.
>
> This is an excellent point that focuses on the real issue of economics. If these inhibitors can be more specifically quantified I'd feel a lot more hopeful that one could create a pricing model that drives demand.

Therein lies the problem. Quantifying something that is widely distributed in small pockets is very difficult. At one point a few years ago I was aware of 5 different teams working on nat traversal mechanisms for their specific application. This was all within one company. Not only were they unaware of each other, they were so focused on solving their specific task that they couldn't consider trying to generalize to consolidate their efforts.

> So you would say the transit operators will not SELL the product since the customer ( end user and or enterprise) cannot support it or they cannot afford the upgrades to existing edge infrastructure (Cisco, Juniper, usual suspects, MS et al ) necessary to support the transition?

The point is they can't sell you new plumbing unless you know the existing pipes are not doing the job. Even then people only buy the plumbing to accomplish the end use application. The plumbing is not a goal in itself, and therefore doesn't really qualify as a marketable product.

> Part of the problem of course is the false perception .. perpetuated by countless commentators that NAT's are a better security measure than firewalls.

One goal of the NAP document is to point out that a nat may be simpler than traditional corporate firewalls, but it is not 'better security'.

> I still think V4 to V6 pricing for numbering will and should play a role.

Numbers have no value. I understand service providers get away with charging for numbers in IPv4, but that is an artificial market created by the real scarcity. Once the application development community recognizes that it is cheaper for them to build over IPv6 than to retain small armies to develop nat workaround hacks or deal with the additional support costs from that complexity, and that through tunneling they don't have to wait for lethargic operators to move first, there will be plenty of economic motivation for deployment.

> Well the good news is that SIP principally among other new and emerging realtime applications driven by explosive residential broadband deployment is forcing the issue.

The potential exists, but quantifying the development and complexity of operation costs that are spread around the edge is still a challenge.

>> The frog is in the pot and the water temperature is rising. Given the general state of denial it is likely that the water will boil before the dead frog wakes up to notice.
>
> Well if the frog is V4 let it cook ...

Well in this case the IETF is the one in the hot water.

Tony
Re: Why people by NATs
On Tue, 23 Nov 2004 13:44:30 +0100, Jeroen Massar said:
> Ack, nicely turn that NAT box into a real router by flashing it with a
>
> This is unfortunately not something that most people dare to do. Then again, I know that quite a lot of people 'upgraded' their SpeedTouch

Argh. Flashing it with a *what*?? Toss us a bone or a URL or something :)
Re: Why people by NATs
At 06:00 PM 11/22/2004, Fred Baker wrote:
> At 12:10 PM 11/22/04 -0800, Chris Palmer wrote:
>> There's another feature of NAT that is desirable that has not yet been mentioned, and which at least some customers may be cognizant of: the fact that NAT is a pretty restrictive firewall.
>
> would that it were true. In fact, it is pretty easy to breach. All one has to do is ddos with the right port prefix, observe a response of any kind, and you can ddos right through it.

I take it Cisco NAT implementations are not very well implemented then.

> An actual stateful firewall is a good thing. NAT mostly has the effect of deluding the person behind it into thinking they have a security solution.

Stop there. Fred, I am sure you've read or written the code to implement:

a) a stateful inspection firewall
b) a NAPT implementation (what most folks think of when they talk about NAT).

The code is NEARLY identical. In fact, the lookup tables used just need an extra column to track some additional information. Please stop with the argument that NAT and stateful inspection firewalls are different beasts. The software to implement them is basically identical. If you dislike NATs, say so, but this old argument about NAT boxes not providing security provided by stateful inspection firewalls is just not an honest one.
Re: Why people by NATs
On Tue, 2004-11-23 at 19:02 -0500, Daniel Senie wrote:
> At 06:00 PM 11/22/2004, Fred Baker wrote:
>> At 12:10 PM 11/22/04 -0800, Chris Palmer wrote:
>>> There's another feature of NAT that is desirable that has not yet been mentioned, and which at least some customers may be cognizant of: the fact that NAT is a pretty restrictive firewall.
>>
>> would that it were true. In fact, it is pretty easy to breach. All one has to do is ddos with the right port prefix, observe a response of any kind, and you can ddos right through it.
>
> I take it Cisco NAT implementations are not very well implemented then.

Well, in this case I can't blame Cisco, because NAT's are simply made to be implemented well.

>> An actual stateful firewall is a good thing. NAT mostly has the effect of deluding the person behind it into thinking they have a security solution.
>
> Stop there. Fred, I am sure you've read or written the code to implement:
>
> a) a stateful inspection firewall
> b) a NAPT implementation (what most folks think of when they talk about NAT).
>
> The code is NEARLY identical. In fact, the lookup tables used just need an extra column to track some additional information.

That two tools both use bubblesort doesn't mean they fulfill the same function. The same with a lookup table function.

> Please stop with the argument that NAT and stateful inspection firewalls are different beasts.

They are very different. A tiger and a little pussy cat, which one do you pet and take into your lap? Two different beasts, though they look the same...

> The software to implement them is basically identical. If you dislike NATs, say so, but this old argument about NAT boxes not providing security provided by stateful inspection firewalls is just not an honest one.

A NAT does not provide security as a NAT doesn't have any rules.

Also note that there is usually a _separate_ firewall component in common NAT boxes (and please don't call them routers as they are not); this is the thing that gives the machine its little bit of 'security', not that anyone tinkers with the rules, thus keeping the box wide open.

Greets,
Jeroen
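The two messages above disagree over whether a NAPT mapping table and a stateful filter's flow table are the same thing. What follows is an added example, not code from this thread or from any product: a toy of each in Python, with constructed addresses from the RFC 5737 documentation ranges and the UDP/5060 SIP port as the sample flow. It shows the "extra column" Daniel describes (the external port), the absence of explicit rules Jeroen describes (the NAPT's only implicit rule is "no mapping, no entry"), and the point Fred alludes to: with what RFC 4787 calls endpoint-independent filtering (informally "full cone"), any external host that finds a live mapped port gets through, whereas address-and-port-dependent filtering and the stateful filter both drop the stranger. The explicit `inbound_rules` parameter is the hypothetical "poke a hole" configuration, not any vendor's syntax.

```python
# Added example (not from the thread): a toy NAPT beside a toy stateful
# filter.  Addresses are constructed from the RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulFilter:
    """Records outbound flows; admits inbound only for the reverse of a
    recorded flow or for an explicitly configured (proto, port) rule."""

    def __init__(self, inbound_rules=()):
        self.flows = set()               # (proto, in_ip, in_port, out_ip, out_port)
        self.rules = set(inbound_rules)  # explicit holes, e.g. ("tcp", 25)

    def outbound(self, p: Packet) -> Packet:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return p                         # no rewriting; the host has a global address

    def inbound(self, p: Packet) -> Optional[Packet]:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return p                     # reply to something we sent
        if (p.proto, p.dport) in self.rules:
            return p                     # explicitly opened service
        return None


class NAPT:
    """Rewrites source address/port to one public address.  The mapping
    table is the filter's flow table plus an external-port column.
    endpoint_independent=True models RFC 4787 endpoint-independent
    filtering ('full cone'): anyone may send to a mapped port."""

    def __init__(self, public_ip: str, endpoint_independent: bool = False):
        self.public_ip = public_ip
        self.next_port = 40000
        self.mappings = {}   # (proto, int_ip, int_port) -> ext_port
        self.peers = {}      # ext_port -> {(remote_ip, remote_port)} seen outbound
        self.eif = endpoint_independent

    def outbound(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext = self.mappings[key]
        self.peers.setdefault(ext, set()).add((p.dst, p.dport))
        return Packet(self.public_ip, ext, p.dst, p.dport, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip or p.dport not in self.peers:
            return None                  # no mapping: the only implicit 'rule'
        if not self.eif and (p.src, p.sport) not in self.peers[p.dport]:
            return None                  # address/port-dependent filtering
        for (proto, ip, port), ext in self.mappings.items():
            if ext == p.dport and proto == p.proto:
                return Packet(p.src, p.sport, ip, port, proto)   # untranslated
        return None


def scenario(endpoint_independent: bool, explicit_rule: bool = False) -> dict:
    """One inside host talks to one peer; then the peer replies and a
    stranger probes the same port.  Returns who got through where."""
    fw = StatefulFilter(inbound_rules=[("udp", 5060)] if explicit_rule else ())
    nat = NAPT("198.51.100.1", endpoint_independent)
    out = Packet("192.168.1.10", 5060, "203.0.113.5", 5060)
    fw.outbound(out)
    wire = nat.outbound(out)             # now 198.51.100.1:40000 -> peer
    reply = Packet("203.0.113.5", 5060, wire.src, wire.sport)
    stranger = Packet("192.0.2.77", 4444, wire.src, wire.sport)
    # the filter fronts a globally addressed host, so it sees untranslated 5-tuples
    reply_fw = Packet("203.0.113.5", 5060, "192.168.1.10", 5060)
    stranger_fw = Packet("192.0.2.77", 4444, "192.168.1.10", 5060)
    return {
        "nat_reply": nat.inbound(reply) is not None,
        "nat_stranger": nat.inbound(stranger) is not None,
        "fw_reply": fw.inbound(reply_fw) is not None,
        "fw_stranger": fw.inbound(stranger_fw) is not None,
    }


if __name__ == "__main__":
    for eif in (False, True):
        print("endpoint_independent=%s:" % eif, scenario(eif))
    print("filter with explicit rule:", scenario(False, explicit_rule=True))
```

Both boxes pass the peer's reply and both drop the stranger as long as the NAPT filters per remote endpoint; flip the NAPT to endpoint-independent filtering and the stranger gets in with no configuration change anyone can see, whereas the filter only admits it when someone writes the rule.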
Why people by NATs
Peter Ford [EMAIL PROTECTED]:
> Run a market survey and you will find out why people buy these NAT devices. It shouldn't be that hard, you can hire one of many consumer research firms to do that kind of quantitative research for you.

Who needs market research? All you have to do is look at the cost-feature profile of the most popular NATs and notice who they were designed for. Those vendors have already done the market research and bet real money on the results.

Downstairs in my basement I have a Linksys firewalling router that does NAT. Like millions of other SOHO users, I needed NAT in order to be able to connect a home network of multiple machines to a DSL or cable line. The ISP gave me only one IP address; the NAT allows me to have several clients and one server behind it. (This particular box, as is now common, is also a WiFi access point.)

The other thing NAT does is allow me to decouple my local IP addresses from the ISP's assignment. So all my local machines can keep 192.168.1.x regardless of what address the world thinks my server has. Because I have a static address (66.92.53.140) this is merely a convenience that would make it easy for me to change ISPs if I had to; if, like many ISP users, I had a DHCP-allocated dynamic one, it would be a necessity.

To sum up, NAT gives me two features:

1. Multiple machines on the single-address allocation the ISP gives me.
2. Decoupling of my local network addresses from the ISP assignment.

The Linksys, which is probably the single most popular brand, was designed for exactly this set of requirements. So are most of its competition -- the Belkins, the Netgears, the AirStations, etc.

I hear a lot of muttering about NATs being evil. I really don't have an opinion on the subject -- I understand some of the theoretical problems, but they've never bitten me. So, asking as a network administrator, how would the implied problems be solved in an IPv6 world?

-- 
Eric S. Raymond http://www.catb.org/~esr/
Re: Why people by NATs
On Mon, Nov 22, 2004 at 09:44:18AM -0500, Eric S. Raymond wrote:
> To sum up, NAT gives me two features:
>
> 1. Multiple machines on the single-address allocation the ISP gives me.
> 2. Decoupling of my local network addresses from the ISP assignment.
>
> I hear a lot of muttering about NATs being evil. I really don't have an opinion on the subject -- I understand some of the theoretical problems, but they've never bitten me. So, asking as a network administrator, how would the implied problems be solved in an IPv6 world?

For #1, you use IPv6 globals on link for the global connections.

For #2, you could (if you wanted) use IPv6 ULAs for intra-site connectivity, if you didn't want to contemplate using globals and renumbering on changing ISP (which is a rare event for a home user?)

With IPv6, you don't have to play port mapping shenanigans to have (for example) multiple web servers on your home intranet accessible from outside, but until you have that type of requirement (access into your home net) then you don't see the main advantage.

You can run v4+NAT alongside v6 quite happily too, so use v4 for legacy apps like mail and web browsing to external sites and v6 for new apps where you might want to talk direct to peers that would otherwise be behind v4 NATs.

-- 
Tim
Re: Why people by NATs
On Mon, 2004-11-22 at 15:52 +, Tim Chown wrote:
> On Mon, Nov 22, 2004 at 09:44:18AM -0500, Eric S. Raymond wrote:
>> To sum up, NAT gives me two features:
>>
>> 1. Multiple machines on the single-address allocation the ISP gives me.
>> 2. Decoupling of my local network addresses from the ISP assignment.
>>
>> I hear a lot of muttering about NATs being evil. I really don't have an opinion on the subject -- I understand some of the theoretical problems, but they've never bitten me. So, asking as a network administrator, how would the implied problems be solved in an IPv6 world?

The internet does not only consist of HTTP pages. What if you want to do VoIP from _multiple_ computers or even real VoIP phones. Or something nice as setting up a gameserver behind your NAT. Won't work. That many applications have a lot of tricks to circumvent NAT's, mostly by using some external un-nat-ted server, that is sheer luck; it still is not end to end.

> For #1, you use IPv6 globals on link for the global connections.
>
> For #2, you could (if you wanted) use IPv6 ULAs for intra-site connectivity, if you didn't want to contemplate using globals and renumbering on changing ISP (which is a rare event for a home user?)

Depends on the type of home user ;) Nevertheless, most homes currently only consist of maybe 3 ethernet segments (wired, wireless, office or something) and maybe a max of 20 hosts. Changing the IPs of those hosts should not be a problem even if you had to do it manually. Most of these NAT boxes come with built-in DHCP support, hopefully they will come with IPv6 and RA and maybe DHCPv6 support too in the near future (Yamaha has them already :)

Greets,
Jeroen
Re: Why people by NATs
At 09:44 AM 11/22/04 -0500, Eric S. Raymond wrote:
> Who needs market research? All you have to do is look at the cost-feature profile of the most popular NATs and notice who they were designed for. Those vendors have already done the market research and bet real money on the results.

Yes, but be careful with that. What has happened at Linksys and others is that they have come up with a simple configuration that allows them to sell a pre-configured device to a client, advertise a few features that clients like, and sell them like hotcakes with little or no support costs. What the customer is buying is not, in most cases, "uses private addressing to separate your IP address space from that of your ISP so that if you move you will not have to reconfigure things". That may be what Linksys etc is selling, but what the customer is buying is "plug it in and it will work". Any configuration that gives the customer simplicity of implementation by a non-expert in the technology will meet their needs.

> To sum up, NAT gives me two features:
>
> 1. Multiple machines on the single-address allocation the ISP gives me.
> 2. Decoupling of my local network addresses from the ISP assignment.
>
> I hear a lot of muttering about NATs being evil. I really don't have an opinion on the subject -- I understand some of the theoretical problems, but they've never bitten me. So, asking as a network administrator, how would the implied problems be solved in an IPv6 world?

In an IPv6 world, I would expect your ISP to sell you a /64 at one price or a /48 at another. The /48 is for if you will subnet behind your firewall, which is to say if you are a business. What your Linksys gives you is a fairly common residential configuration - a single LAN encompassing your home. With said /64, you have 2^64 addresses inside your home. How much equipment did you say you had?

I submit that if your environment is at all like mine, you don't actually configure 192.168.whatever addresses on the equipment in your house. You run DHCP within the home and it assigns such. That being the case, you actually don't know or care what the addresses are on your equipment. You care that your SIP Proxy and etc know the relationships, and they derive them directly without your intervention.

The one address you actually do care about is that of the server you mentioned. If the server is behind the NAT, you have a configuration on the Linksys that translates a certain set of TCP and UDP port numbers when addressed to the Linksys to the interior address of the server, and when you change ISPs you will have to change that configuration. Frankly, while the task is different, I don't see a large workload difference between changing that configuration and changing a similar configuration that poked an incoming hole for web and mail traffic to your web and mail servers.

So I will argue that the value of (2) is ephemeral. It is not an objective, it is an implementation, and in an IPv6 world you would implement in a slightly different fashion.
Re: Why people by NATs
At 08:33 AM 11/22/04 -0800, Fred Baker wrote:
> The one address you actually do care about is that of the server you mentioned. If the server is behind the NAT, you have a configuration on the Linksys that translates a certain set of TCP and UDP port numbers when addressed to the Linksys to the interior address of the server, and when you change ISPs you will have to change that configuration. Frankly, while the task is different, I don't see a large workload difference between changing that configuration and changing a similar configuration that poked an incoming hole for web and mail traffic to your web and mail servers.

Did I mention Dynamic DNS? If your server is capable of interacting with your DNS server (that's a question, some are and some aren't), Dynamic DNS can eliminate the need to concern yourself with the server address.
Re: Why people by NATs
On 11/22/2004 11:33 AM, Fred Baker wrote:
> So I will argue that the value of (2) is ephemeral. It is not an objective, it is an implementation, and in an IPv6 world you would implement in a slightly different fashion.

That's right--the device would get a range (or block) of addresses and then either do a 6-to-4 gateway conversion on those addresses (still using 192.168.*.*) or assign v6 directly (if that option had been enabled) but would still use DHCP for those assignments. Server-specific holes in the incoming connection table would still have to be managed, with a default deny policy. Very similar but still different.

One potentially technical hurdle here is the way that the device discovers that a range/block of addresses is available to it. Some kind of DHCP sub-lease, or maybe a collection of options (is it a range of addresses or an actual subnet? how big is it, and does that include net/bcast addresses?), is going to be required. So it would obviously be useful that Linksys et al make sure that the specs are there to help them continue providing the same kind of high-value low-management experience. This is the kind of cross-industry participation I'm talking about needing.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
Re: Why people by NATs
At 11:33 AM 11/22/2004, Fred Baker wrote:
> At 09:44 AM 11/22/04 -0500, Eric S. Raymond wrote:
>> Who needs market research? All you have to do is look at the cost-feature profile of the most popular NATs and notice who they were designed for. Those vendors have already done the market research and bet real money on the results.

Has anyone mentioned that ISPs charge an absurd premium for multiple static V4 IP numbers in residential markets saying ..oh that's a business service. NATs exist because IP numbers are made artificially expensive by ISPs.

> Yes, but be careful with that. What has happened at Linksys and others is that they have come up with a simple configuration that allows them to sell a pre-configured device to a client, advertise a few features that clients like, and sell them like hotcakes with little or no support costs. What the customer is buying is not, in most cases, "uses private addressing to separate your IP address space from that of your ISP so that if you move you will not have to reconfigure things". That may be what Linksys etc is selling, but what the customer is buying is "plug it in and it will work". Any configuration that gives the customer simplicity of implementation by a non-expert in the technology will meet their needs.
>
>> To sum up, NAT gives me two features:
>>
>> 1. Multiple machines on the single-address allocation the ISP gives me.
>> 2. Decoupling of my local network addresses from the ISP assignment.
>>
>> I hear a lot of muttering about NATs being evil. I really don't have an opinion on the subject -- I understand some of the theoretical problems, but they've never bitten me. So, asking as a network administrator, how would the implied problems be solved in an IPv6 world?
>
> In an IPv6 world, I would expect your ISP to sell you a /64 at one price or a /48 at another. The /48 is for if you will subnet behind your firewall, which is to say if you are a business. What your Linksys gives you is a fairly common residential configuration - a single LAN encompassing your home.

Yes Fred I would _expect_ my ISP to sell me a /64 but at what price? It continues to amaze me that no one discussing the IP V6 adoption issues will focus attention on the obvious question ..what is it going to cost me? Would some nice US DSL provider out there sell me 6M ADSL transport and a V6 /64 for about $49.95 please? I'll even sign a long term contract !!

If the RIR's could enforce downstream pricing policy on the ISPs for V6 numbering resources we might have a chance.

BTW there is an analogy brewing in VoIP. There are proposals out there in some countries to tax phone numbers in order to support universal service efforts. A noble goal to be sure ..but the economic effect will be to create a disincentive for the use of phone numbers and potentially move consumers towards the use of URI's for phone dialing. Now that may or may not be a bad idea either but it should highlight that if you price a product ( numbering ) too high people will look for ways to route around it.

NAT's have been the inevitable answer to the poor pricing policy of IP numbering.

Richard Shockey, Senior Manager, Strategic Technology Initiatives
NeuStar Inc.
46000 Center Oak Plaza - Sterling, VA 20166
sip:rshockey(at)iptel.org sip:[EMAIL PROTECTED]
ENUM +87810-13313-31331
PSTN Office +1 571.434.5651 PSTN Mobile: +1 703.593.2683, Fax: +1 815.333.1237
mailto:richard(at)shockey.us or mailto:richard.shockey(at)neustar.biz
http://www.neustar.biz ; http://www.enum.org
Re: Why people by NATs
--On Monday, 22 November, 2004 08:33 -0800 Fred Baker [EMAIL PROTECTED] wrote:

> ... Yes, but be careful with that. What has happened at Linksys and others is that they have come up with a simple configuration that allows them to sell a pre-configured device to a client, advertise a few features that clients like, and sell them like hotcakes with little or no support costs. What the customer is buying is not, in most cases, "uses private addressing to separate your IP address space from that of your ISP so that if you move you will not have to reconfigure things." That may be what Linksys etc. is selling, but what the customer is buying is "plug it in and it will work". Any configuration that gives the customer simplicity of implementation by a non-expert in the technology will meet their needs.

Fred, while I agree completely with this, we all need to understand that it has another implication. If the customer is offered a snazzy new IPv6 device, using public address space, that fails to offer "plug it in and it will work", then the customer is unlikely to buy it. The odds go down even further if the customer is expected to become a network expert, or even a junior apprentice amateur network expert, to configure the thing. And that situation is likely to exist, IMO, regardless of what real or imagined advantages come from IPv6 and/or public-accessible address space and/or NAT elimination.

john
Re: Why people by NATs
At 12:35 PM 11/22/04 -0500, Eric A. Hall wrote:

> One potentially technical hurdle here is the way that the device discovers that a range/block of addresses is available to it. Some kind of DHCP sub-lease, or maybe a collection of options (is it a range of addresses or an actual subnet? how big is it, and does that include net/bcast addresses?), is going to be required.

I think you're saying that the router/firewall/gateway thingie needs to have some sequence like:

- initial boot or expiration of previous lease occurs
- CPE router has or forms link-local association with upstream router (note that a non-link-local address on the upstream interface is optional)
- CPE router sends DHCP request for configuration
- upstream router replies with address of DHCP server, DNS Server, and a prefix with a lease. It also configures itself with a local route to that prefix via CPE router.
- CPE router configures interior interface with said prefix and starts some combination of autoconfiguration and DHCP configuration of downstream hosts.
- If Dynamic DNS is in use, some hosts may advise the DNS server of their new address. If there is a management contract (ISP knows about and does something with the CPE router), supplying the router's address upstream is one possible use of DDNS.

Note that in the case that DDNS is in use and we are triggering off lease expiration, the process needs to take the concepts and issues of http://www.ietf.org/internet-drafts/draft-ietf-v6ops-renumbering-procedure-02.txt into account.

I have added Ralph Droms to this. Ralph, your suggestion?

> So it would obviously be useful that Linksys et al make sure that the specs are there to help them continue providing the same kind of high-value low-management experience. This is the kind of cross-industry participation I'm talking about needing.

I'll argue that this is pretty much what the IETF has always done. It comes down to someone who sees the need propose a solution and make sure the other folks who are likely to be interested buy into it. It is fundamental to what we do.
Re: Why people by NATs
At 01:05 PM 11/22/04 -0500, Richard Shockey wrote:

> Yes Fred, I would _expect_ my ISP to sell me a /64, but at what price? It continues to amaze me that no one discussing the IP V6 adoption issues will focus attention on the obvious question ... what is it going to cost me?

Is there any way the engineer can predict that or control it? What the architecture has made exceedingly clear is that the ISP can't expect to dole out /128 prefixes, and has no incentive to. It could state that it wants to only do address autoconfiguration on its interfaces, and it could watch its customers vote with their feet. ISPs aren't that stupid, I don't think. They understand what Linksys has done with their market.

> NATs have been the inevitable answer to the poor pricing policy of IP numbering.

Which comes down to a comment on the policy in use in handing out IPv4 addresses. We (collectively) exert very heavy backpressure on ISPs getting new address allocations, which they pass along to their customers in this form. Change that policy - and we are - for IPv6 prefixes, and you can plan on the ISPs following suit.
Re: Why people by NATs
At 01:13 PM 11/22/04 -0500, John C Klensin wrote:

> Fred, while I agree completely with this, we all need to understand that it has another implication. If the customer is offered a snazzy new IPv6 device, using public address space, that fails to offer "plug it in and it will work", then the customer is unlikely to buy it.

No argument. That, actually, is half of my point. The assertion I replied to was that the thing the customer bought was address isolation via private addressing. No, I assert, that isn't what he bought. He bought plug and play. Provide plug and play, and he will buy the new solution just as readily.

Your assertion is the flip side of the inference. Fail to provide plug and play, and the customer will not buy it. Very true.
Re: Why people by NATs
Right. While I didn't want to continue this discussion on the IETF list, as I understand it this is precisely what prefix delegation was meant to be able to handle.

Eliot

Fred Baker wrote:

> At 12:35 PM 11/22/04 -0500, Eric A. Hall wrote:
>
>> One potentially technical hurdle here is the way that the device discovers that a range/block of addresses is available to it. Some kind of DHCP sub-lease, or maybe a collection of options (is it a range of addresses or an actual subnet? how big is it, and does that include net/bcast addresses?), is going to be required.
>
> I think you're saying that the router/firewall/gateway thingie needs to have some sequence like:
>
> - initial boot or expiration of previous lease occurs
> - CPE router has or forms link-local association with upstream router (note that a non-link-local address on the upstream interface is optional)
> - CPE router sends DHCP request for configuration
> - upstream router replies with address of DHCP server, DNS Server, and a prefix with a lease. It also configures itself with a local route to that prefix via CPE router.
> - CPE router configures interior interface with said prefix and starts some combination of autoconfiguration and DHCP configuration of downstream hosts.
> - If Dynamic DNS is in use, some hosts may advise the DNS server of their new address. If there is a management contract (ISP knows about and does something with the CPE router), supplying the router's address upstream is one possible use of DDNS.
>
> Note that in the case that DDNS is in use and we are triggering off lease expiration, the process needs to take the concepts and issues of http://www.ietf.org/internet-drafts/draft-ietf-v6ops-renumbering-procedure-02.txt into account.
>
> I have added Ralph Droms to this. Ralph, your suggestion?
>
>> So it would obviously be useful that Linksys et al make sure that the specs are there to help them continue providing the same kind of high-value low-management experience. This is the kind of cross-industry participation I'm talking about needing.
>
> I'll argue that this is pretty much what the IETF has always done. It comes down to someone who sees the need propose a solution and make sure the other folks who are likely to be interested buy into it. It is fundamental to what we do.
RE: Why people by NATs
Eric, I suspect that none of us on this list qualify as the nominal consumer.

I do vehemently agree with your last paragraph. In some sense, you are saying that NAT is an intrinsic part of the nominal residential gateway (could be expanded for SOHO and small/medium business). As such, what is the nominal IPv6 based residential gateway, and its feature set? Perhaps the IETF needs to do for residential gateways what it did for routers in the old router requirements days.

Regards, peterf
Re: Why people by NATs
At 01:44 PM 11/22/2004, Fred Baker wrote:

> At 01:05 PM 11/22/04 -0500, Richard Shockey wrote:
>
>> Yes Fred, I would _expect_ my ISP to sell me a /64, but at what price? It continues to amaze me that no one discussing the IP V6 adoption issues will focus attention on the obvious question ... what is it going to cost me?
>
> Is there any way the engineer can predict that or control it?

Of course ... this is Economics 101 ... if you have a product you want to sell you look for its optimal price point based on a cost benefit analysis of the alternatives. http://cepa.newschool.edu/het/profiles/samuelson.htm

Why are packet networks more efficient than circuit switched ones? :-)

I think the problem the Internet Engineering community has had is that we have not taken out to lunch some of our friends in Economic Theory who would help us understand the IPV6 adoption problem for what it is: an economic, not a technical, issue. I've personally believed for some time the solution to V4 to V6 migration is economic. Maybe charge more for V4 resources and less for V6 and the market may then decide ... hummm, gee, maybe I should switch. I don't know. However that requires that wholesale pricing policy by the RIRs be enforceable to downstream retailers (ISPs), which is tricky to do (but possible), and a realization by retailers that they have an incentive to push the product (V6). The question then to retailers (ISPs) is why aren't you trying to sell V6? That begs the question: what are the ISPs' economic incentives to push V6 downstream? That is the question I've been trying to have answered for years.

> What the architecture has made exceedingly clear is that the ISP can't expect to dole out /128 prefixes, and has no incentive to.

My point exactly. Shockey's Law: Money is the answer, what is the question?

> It could state that it wants to only do address autoconfiguration on its interfaces, and it could watch its customers vote with their feet. ISPs aren't that stupid, I don't think. They understand what Linksys has done with their market.

Linksys is the perfect example here ... produce a product at an optimal price point with fantastic distribution that is easy to use (like, duh, iPod??) and the world will beat a path to your door.

>> NATs have been the inevitable answer to the poor pricing policy of IP numbering.
>
> Which comes down to a comment on the policy in use in handing out IPv4 addresses. We (collectively) exert very heavy backpressure on ISPs getting new address allocations, which they pass along to their customers in this form. Change that policy - and we are - for IPv6 prefixes, and you can plan on the ISPs following suit.

But a change in policy without built in economic incentives will not work.

Richard Shockey, Senior Manager, Strategic Technology Initiatives
NeuStar Inc.
46000 Center Oak Plaza - Sterling, VA 20166
sip:rshockey(at)iptel.org sip:[EMAIL PROTECTED]
ENUM +87810-13313-31331
PSTN Office +1 571.434.5651 PSTN Mobile: +1 703.593.2683, Fax: +1 815.333.1237
mailto:richard(at)shockey.us or mailto:richard.shockey(at)neustar.biz
http://www.neustar.biz ; http://www.enum.org
Re: Why people by NATs
Fred Baker [EMAIL PROTECTED]:

> I submit that if your environment is at all like mine, you don't actually configure 192.168.whatever addresses on the equipment in your house. You run DHCP within the home and it assigns such. That being the case, you actually don't know or care what the addresses are on your equipment. You care that your SIP Proxy and etc know the relationships, and they derive them directly without your intervention.

Actually, I do set up static addresses. I'd use DHCP, but if I did that I would not be able to refer to the machines on my local net by name. Until my DHCP client can update my DNS tables with name information on the fly, I'll keep doing it this way. Apple's zeroconf technology solves this problem, albeit in a slightly different way, but Linux doesn't deploy it yet.

I don't think my situation is unique.

-- Eric S. Raymond http://www.catb.org/~esr/
Re: Why people by NATs
Peter Ford [EMAIL PROTECTED]:

> I do vehemently agree with your last paragraph. In some sense, you are saying that NAT is an intrinsic part of the nominal residential gateway (could be expanded for SOHO and small/medium business).

Indeed. I think this is true.

Several people on this list have tried to tell me that I don't really want the IP address space on my local net to be decoupled from the server address. They are wrong. I want to be able to change ISPs by fixing *one* IP address in *one* place, and I want to control the mapping from global IP addresses to local ones. This desire has nothing to do with IPv4 vs. IPv6 and everything to do with wanting to be able to make only small, conservative changes in my network configuration rather than having to completely disrupt it.

Once again, I don't think my situation is unique. I only have five machines on my net -- my desktop box, my wife's desktop box, my laptop by WiFi, an Apple PowerMac we watch streaming video on, and the mail/web server downstairs. For somebody administering a network of 100 machines, the hassle cost of IP renumbering would be twenty times larger.

Given this, how could anyone wonder why NAT is popular?

-- Eric S. Raymond http://www.catb.org/~esr/
Re: Why people by NATs
Eric S. Raymond writes:

> For somebody administering a network of 100 machines, the hassle cost of IP renumbering would be twenty times larger. Given this, how could anyone wonder why NAT is popular?

There's another feature of NAT that is desirable that has not yet been mentioned, and which at least some customers may be cognizant of: the fact that NAT is a pretty restrictive firewall.

I'm as big a fan of the end-to-end principle as anybody, but until the ends are trustworthy, we can't get there. Whether by IPv6 or IPv4, less-than-fanatically-administered Windows and Unix systems simply cannot be directly connected to the Internet. :(

-- Chris Palmer
Staff Technologist, Electronic Frontier Foundation
415 436 9333 x124 (desk), 415 305 5842 (cell)
81C0 E11D CE73 4390 B6C7 3415 B286 CD8F 68E4 09CD
Re: Why people by NATs
Eric,

On Mon, 22 Nov 2004, Eric S. Raymond wrote:

> Fred Baker [EMAIL PROTECTED]:
>
>> I submit that if your environment is at all like mine, you don't actually configure 192.168.whatever addresses on the equipment in your house. You run DHCP within the home and it assigns such. That being the case, you actually don't know or care what the addresses are on your equipment. You care that your SIP Proxy and etc know the relationships, and they derive them directly without your intervention.
>
> Actually, I do set up static addresses. I'd use DHCP, but if I did that I would not be able to refer to the machines on my local net by name. Until my DHCP client can update my DNS tables with name information on the fly, I'll keep doing it this way. Apple's zeroconf technology solves this problem, albeit in a slightly different way, but Linux doesn't deploy it yet.

Please see http://sleekfreak.ath.cx:81/books/dnsupdate. This allows a host on a dynamic address to be its own primary authoritative DNS server. With slight adjustments, and a client/server architecture, which I have implemented with similar code in the past, it could easily do what you need.

Scott

> I don't think my situation is unique.
>
> -- Eric S. Raymond http://www.catb.org/~esr/

sleekfreak pirate broadcast
http://sleekfreak.ath.cx:81/
Re: Why people by NATs
Chris Palmer [EMAIL PROTECTED]:

> There's another feature of NAT that is desirable that has not yet been mentioned, and which at least some customers may be cognizant of: the fact that NAT is a pretty restrictive firewall.
>
> I'm as big a fan of the end-to-end principle as anybody, but until the ends are trustworthy, we can't get there. Whether by IPv6 or IPv4, less-than-fanatically-administered Windows and Unix systems simply cannot be directly connected to the Internet.

I wouldn't go that far. I wouldn't describe myself as a fanatical admin; lazy and barely competent would be closer to the mark :-). Despite this, I've never had a breakin in more than a decade. I'm comfortable connecting a Linux system directly to the Internet, as long as the internal software firewall is on. It's nice to have my firewalling done by a box that is too stupid to be cracked, but what I need from the Linksys is really the address multiplexing.

-- Eric S. Raymond http://www.catb.org/~esr/
Re: Why people by NATs
Eric, this is a sine qua non requirement. With plug, play, testing and documentation of every appliance, but also of every competing network connection I can grab (wi-fi, ISPs, cable, ISDN, satellite, etc.). So when I move around nothing is changed, and I know how to use my environment in hotels with the same low cost e-control panel. Linksys is good but their panel is not that good. Change ISP and look at the time you waste in calling their support to know the parameters. There should be a default address at each ISP where to load the current configuration.

This is not only true for home or business, but for cars, ships, mobile, etc. This must be protected by insurances: what if a disabled person is hurt because an address was mis-entered (as you know IPv6 addresses are very simple to enter and memorize), what if my hospital cannot reach an ill person's control station at home, what if my car ... what if somebody got injured because he used a default address on his own control pad and an unexpected appliance reacted, how can I set up kid-protection programs blocking some appliances, or dangerous equipment, etc. This will call for rules and strict address formatting. How could we have protection services checking our home situation every minute and authorized to call the Police or the firemen if there is no address format standard, warranted by law?

I have difficulties enough in finding a plumber, I do not want to have to find an IPv6 specialist every time I buy a new PC or the IETF writes a new RFC. Let's be reasonable: if IPv6 is to work we must not spend more than 5 minutes a year caring about our 1000 addresses or more. And do not tell me that domain names will help - most probably all of these addresses will have awfully long manufacturer-formed names to call and maintain them for you ... in various languages.

This is not to be a joke, this must work, be documented, tested, controlled, paid, sure, secure, protected, updated, compatible, etc. etc., with lawyers suing manufacturers for millions if a 50 euro box worked wrong and created harm. So in addition you want logger, paper copy, phone alarms, etc. which will ring at the proper police station, not on the other side of the world; you want no spam and immediate call back for micro payment authentication. And all that for a corebox purchased at the super-market.

It calls for some thinking outside of the IETF. The IETF carried the small part of IPv6 deployment and delays the big part by continuing to discuss it. Harald is absolutely right:

> In IPv6, I see our job as standardizers to make sure the thing we have defined is well-defined enough to let it work, and then get the hell out of the way. At this time, it's the users and the network builders who will decide whether we've succeeded or failed. Not us standardizers. We can do minor maintenance and "hey, we didn't mean it that way", but the best we can do for IPv6 is to point out all the stuff that is done, stable, and is NOT going to change any time soon.

jfc

At 21:08 22/11/2004, Eric S. Raymond wrote:

> Peter Ford [EMAIL PROTECTED]:
>
>> I do vehemently agree with your last paragraph. In some sense, you are saying that NAT is an intrinsic part of the nominal residential gateway (could be expanded for SOHO and small/medium business).
>
> Indeed. I think this is true.
>
> Several people on this list have tried to tell me that I don't really want the IP address space on my local net to be decoupled from the server address. They are wrong. I want to be able to change ISPs by fixing *one* IP address in *one* place, and I want to control the mapping from global IP addresses to local ones. This desire has nothing to do with IPv4 vs. IPv6 and everything to do with wanting to be able to make only small, conservative changes in my network configuration rather than having to completely disrupt it.
>
> Once again, I don't think my situation is unique. I only have five machines on my net -- my desktop box, my wife's desktop box, my laptop by WiFi, an Apple PowerMac we watch streaming video on, and the mail/web server downstairs. For somebody administering a network of 100 machines, the hassle cost of IP renumbering would be twenty times larger.
>
> Given this, how could anyone wonder why NAT is popular?
>
> -- Eric S. Raymond http://www.catb.org/~esr/
Re: Why people by NATs
Eric - Fred has the model right. The CPE router (actually a gateway with router/firewall/DHCP/DNS services) uses DHCPv6 PD (prefix delegation; RFC 3633) to obtain a prefix (either a /64 or shorter) and then assigns /64 prefixes to any downstream links. The devices in the home use either autonomous address selection or DHCPv6 for address assignment and DHCPv6 for other configuration information. Those devices use DDNS - either in the gateway or provided by the ISP - to announce any publicly accessible addresses. The net effect is that a customer can plug in a gateway and then devices on the downstream links from the gateway without any hands-on configuration by either the customer or the ISP.

There seems to be pretty broad consensus among ISPs that this model describes the initial version of IPv6 service.

Check out draft-vandevelde-v6ops-nap-00.txt for more thoughts about why NATs are in use today and how IPv6 provides the same functions.

As Fred says, the IETF continues to identify specific needs - in this case, the need for minimal overhead to both the customer and the ISP for IPv6 service - get buy-in from the interested parties and develop solutions and standards for protocols that can meet those needs, such as the RFCs and Internet Drafts we've referred to in this thread...

- Ralph

At 10:29 AM 11/22/2004 -0800, Fred Baker wrote:

> At 12:35 PM 11/22/04 -0500, Eric A. Hall wrote:
>
>> One potentially technical hurdle here is the way that the device discovers that a range/block of addresses is available to it. Some kind of DHCP sub-lease, or maybe a collection of options (is it a range of addresses or an actual subnet? how big is it, and does that include net/bcast addresses?), is going to be required.
>
> I think you're saying that the router/firewall/gateway thingie needs to have some sequence like:
>
> - initial boot or expiration of previous lease occurs
> - CPE router has or forms link-local association with upstream router (note that a non-link-local address on the upstream interface is optional)
> - CPE router sends DHCP request for configuration
> - upstream router replies with address of DHCP server, DNS Server, and a prefix with a lease. It also configures itself with a local route to that prefix via CPE router.
> - CPE router configures interior interface with said prefix and starts some combination of autoconfiguration and DHCP configuration of downstream hosts.
> - If Dynamic DNS is in use, some hosts may advise the DNS server of their new address. If there is a management contract (ISP knows about and does something with the CPE router), supplying the router's address upstream is one possible use of DDNS.
>
> Note that in the case that DDNS is in use and we are triggering off lease expiration, the process needs to take the concepts and issues of http://www.ietf.org/internet-drafts/draft-ietf-v6ops-renumbering-procedure-02.txt into account.
>
> I have added Ralph Droms to this. Ralph, your suggestion?
>
>> So it would obviously be useful that Linksys et al make sure that the specs are there to help them continue providing the same kind of high-value low-management experience. This is the kind of cross-industry participation I'm talking about needing.
>
> I'll argue that this is pretty much what the IETF has always done. It comes down to someone who sees the need propose a solution and make sure the other folks who are likely to be interested buy into it. It is fundamental to what we do.
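The gateway side of the model Fred and Ralph describe, as an added example that is not code from the thread, from any vendor, or from the IETF: the CPE has already obtained a prefix via DHCPv6-PD (RFC 3633; the DHCPv6 exchange itself is not modelled), carves one /64 per downstream link for RA/SLAAC, and when the ISP hands it a different prefix at lease renewal it keeps the old prefix advertised with preferred lifetime 0 (deprecated) until its valid lifetime runs out, which is the graceful-renumbering approach the renumbering-procedure draft cited above is about. Link names, lifetimes and the sample prefixes (documentation range 2001:db8::/32) are assumptions.

```python
"""Residential IPv6 gateway model: DHCPv6-PD prefix in, one /64 per downstream
link out, old prefixes deprecated rather than dropped on renumbering.
Added example, not code from the thread or any product.  Only the standard
library is used."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PrefixInfo:
    """One prefix as the gateway would advertise it in an RA Prefix Information option."""
    prefix: ipaddress.IPv6Network
    preferred: int  # seconds; 0 = deprecated: still valid, not used for new sessions
    valid: int      # seconds; after this the prefix is withdrawn entirely


@dataclass
class Gateway:
    links: List[str]                                   # downstream link names (assumed)
    ra: Dict[str, List[PrefixInfo]] = field(default_factory=dict)

    def carve(self, delegated: str) -> Dict[str, ipaddress.IPv6Network]:
        """One /64 per downstream link out of the delegated prefix.  A /64
        delegation covers exactly one link; anything longer than /64 cannot
        be used for SLAAC, so it is rejected."""
        net = ipaddress.ip_network(delegated, strict=False)  # mask stray host bits
        if net.version != 6 or net.prefixlen > 64:
            raise ValueError(f"{delegated}: need an IPv6 prefix of /64 or shorter")
        pool = iter([net]) if net.prefixlen == 64 else net.subnets(new_prefix=64)
        out = {}
        for link in self.links:
            try:
                out[link] = next(pool)
            except StopIteration:
                raise ValueError(f"{net} has too few /64s for {len(self.links)} links") from None
        return out

    def apply_delegation(self, delegated: str, preferred: int = 3600,
                         valid: int = 7200) -> Dict[str, List[str]]:
        """Install the /64s from a (new or renewed) delegation on every link.
        A prefix that is no longer delegated gets preferred=0 (deprecated)
        instead of being removed, so existing sessions drain; a renewal of the
        same prefix just refreshes its lifetimes.  Returns the prefixes that
        are currently preferred on each link."""
        new = self.carve(delegated)
        for link, p in new.items():
            entries = self.ra.setdefault(link, [])
            seen = False
            for info in entries:
                if info.prefix == p:
                    info.preferred, info.valid, seen = preferred, valid, True
                else:
                    info.preferred = 0  # deprecate, keep valid lifetime running
            if not seen:
                entries.append(PrefixInfo(p, preferred, valid))
        return {lk: [str(i.prefix) for i in e if i.preferred > 0]
                for lk, e in self.ra.items()}

    def deprecated(self, link: str) -> List[str]:
        """Prefixes still advertised on a link but with preferred lifetime 0."""
        return [str(i.prefix) for i in self.ra.get(link, []) if i.preferred == 0]


if __name__ == "__main__":
    gw = Gateway(links=["lan", "guest"])
    print(gw.apply_delegation("2001:db8:1200::/56"))   # initial lease
    print(gw.apply_delegation("2001:db8:ff00::/56"))   # ISP renumbered the customer
    print(gw.deprecated("lan"))                        # old /64 lingers, deprecated
```

The /64-versus-/48 pricing question Fred raised earlier shows up here as the `carve` check: a customer sold a bare /64 gets exactly one downstream link, and a gateway with a guest or IoT segment needs something shorter.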
Re: Why people by NATs
Eric S. Raymond wrote:

> Indeed. I think this is true.
>
> Several people on this list have tried to tell me that I don't really want the IP address space on my local net to be decoupled from the server address. They are wrong. I want to be able to change ISPs by fixing *one* IP address in *one* place, and I want to control the mapping from global IP addresses to local ones. This desire has nothing to do with IPv4 vs. IPv6 and everything to do with wanting to be able to make only small, conservative changes in my network configuration rather than having to completely disrupt it.

You wouldn't care about touch points if even a large number were reliable and secure, and that is the key. At the consumer level I think it's VERY important that most people not care about the IP address they are assigned. In fact it's important that they not have to know anything about how they're addressed! And you're right: it doesn't matter whether it's v4 or v6.

So. Where are the gaps?

Eliot
Re: Why people by NATs
On 11/22/2004 4:04 PM, Ralph Droms wrote:

> DHCPv6 PD (prefix delegation; RFC 3633) to obtain a prefix

Yeah, that's what I was thinking about. So now we just need implementors to provide it and for service providers to offer it before declaring the problem as solved.

-- Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Why people by NATs
Eric - interoperability of several (~6) independent implementations was demonstrated at TAHI '03 and Connectathon '03. The consensus among ISPs seems to be to use PD (although the jury is still out until IPv6 service is more widely available).

- Ralph

At 04:44 PM 11/22/2004 -0500, Eric A. Hall wrote:

> On 11/22/2004 4:04 PM, Ralph Droms wrote:
>
>> DHCPv6 PD (prefix delegation; RFC 3633) to obtain a prefix
>
> Yeah, that's what I was thinking about. So now we just need implementors to provide it and for service providers to offer it before declaring the problem as solved.
>
> -- Eric A. Hall http://www.ehsco.com/
> Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: Why people by NATs
At 12:10 PM 11/22/04 -0800, Chris Palmer wrote:

> There's another feature of NAT that is desirable that has not yet been mentioned, and which at least some customers may be cognizant of: the fact that NAT is a pretty restrictive firewall.

Would that it were true. In fact, it is pretty easy to breach. All one has to do is ddos with the right port prefix, observe a response of any kind, and you can ddos right through it.

An actual stateful firewall is a good thing. NAT mostly has the effect of deluding the person behind it into thinking they have a security solution. Screen doors are a good thing. They should be confused neither with storm doors nor effective insect inhibitions in the home...
RE: Why people by NATs
Eric S. Raymond wrote:

> ... To sum up, NAT gives me two features:
> 1. Multiple machines on the single-address allocation the ISP gives me.
> 2. Decoupling of my local network addresses from the ISP assignment.

This is a very restricted subset of:
http://www.ietf.org/internet-drafts/draft-vandevelde-v6ops-nap-00.txt

Please send comments if you think something is wrong or missing.

Market perceived benefits of IPv4 NAT

 Function          | IPv4                       | IPv6
-------------------+----------------------------+--------------------------------
 Simple Gateway    | DHCP - single address      | DHCP-PD - arbitrary length
                   | upstream; DHCP - limited   | customer prefix upstream;
                   | number of individual       | SLAAC via RA downstream
                   | devices downstream         |
 Simple Security   | Filtering side effect due  | Explicit Context Based Access
                   | to lack of translation     | Control (Reflexive ACL)
                   | state                      |
 Local usage       | NAT state table            | Address uniqueness
 tracking          |                            |
 End system        | NAT transforms device ID   | Temporary use privacy
 privacy           | bits in the address        | addresses
 Topology hiding   | NAT transforms subnet bits | Untraceable addresses using
                   | in the address             | IGP host routes /or MIPv6
                   |                            | tunnels for stationary systems
 Addressing        | RFC 1918                   | RFC 3177 ULA
 Autonomy          |                            |
 Global Address    | RFC 1918                   | 340,282,366,920,938,463,463,
 Pool Conservation |                            | 374,607,431,768,211,456
                   |                            | (3.4*10^38) addresses
 Renumbering and   | Address translation at     | Preferred lifetime per prefix;
 Multi-homing      | border                     | multiple addresses per
                   |                            | interface

Chris Palmer wrote:

> There's another feature of NAT that is desirable that has not yet been mentioned, and which at least some customers may be cognizant of: the fact that NAT is a pretty restrictive firewall.

NAT != Firewall - despite all the marketing to the contrary, the artifact of lack of state is not a firewall. Marketing needs to be retrained that an IPv6 context based firewall will provide more comprehensive security that doesn't mangle headers in the process. Assuming this is implemented in the 'plug-n-play' model as Fred suggests, sales could easily surpass NAT.

Richard Shockey wrote:

> I think the problem the Internet Engineering community has had is that we have not taken out to lunch some of our friends in Economic Theory who would help us understand the IPV6 adoption problem for what it is: an economic, not a technical, issue.

Yes, deployment will be gated by economic factors. The problem the IETF and the transit network operator community keep overlooking is that the economic costs are not down in the plumbing. The costs are in application development and end system/LAN administration. Once the application development community recognizes that it is cheaper for them to build over IPv6 than to retain small armies to develop NAT workaround hacks or deal with the additional support costs from that complexity, and that through tunneling they don't have to wait for lethargic operators to move first, there will be plenty of economic motivation for deployment. The hard part is getting the word out, because the IETF still isn't serious about making IPv6 the default protocol for all work, and the operations community continues to spread FUD about the useful lifetime of IPv4. As several people have pointed out on this list recently, people can't get the space they want today,
Re: Why people by NATs
Technically true, of course. However, most SOHO sites look for a zero-order level of protection against the random worm trying to connect to an open TCP port on the average Windows machine (especially one set up for file/print sharing on the SOHO network), and NAT does that just fine. IPv6 marketing has to take this into account, with a deliberate "here is why the IPv6 gateway provides the same default protection as NAT..." FAQ entry.

On Nov 22, 2004, at 18:00, Fred Baker wrote:
> would that it were true. In fact, it is pretty easy to breach. All one has to do is ddos with the right port prefix, observe a response of any kind, and you can ddos right through it. An actual stateful firewall is a good thing. NAT mostly has the effect of deluding the person behind it into thinking they have a security solution. Screen doors are a good thing. They should be confused neither with storm doors nor effective insect inhibitions in the home...

Hans Kruse, Associate Professor
J. Warren McClure School of Communication Systems Management
Adjunct Associate Professor of Electrical Engineering and Computer Science
292 Lindley Hall, Ohio University, Athens, OH, 45701
740-593-4891 voice, 740-593-4889 fax
RE: Why people by NATs
At [time not preserved], Richard Shockey wrote:
> > I think the problem the Internet Engineering community has had is that we have not taken out to lunch some of our friends in Economic Theory who would help us understand the IPv6 adoption problem for what it is: an economic, not a technical, issue.
>
> > > Yes, deployment will be gated by economic factors. The problem the IETF and the transit network operator community keep overlooking is that the economic costs are not down in the plumbing. The costs are in application development and end system/LAN administration.
>
> This is an excellent point that focuses on the real issue of economics. If these inhibitors can be more specifically quantified I'd feel a lot more hopeful that one could create a pricing model that drives demand.
>
> So you would say the transit operators will not SELL the product since the customer (end user and/or enterprise) cannot support it, or they cannot afford the upgrades to existing edge infrastructure (Cisco, Juniper, usual suspects, MS et al.) necessary to support the transition?
>
> Part of the problem of course is the false perception, perpetuated by countless commentators, that NATs are a better security measure than firewalls.
>
> I still think V4 to V6 pricing for numbering will and should play a role.
>
> > > Once the application development community recognizes that it is cheaper for them to build over IPv6 than to retain small armies to develop NAT workaround hacks or deal with the additional support costs from that complexity, and that through tunneling they don't have to wait for lethargic operators to move first, there will be plenty of economic motivation for deployment.
>
> Well, the good news is that SIP, principally among other new and emerging realtime applications driven by explosive residential broadband deployment, is forcing the issue. The frog is in the pot and the water temperature is rising. Given the general state of denial it is likely that the water will boil before the dead frog wakes up to notice.

Well, if the frog is V4, let it cook ...

Tony

> Richard Shockey, Senior Manager, Strategic Technology Initiatives
> NeuStar Inc.
> 46000 Center Oak Plaza - Sterling, VA 20166
> sip:rshockey(at)iptel.org sip:[EMAIL PROTECTED]
> ENUM +87810-13313-31331
> PSTN Office +1 571.434.5651 PSTN Mobile: +1 703.593.2683, Fax: +1 815.333.1237
> mailto:richard(at)shockey.us or mailto:richard.shockey(at)neustar.biz
> http://www.neustar.biz ; http://www.enum.org
Re: Why people by NATs
At 2:49 PM -0500 11/22/04, Eric S. Raymond wrote:
> Actually, I do set up static addresses. I'd use DHCP, but if I did that I would not be able to refer to the machines on my local net by name. Until my DHCP client can update my DNS tables with name information on the fly, I'll keep doing it this way. Apple's zeroconf technology solves this problem, albeit in a slightly different way, but Linux doesn't deploy it yet. I don't think my situation is unique.

It isn't... I do exactly the same thing since Rendezvous (Apple's zeroconf) doesn't quite work across our mix of resources...

--
You can't depend on your judgement when your imagination is out of focus. -- Mark Twain.

Ari Ollikainen, OLTECO, Networking Architecture Technology
P.O. BOX 20088, Stanford, CA 94309-0088
[EMAIL PROTECTED]
415.517.3519
RE: Why people by NATs
Hi Tony,

Your enclosed feature comparison list is a fine list. However, the sooner the residential gateway feature set is expanded to cover support of tunneling IPv6 running on top of IPv4 as a bearer, the faster you will see IPv6 deployed. Why build in a dependency on the carriers moving to IPv6 when you don't have to?

Here is the SAT test question related to IPv6 transition:

Q: IPv6 is to IPv4 as
a) IPv4 to X.25
b) IPv4 to ISDN
c) IPv4 to ATM
d) all of the above

regards,
peterf
RE: Why people by NATs
On Mon, 22 Nov 2004, Peter Ford wrote:
> Hi Tony,
>
> Your enclosed feature comparison list is a fine list. However, the sooner the residential gateway feature set is expanded to cover support of tunneling IPv6 running on top of IPv4 as a bearer, the faster you will see IPv6 deployed. Why build in a dependency on the carriers moving to IPv6 when you don't have to?

Ok, I'll bite. Who do you propose to tunnel to by default in all these embedded devices? Do you give users a choice of tunnel brokers? Does it work out of the box? Do you give them one address, or how large an allocation, or what?

Scott

> Here is the SAT test question related to IPv6 transition:
>
> Q: IPv6 is to IPv4 as
> a) IPv4 to X.25
> b) IPv4 to ISDN
> c) IPv4 to ATM
> d) all of the above
>
> regards,
> peterf

sleekfreak pirate broadcast
http://sleekfreak.ath.cx:81/