RE: Free NAT

["Brock, Todd A" <TB120060 () exchange DAYTONOH NCR com>]

Robert,
I think you are touching on something that I have suspected for some time
now.  Specifically that it is not a long term workable solution that
requires every single "host" have it's own globally unique IP address.
In the not to distant future our breaker panels, security systems, air
conditioners, toasters, etc. (ad vomiteum) will, all and every one, be
"network accessible".  I have thought for a while that  a scheme that
requires every single item that might need network connectivity to have a
unique global address is and will continue to be unworkable.  This is not to
say that NAT is a perfect solution, but rather that some form of
"masquerading" what is behind your access point to the world is the only
long term workable solution.

Not to mention the whole "portability" issue that causes such problems when
trying to switch providers, that is confounded by this type of addressing
situation.

I don't know, maybe I'm wrong...

Todd



> -----Original Message-----
> From: Robert Graham [SMTP:robert_david_graham () yahoo com]
> Sent: Wednesday, September 08, 1999 9:55 PM
> To:   Carl Brewer; firewall-wizards () nfr net
> Subject:      Re: Free NAT
>
> Ooh, now you've done it, triggering my pet-peeve. Time for you to suffer:
>
> <counterrant>
> While I don't particularly like NATs, most the disadvantages listed in
> http://www.ietf.org/internet-drafts/draft-iab-nat-implications-04.txt I
> would
> describe as advantages, starting with "NATs break the flexible End-to-End
> model
> of the Internet".
>
> I remember fondly an IETF meeting back in the early 1990s where the dire
> fate
> of the Internet address space depletion was discussed. This was the same
> meeting that SNMPv2 was introduced. I say "fondly" because I was really
> amused
> by the whole thing, namely that engineers really couldn't see the forest
> for
> the trees.
>
> In SNMPv2, authentication required a fixed network-layer address in the
> agent.
> SNMPv2 was designed to include AppleTalk, which refuses to give fixed
> network-layer addresses to end-nodes (it enforces the use of something
> similar
> to DHCP). QED: SNMPv2 only works on AppleTalk in theory, not practice (and
> it
> failed on TCP/IP in practice too, but that's a different story). 
>
> Likewise, the discussion of address-space depletion assumed that we never
> be
> able to renumber IP addresses. One of the reasons was that too many
> protocols
> (like SNMPv2) relied too heavily on fixed IP address, and that it would be
> impossible to reassign all existing addresses.
>
> The thing is, engineers get a thought into their head and assume that this
> is
> the way the world works. In that case, it was that every device had to
> have a
> fixed, unchanging, manually set IP address. Any proposed solutions that
> broke
> that rule were quickly discarded for much the same reason that engineers
> hate
> NAT/proxies today: it breaks people's fundamental assumptions of how the
> net
> should work.
>
> However, the concept of a fixed IP address WAS broken. For example, most
> websites use "non-portable" IP addresses, and in fact change their IP
> address
> rather regularly. DHCP, private addresses, and even NAT have likewise
> altered
> the model. The problem is not that NAT breaks authentication schemes based
> on
> IP addresses, the problem is that authentication schemes based themselves
> on IP
> addresses in the first place.
>
> Similarly, end-nodes have no real need to be "raw" on the Internet: they
> really
> should be behind a NAT/proxy/firewall. Anybody that has put BlackICE
> Defender
> (the personal intrusion detection product from my company) on their
> cable-modem
> @Home sees that they get scanned by hackers 10 times per day (Trojan
> probes,
> IMAP probes, web-server /cgi-bin scans, etc.)
>
> There is a similar document (I don't have the link off hand) that
> criticizes
> the aweful new trend of using HTTP as the "transport" for application
> (example:
> it breaks the ability of firewalls to filter them). Likewise, this
> document is
> only valid if you stick to the "old-school" of thought. In particular, the
> old-school of firewalls filtering by ports has already become obsolete.
>
> IPv6 is a great solution for the old-school, but merely a good solution
> for the
> new-school. The "network address" of "http://www.example.com/foo/bar"; has
> long
> ago supplanted addresses like 192.0.2.154, and IPv6 won't substantially
> change
> that fact.
> </counterrant>
>
> Rob.
>
> --- Carl Brewer <carl () bl echidna id au> wrote:
> > I'm not coming down on Robert here!
> >
> > <rant>
> > It's a shame that M$ are providing NAT, which even they know
> > is a bad technology (it was a M$ employee that wrote the IETF
> > case against NAT), and not IPv6.  Please don't lose focus!  NAT
> > is a short-term ugly broken hack, push your vendor(s) for IPv6
> > support!
> >
> > http://www.ietf.org/internet-drafts/draft-iab-nat-implications-04.txt
> > http://www.ietf.org/internet-drafts-ietf-iab-case-for-ipv6-04.txt
> >
> > If you're using, or worse, planning to use, NAT and you haven't 
> > read the above two documents, read them :)
> > </rant>
> >
> > Carl
>
>
> ===
> Robert Graham
> "Anxiously awaiting the millenium so I can start programming
> dates with 2-digits again."
> __________________________________________________
> Do You Yahoo!?
> Bid and sell for free at http://auctions.yahoo.com