nanog mailing list archives

Re: quietly....


From: Jay Ashworth <jra () baylink com>
Date: Thu, 3 Feb 2011 00:23:54 -0500 (EST)

----- Original Message -----
From: "Matthew Palmer" <mpalmer () hezmatt org>
> You're thinking too small -- it's not that individual TCP connections have
> problems, it's that the ability to solve a given problem using connections
> and UDP packets is badly constrained by a lack of end-to-end connectivity.
> The proof is fairly obvious in the number of hacks that have been deployed
> to try and get around NAT's inadequacies: Skype supernodes, STUN, all the
> various conntrack helpers in netfilters, etc etc etc.

At last, some meat.  :-)

> Now, if you decide that none of those applications are important to you,
> sure, you can firewall them off as appropriate. But the pervasive
> deployment of NAT means that the set of problems that can be solved is
> constrained, and of the problems that *can* be solved, the solutions tend to
> be more complicated, harder to implement, understand, and so on, which has a
> cost to the community (higher prices, less solved problems, whatever your
> desired metric may be). I think that's what Blake is getting at with his TotC.

Perhaps.  I'm not sure that the collective importance of that difficulty
outweighs the collective danger of making all nodes of the Internet *as it
presently exists* publicly routable.

I don't know whether it's occurred to people that if you make every node
on the present day Internet routable, then *you've made every node on the
present day Internet routable*; the number of machines subject to 
more or less direct attack goes up (by a jackleg estimate I've just now
made up) by between 3 and 5 orders of magnitude.

I make jackleg estimates all the time; I don't believe I've ever had to 
say "5 orders of magnitude".


> Of course, I'm a tiny bit of a skeptic, as I really can't see how a stateful
> firewall can know which other connections / packets are related without a
> lot of the same dodgy shenanigans that go on now, but at least if you've
> gotten rid of the 1-to-N address mangling a fundamental stumbling block is
> removed and people can get on and solve the remaining (tractable) problems.

That is problematic as well, isn't it?

It speaks directly to the attack-surface comment I just made in another reply.

I'm going to bed now, which will reduce the number of replies the "aw crap,
is he really going to beat this dead horse again?" crowd will have to
skip.  :-)

Cheers,
-- jra
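The two positions above, that a stateful firewall rather than 1-to-N address mangling is what actually keeps unsolicited inbound traffic off hosts, and that making every node routable enlarges the set of machines open to direct attack, can be reconciled in a single ruleset. The following nftables policy is an added example, not code from either poster; the interface names lan0/wan0, the 2001:db8::/48 prefix and the one exposed mail host are assumed.

```nft
# Added example: stateful default-deny forwarding for a globally routable
# IPv6 prefix, with no NAT. lan0/wan0, 2001:db8::/48 and the exposed host
# 2001:db8:0:1::25 are assumed values, not from the thread.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Conntrack supplies the "is this a reply / related flow" decision.
        # This is the same tracking a NAT box relies on, minus the rewriting;
        # the ALG-style helpers Matthew mentions still live here under "related".
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything outbound (source must be ours).
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8::/48 accept

        # ICMPv6 that IPv6 needs to function across a filter (RFC 4890):
        # PMTUD and error reporting. Echo is a local policy choice.
        iifname "wan0" oifname "lan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } limit rate 10/second accept

        # Routable is not reachable: expose services one at a time, explicitly.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:0:1::25 \
            tcp dport 25 ct state new accept

        # Everything else from outside hits the chain's drop policy.
        # Sampled logging so new inbound attempts are visible to ops.
        iifname "wan0" ct state new limit rate 5/minute log prefix "fwd-drop: "
    }
}
```

Every inside host keeps a public address, yet only the single host and port listed above can be reached from wan0 without first being contacted from inside; the attack-surface growth Jay describes is bounded by what this chain explicitly accepts, not by how many addresses route.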
