nanog mailing list archives
Re: quietly....
From: Matthew Palmer <mpalmer () hezmatt org>
Date: Thu, 3 Feb 2011 16:13:11 +1100
On Wed, Feb 02, 2011 at 11:45:49PM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> From: "Blake Dunlap" <ikiris () gmail com>
>
> > On Wed, Feb 2, 2011 at 22:34, Jay Ashworth <jra () baylink com> wrote:
> > > I won't run an edge-network that *isn't* NATted; my internal machines
> > > have no business having publicly routable addresses. No one has *ever*
> > > provided me with a serviceable explanation as to why that's an invalid
> > > view.
> >
> > Quite simply, it's called Tragedy of the Commons. Everyone else has to
> > work harder to provide you services if you are using something which
> > breaks end to end connectivity, which costs everyone else money. The
> > protocol designers are making a stand against this for the good of the
> > "commons".
>
> You'll have to document "everyone has to work harder to provide me
> services"; this is not my first rodeo, and TTBOMK, it's *transparent* to
> the other end of any connection out of my edge network that it's NATted
> at my end. As for incoming connections, it's transparent to them as well
> -- and which ones are valid targets for such connections *is a policy
> decision of mine*, not subject to external opinion.
You're thinking too small -- it's not that individual TCP connections have problems, it's that the ability to solve a given problem using connections and UDP packets is badly constrained by a lack of end-to-end connectivity. The proof is fairly obvious in the number of hacks that have been deployed to try and get around NAT's inadequacies: Skype supernodes, STUN, all the various conntrack helpers in netfilter, etc etc etc.

Now, if you decide that none of those applications are important to you, sure, you can firewall them off as appropriate. But the pervasive deployment of NAT means that the set of problems that can be solved is constrained, and of the problems that *can* be solved, the solutions tend to be more complicated, harder to implement, understand, and so on, which has a cost to the community (higher prices, fewer solved problems, whatever your desired metric may be). I think that's what Blake is getting at with his TotC.

Of course, I'm a tiny bit of a skeptic, as I really can't see how a stateful firewall can know which other connections / packets are related without a lot of the same dodgy shenanigans that go on now, but at least if you've gotten rid of the 1-to-N address mangling a fundamental stumbling block is removed and people can get on and solve the remaining (tractable) problems.

- Matt
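The STUN-style workaround Matt lists above, and the reason it only sometimes works, can be shown with a small model. The following is an added example, not code from the thread or from any NAT implementation: a toy NAT with two mapping behaviours in RFC 4787 terms (endpoint-independent mapping versus address-and-port-dependent mapping, the latter often called "symmetric"), and a simulated hole punch in which two hosts learn their reflexive addresses from a STUN-like server, exchange them out of band, and then send to each other. The filtering rule (address-and-port-dependent), the port allocation, the addresses and the hosts are all assumptions made up for the example.

```python
# Added example (not from the NANOG thread or any real NAT): a toy model of
# two NAT mapping behaviours and a STUN-style UDP hole punch. All addresses,
# ports and hosts below are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

STUN_SERVER: Endpoint = ("203.0.113.10", 3478)  # assumed public server


@dataclass
class Mapping:
    internal: Endpoint                  # private (ip, port) owning the external port
    external_port: int
    peers: Set[Endpoint] = field(default_factory=set)  # external endpoints sent to


@dataclass
class Nat:
    public_ip: str
    # True: endpoint-independent mapping (RFC 4787 REQ-1): one external port per
    # internal source, whatever the destination.
    # False: address-and-port-dependent mapping ("symmetric"): a fresh external
    # port for every (source, destination) pair.
    endpoint_independent: bool
    next_port: int = 40000
    table: Dict[object, Mapping] = field(default_factory=dict)

    def _key(self, src: Endpoint, dst: Endpoint) -> object:
        return src if self.endpoint_independent else (src, dst)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; return the public (ip, port) it leaves with."""
        key = self._key(src, dst)
        m = self.table.get(key)
        if m is None:
            m = Mapping(src, self.next_port)
            self.next_port += 1
            self.table[key] = m
        m.peers.add(dst)  # filter state: this port has now talked to dst
        return (self.public_ip, m.external_port)

    def inbound(self, dst: Endpoint, src: Endpoint) -> Optional[Endpoint]:
        """Translate an inbound packet; return the private endpoint, or None if dropped.

        Assumed address-and-port-dependent filtering: forwarded only if the mapping
        owning dst's port has previously sent to exactly src. Unsolicited packets,
        and packets from a peer seen on a different port, are dropped."""
        for m in self.table.values():
            if (self.public_ip, m.external_port) == dst and src in m.peers:
                return m.internal
        return None


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Simulate two hosts behind nat_a and nat_b punching a UDP hole to each other."""
    a: Endpoint = ("10.0.0.2", 5000)       # host behind nat_a (constructed)
    b: Endpoint = ("192.168.1.2", 6000)    # host behind nat_b (constructed)

    # Step 1: each host sends to the STUN server and learns its reflexive address.
    a_refl = nat_a.outbound(a, STUN_SERVER)
    b_refl = nat_b.outbound(b, STUN_SERVER)

    # Step 2 (signalling, assumed to happen via the server): addresses are swapped.
    # Step 3: each host sends a packet to the other's reflexive address. Under an
    # endpoint-independent mapping this reuses the port the server saw; under an
    # address-and-port-dependent mapping it allocates a new one.
    a_src_pub = nat_a.outbound(a, b_refl)
    b_src_pub = nat_b.outbound(b, a_refl)

    # Step 4: those packets arrive at the far NAT addressed to the reflexive port.
    a_got = nat_a.inbound(a_refl, b_src_pub)
    b_got = nat_b.inbound(b_refl, a_src_pub)
    return a_got == a and b_got == b


def demo() -> Dict[str, bool]:
    return {
        "eim_both": hole_punch(Nat("198.51.100.1", True), Nat("198.51.100.2", True)),
        "symmetric_both": hole_punch(Nat("198.51.100.1", False), Nat("198.51.100.2", False)),
        "eim_vs_symmetric": hole_punch(Nat("198.51.100.1", True), Nat("198.51.100.2", False)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'punched' if ok else 'blocked'}")
```

With endpoint-independent mapping on both sides the punch succeeds, because the port each host exposed to the server is the same one it uses toward the peer; with a symmetric NAT on either side the peer's packet arrives at a port whose filter has only ever seen the server, and is dropped. An unsolicited packet to a public port with no mapping at all is dropped too, which is the property Jay is relying on; the cost Matt describes is that reaching anything behind the NAT, even deliberately, requires the reflexive-address dance and still fails for one of the common mapping behaviours.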