Politech mailing list archives

Replies to John Walker, NATs, and lights going out on Internet


From: Declan McCullagh <declan () well com>
Date: Tue, 23 Mar 2004 02:12:34 -0500



-------- Original Message --------
Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
Date: Tue, 23 Mar 2004 00:47:28 +0100 (CET)
From: Thomas Shaddack <shaddack () ns arachne cz>
To: Declan McCullagh <declan () well com>
References: <405F2A71.7060102 () well com>


The issue is serious, but not as hot as it may seem. There are powerful
counter-forces in the game.

First, not all the customers are know-nothing sheep, and many of the
others insist on using features that don't play well with NAT, e.g. various
P2P telephony products or - more often - multiplayer games. Both these
subgroups drive demand for non-NAT connection, and hopefully educate
other potential customers.

Then there is the pending IPv6 roll-out. Japan and China, with their IPv4
address space lack, drive this; once they succeed, other countries will
follow; there are some IPv6 efforts in Europe (don't ask me for details).

Even without that, the very architecture of the world is fundamentally
P2P; people know each other, are friends or business partners. If both
sides of a want-to-make phone call are locked behind a NAT, they need a
third party to act as a packet reflector. If at least one of them has a
friend who operates a suitable server, their day is saved. With a suitable
micropayment architecture, providers of such packet mirrors could become a
cozy niche market. A suitable protocol for discovery of the best packet
mirror with least line latency and least load would have to be developed,
but that is something far within the existing technological limits. VoIP
presents special challenge because of its sensitivity to latencies, but
all kinds of other transfers could be done that way as well. Or, instead
of micropayments, some ISPs could offer a subscription service for a
connection negotiation service; $5 per gigabyte is something many people
would be willing to pay, while keeping the service profitable, as it can
be located on cheap fat pipe with a single IP, if a suitable protocol
would be designed.

NAT is a threat to the current paradigm of the Net. However, the
individual-as-publisher role isn't necessarily endangered. Though some
creativity and forethought on the side of the developers is likely to be
required.

The basic rule is to never lose hope. There is always a solution.






-------- Original Message --------
Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
Date: Mon, 22 Mar 2004 13:00:57 -0800
From: Brad Templeton <btm () templetons com>
Organization: http://www.templetons.com/brad
To: Declan McCullagh <declan () well com>
CC: politech () politechbot com
References: <405F2A71.7060102 () well com>


While agreeing with John on the evils of NAT, there is, to use
a delicious pun, light at the end of the tunnel.

I have real optimism for the deployment of IPv6, thanks to a
decision by Microsoft to embrace it.  They have put not just
v6 support into XP, but also support for automatic 6 over 4 tunnels,
allowing disconnected islands of IPv6 to communicate.

More is needed, of course.  The NAT vendors should put in support
for v6 and the tunnels (though the ones MS is using don't need
that support directly from most NATs).   And the ISPs should
support it -- when I asked my own small ISP for v6, he said I
was the first to ask.

(I wonder if with some ISPs the fact that they get to charge
monthly rental for static v4 addresses encourages them to delay?)

In addition, we're getting much better at NAT penetration for
UDP.  In general, it can be done for 90% of users behind typical
household NATs, though a central "introduction" server, on the
real internet, is needed.

Skype, which many of you have seen, does a very seamless job of
NAT penetration, presumably relying on unknowing P2P proxies for
those 10% of users behind symmetric NATs.

Microsoft fortunately (in this case) has the power to pressure
NAT vendors, router vendors and ISPs to support what it wants
supported.





-------- Original Message --------
Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
Date: Mon, 22 Mar 2004 19:43:45 -0800
From: mournian () sandiego edu
To: Declan McCullagh <declan () well com>
References: <405F2A71.7060102 () well com>

In other words, That's the Night the Lights went out in Georgia. The Big Boys
are building the walls, and closing the gates. No more freestyle on the
Internet.

Tony





-------- Original Message --------
Subject: RE: [Politech] John Walker on NAT and "lights going out across the Internet"
Date: Mon, 22 Mar 2004 20:34:29 -0800
From: Ali Farshchian <ali () circleid com>
To: Declan McCullagh <declan () well com>

Some related CircleID posts and discussions on John Walker's...

- "Lights Going Out on the Internet? Not Just Yet"
http://www.circleid.com/article/453_0_1_0_C/

"In his article titled, "End of Life Announcement", John Walker (author of
the Speak Freely application) makes a few arguments about Network Address
Translation (NAT) that are simply not true..."

There has been quite a number of interesting discussions on the topic of
Network Address Translation (NAT) on CircleID which may also be of interest
to Politech readers:

- "IP or NAT IP: Mostly IP"
http://www.circleid.com/article/494_0_1_0_C/

- "Why NAT Isn't As Bad As You Thought"
http://www.circleid.com/article/447_0_1_0_C/

- "NAT: Just Say No"
http://www.circleid.com/article/355_0_1_0_C/




-------- Original Message --------
Subject: Re: [Politech] John Walker on NAT and 'lights going out across the Internet'
Date: Mon, 22 Mar 2004 13:13:40 -0800 (PST)
From: Barclay McInnes <barc () netdud com>
To: <declan () well com>
References: <405F2A71.7060102 () well com>

Hi Declan;
     Normally I'd let this pass, but Mr. Walker is either really thick
headed (which I doubt very much considering his background and the
work he's done) or is being deliberately disingenuous/misleading.


>      A user behind a NAT box is no longer a peer to other sites on the
> Internet.

This statement by itself is correct.

> Since the user no longer has an externally visible Internet Protocol
> (IP) address (fixed or variable), there is no way (in the general
> case--there may be "workarounds" for specific NAT boxes, but they're
> basically exploiting bugs which will probably eventually be fixed) for
> sites to open connections or address packets to his machine. The user
> is demoted to acting exclusively as a client.

This is most assuredly not correct.  Pretty much every NAT device or
software package on the market allows the user(s) to specify whether or
not they want to pass ports through to a particular machine inside the
private network.  These are not "bugs" but rather features, prominent
features at that.  The catch is that you cannot arbitrarily pass the same
port to several machines unregulated, but only one.

> While the user can
> contact and freely exchange packets with sites not behind NAT boxes, he
> cannot be reached by connections which originate at other sites.

Unless the user has specified that port X goes to his machine inside the
network.  I do this all day, working with a boatload of machines that are
behind NAT boxes.  In fact, my company's servers are all behind a NAT
device.  This includes a web server, a mail server, a DNS server, and an
LDAP server.  All I do is pass the particular port on to the appropriate
box (80 for web, 25, 110 and 143 for mail, etc).
    There are several advantages to doing this, one is of course
dramatically improved security.  A lot of exploits will open obscure
ports to the cracker in question to allow them access.  With my
situation, even if someone did get that port open, they can't use it
because that port is only open if you're on the private NAT network.

> In
> economic terms, the NATted user has become a consumer of services
> provided by a higher-ranking class of sites, producers or publishers,
> not subject to NAT.
>

And this is different from all of those temporary DHCP'd dial-up users
that were predominant in the 90's and early 2000s how?

>      There are powerful forces, including government, large media
> organisations,
> and music publishers who think this situation is just fine.

This is tin-foil hattery at its finest.  The music industry for example
couldn't tell you what NAT even stands for, much less what it does.  And
Napster, Kazaa, Limewire, Morpheus and all of those other "enemy of the
musician's rights" softwares all work just peachy keen through NATs
anyway.

> In essence,
> every time a user--they love the word "consumer"--goes behind a NAT
> box, a site which was formerly a peer to their own sites goes dark, no
> longer accessible to others on the Internet, while their privileged
> sites remain. The lights are going out all over the Internet. My paper,
> The Digital Imprimatur, discusses the technical background, economic
> motivations, and social consequences of this in much more (some will
> say tedious) detail.

     This sounds like a lament for the destruction of the early 90's
Internet, and it is.  It is a damn shame, I will admit.  I too would
love to have those days back, but it's not going to happen.

> Suffice it to say that, as the current migration
> of individual Internet users to broadband connections with NAT proceeds,
> the population of users who can use a peer to peer telephony product
> like Speak Freely will shrink apace. It is irresponsible to encourage
> people to buy into a technology which will soon cease to work.

     Simply put, NAT makes sense for too many reasons not to do it.  The
worm issue alone is sufficient argument for NAT.  Frankly, I think all
broadband users should use NAT devices, as soon as possible.  It's
all these broadband users who have no concept of security (nor should
they be expected to, based on their level of expertise with
computers) who are the principle problem whenever one of these new
worms is released.  All of their machines are directly on the
Internet, waiting for their neighbor's infected machine to come
infect them too, and then when they get infected, their box starts
scanning around, looking for victims of its own.
     That couldn't happen if they were behind a NAT device, since the
necessary direct connection to the potential victim isn't there.
Even a security program running on the machine like BlackICE defender
is not sufficient, as last week's worm that specifically exploits
that package demonstrated.
     This is a real issue.  Here's an anecdote about how bad it is.  I
reinstalled Windows XP on a box at an acquaintance's residence who
has broadband cable.  After XP was installed, I connected to the
broadband connection, to do all of the Windows updates (including the
security updates).  Before we had finished getting the list of
updates from Windows Update, the newly installed machine had already
become infected with a worm.  We're talking less than 10 minutes on
the connection!  I formatted the drive again, redid XP again, and
drove it over to my place to do the updates from behind my NAT.
Afterwards I told my acquaintance to go buy a NAT device immediately.
From that moment forward I was convinced that everyday joes using
broadband should not ever have a direct connection to the 'net.

     Mr. Walker's Speak Freely will not work directly behind a NAT
*without the user taking extra steps to enable it*, and for his
package that is unfortunate.  But there are a raft of other packages
that will work just as well or better.  Asterisk is one
(www.asterisk.org), Teamspeak (www.teamspeak.org), etc.  There's a
bit of effort involved with getting all of these packages to work,
but that's on setting up a server.  Once that's going, anyone behind
NATs will have no issues.

     It just seems to me that it's grossly unfair for him to classify NAT
as a bad thing because in no small part his software won't work
anymore without extra user effort.  I agree that NAT could have the
effects he describes and be a Very Bad Thing indeed if your ISP
suddenly decided to put all of their customers on a private network,
but that's not how NAT is used in today's world.  Everyone gets a
real IP address, and the NAT box that they have control of goes on
that, and lets everyone in the house connect to it from there.  Or,
in the business world, everyone at the office is behind a NAT that
the company has set up.  And in the business world, you're there to
work, not use peer-to-peer apps anyway.  If something is being
blocked by the NAT that is important to the company, the person
running the NAT will be able to adjust to allow it through.  No
problem.

Barclay McInnes







-------- Original Message --------
Subject: Re: "The lights are going out all over the Internet"
Date: Mon, 22 Mar 2004 14:55:31 -0600
From: Mike Schneider <mike1 () usfamily net>
To: Declan McCullagh <declan () well com>, politech () politechbot com
References: <405F2F9E.9020901 () well com>


(I posted the author's piece in another group, and saw the following
response. -- Mike.)


To: <Individual-Sovereignty () yahoogroups com>
From: "Scott Jordan" <scott_c_jordan () yahoo com>
Date: Mon, 22 Mar 2004 11:41:53 -0800
Subject: RE: [I-S] "The lights are going out all over the Internet"
Reply-To: Individual-Sovereignty () yahoogroups com

"While the user can contact and freely exchange packets with sites not
behind NAT boxes, he cannot be reached by connections which originate
at other sites. In economic terms, the NATted user has become a
consumer of services provided by a higher-ranking class of sites,
producers or publishers, not subject to NAT. There are powerful forces,
including government, large media organisations, and music publishers who
think this situation is just
fine. In essence, every time a user--they love the word
"consumer"--goes behind a NAT box, a site which was formerly a peer
to their own sites goes dark, no longer accessible to others on the
Internet, while their privileged sites remain. The lights are going
out all over the Internet."


Loon.

He ignores the fundamental animating notion of the Internet, which is a
"network of networks".  It was never meant to be a peer-to-peer thing.

Besides, it is almost trivially simple to poke a hole in any NAT-based
router for specific purposes.  This does not necessitate "exploitation" of
"bugs" but rather the utilization of the DMZ and port-forwarding features of
virtually all routers.

He also ignores a sincerely beneficial utility of NAT-based routers, which
is to serve as a cloaking device for the PCs behind them.  That is
emphatically *not* in the best interests of the shadowy forces he lists
towards the end, nor for hackers.  The broad popularity of NAT-based routers
also represents a significant evolutionary step for individuals' use of the
Internet.  Now entire families and groups can share broadband, formerly a
luxury afforded to only a privileged few.  The necessary technology--NAT--is
available for less than $35 at any computer store, even in wireless form
(cf. my Belkin 802.11b wireless router with four-port hard-wired 10/100
switching router).  Seven years ago a NAT-based router cost over
$20,000--and forget about wireless--meaning individuals and groups had to
deal with dialup.  A 1997 PC World magazine I nabbed the other day features
a review which debates the merits of 33k vs 56k modems!

There are many other, more legitimate reasons to opine that "lights are
going off all over the Internet", such as lack of venture funding [gasp!
capitalism!] and copyright enforcement by music vendors [ditto] and the
metastasization of spam [which has resulted in ISPs blocking email servers
sited on home DSL lines], but NAT isn't one of 'em.  It may have posed
obstacles to "Speaking Freely"'s antique technology, however.

The guy needs some cheese and crackers with his whine.

--S.


Mike.




-------- Original Message --------
Subject: RE: [Politech] John Walker on NAT and "lights going out across the Internet"
Date: Mon, 22 Mar 2004 14:15:31 -0800
From: Ilya Haykinson
To: 'Declan McCullagh' <declan () well com>

Declan,

[please remove email address if you forward]

In my opinion, the problem is easily solved with firewalls / NAT devices
that support UPnP -- which provides for applications on PCs behind firewalls
to ask the NAT to open up a particular port.

If Speak Freely wants to allow peer-to-peer connections, it should use UPnP
(which is a standard and has been in many if not most popular broadband
routers for at least a year now) to make sure that it can communicate.

I think it's a little bit silly to try to find a sinister plot or a problem
of epic proportions in the world getting NAT'ed when a solution is available
and allows the best of both worlds: firewall protection without destroying
the interconnectedness of the network.

-ilya haykinson
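Brad's claim that UDP NAT penetration works for most household NATs but not symmetric ones, Barclay's point that a port-forward is a feature pinning one external port to one inside host, and Ilya's UPnP suggestion all come down to how a NAT builds its mapping table. The following toy model is added here for illustration and is not code from any of the posters or from Speak Freely; the NAT semantics (port-restricted cone vs. symmetric, simultaneous sends, no timing), the addresses and the port numbers are constructed assumptions.

```python
"""Toy NAT model (constructed): static forwards vs. dynamic mappings.

A "cone" NAT reuses one external port per inside socket; a "symmetric" NAT
allocates a fresh one per (inside socket, destination) pair. Return traffic
is accepted only from destinations the inside host already sent to
(port-restricted cone). Both peers are assumed to send at the same time.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    public_ip: str
    symmetric: bool = False
    forwards: Dict[int, Addr] = field(default_factory=dict)      # ext port -> inside host
    mappings: Dict[object, Addr] = field(default_factory=dict)   # dynamic table
    allowed: Dict[Addr, Set[Addr]] = field(default_factory=dict)  # ext addr -> peers sent to
    ports: count = field(default_factory=lambda: count(40000))

    def add_port_mapping(self, ext_port: int, inside: Addr) -> None:
        """Admin port-forward, or what a UPnP-style request from an inside host
        installs: one external port goes to exactly one inside host."""
        self.forwards[ext_port] = inside

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Inside host src sends to dst; returns the public address it appears from."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, next(self.ports))
        ext = self.mappings[key]
        self.allowed.setdefault(ext, set()).add(dst)
        return ext

    def inbound(self, src: Addr, dst: Addr) -> Optional[Addr]:
        """Outside host src sends to our public dst; inside address, or None if dropped."""
        if dst[0] != self.public_ip:
            return None
        if dst[1] in self.forwards:            # static mapping: always delivered
            return self.forwards[dst[1]]
        for key, ext in self.mappings.items():
            if ext == dst and src in self.allowed[ext]:
                return key[0] if self.symmetric else key
        return None                             # unsolicited packet: dropped


def hole_punch(nat_a: Nat, a: Addr, nat_b: Nat, b: Addr, server: Addr) -> bool:
    """Brad's 'introduction server' dance: both peers contact the server, learn
    each other's server-observed public address, then send to it at once.
    True only if packets get through in both directions."""
    a_pub = nat_a.outbound(a, server)
    b_pub = nat_b.outbound(b, server)
    a_to_b = nat_a.outbound(a, b_pub)   # on a symmetric NAT this gets a NEW port
    b_to_a = nat_b.outbound(b, a_pub)
    reached_b = nat_b.inbound(a_to_b, b_pub) == b
    reached_a = nat_a.inbound(b_to_a, a_pub) == a
    return reached_a and reached_b


def run_punch(sym_a: bool, sym_b: bool) -> bool:
    """Hole punch between two homes with the given NAT types (constructed addresses)."""
    nat_a = Nat("203.0.113.1", symmetric=sym_a)
    nat_b = Nat("203.0.113.2", symmetric=sym_b)
    server = ("198.51.100.10", 3478)
    return hole_punch(nat_a, ("192.168.1.10", 5000), nat_b, ("192.168.1.20", 5000), server)


def port_forward_demo() -> Tuple[Optional[Addr], Optional[Addr]]:
    """Barclay's setup: port 80 forwarded to one inside web server, even behind
    a symmetric NAT; an unforwarded port (8080) stays closed to outsiders."""
    nat = Nat("203.0.113.1", symmetric=True)
    nat.add_port_mapping(80, ("192.168.1.10", 80))
    client = ("198.51.100.7", 51234)
    return (nat.inbound(client, ("203.0.113.1", 80)),
            nat.inbound(client, ("203.0.113.1", 8080)))


if __name__ == "__main__":
    print("cone <-> cone:", run_punch(False, False))       # True
    print("cone <-> symmetric:", run_punch(False, True))   # False
    print("forwarded 80 / unforwarded 8080:", port_forward_demo())
```

Real NATs vary (full-cone NATs accept from any source; some symmetric NATs allocate ports predictably), so a real implementation probes the NAT type first instead of assuming it.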


-------- Original Message --------
Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
Date: Mon, 22 Mar 2004 13:20:41 -0800
From: Tim Pozar <pozar () lns com>
To: Declan McCullagh <declan () well com>
CC: politech () politechbot com
References: <405F2A71.7060102 () well com>

On Mon, Mar 22, 2004 at 01:03:29PM -0500, Declan McCullagh wrote:
> [I missed this the first time around. The topic is Speak Freely, but the
> implications of John's essay are far broader. It's worth a read. --Declan]

A much more thorough treatment of how the Internet is losing its
ability to support democratic (aka. P2P, etc.) communication is
John's essay called "The Digital Imprimatur" at:

        http://www.fourmilab.ch/documents/digital-imprimatur/

He outlines what many of us have been concerned about for more than
a decade now: the Internet will be, or is now, just a pipe for major
content providers to push their product.

Tim
--

How big brother and big media can put the Internet genie back in
the bottle.

by John Walker
September 13th, 2003
Revision 4 -- November 4th, 2003

    imprimatur 1. The formula (=`let it be printed'), signed by an
    official licenser of the press, authorizing the printing of a
    book; hence as sb. an official license to print.

    The Oxford English Dictionary (2nd. ed.)

Introduction

Over the last two years I have become deeply and increasingly
pessimistic about the future of liberty and freedom of speech,
particularly in regard to the Internet. This is a complete reversal
of the almost unbounded optimism I felt during the 1994-1999 period
when public access to the Internet burgeoned and innovative new
forms of communication appeared in rapid succession. In that epoch
I was firmly convinced that universal access to the Internet would
provide a countervailing force against the centralisation and
concentration in government and the mass media which act to constrain
freedom of expression and unrestricted access to information.
Further, the Internet, properly used, could actually roll back
government and corporate encroachment on individual freedom by
allowing information to flow past the barriers erected by totalitarian
or authoritarian governments and around the gatekeepers of the
mainstream media.

So convinced was I of the potential of the Internet as a means of
global unregulated person-to-person communication that I spent the
better part of three years developing Speak Freely for Unix and
Windows, a free (public domain) Internet telephone with military-grade
encryption. Why did I do it? Because I believed that a world in
which anybody with Internet access could talk to anybody else so
equipped in total privacy and at a fraction of the cost of a telephone
call would be a better place to live than a world without such
communication.

Computers and the Internet, like all technologies, are a double-edged
sword: whether they improve or degrade the human condition depends
on who controls them and how they're used. A large majority of
computer-related science fiction from the 1950's through the dawn
of the personal computer in the 1970's focused on the potential for
centralised computer-administered societies to manifest forms of
tyranny worse than any in human history, and the risk that computers
and centralised databases, adopted with the best of intentions,
might inadvertently lead to the emergence of just such a dystopia.

The advent of the personal computer turned these dark scenarios
inside-out. With the relentless progression of Moore's Law doubling
the power of computers at constant cost every two years or so, in
a matter of a few years the vast majority of the computer power on
Earth was in the hands of individuals. Indeed, the large organisations
which previously had a near monopoly on computers often found
themselves using antiquated equipment inferior in performance to
systems used by teenagers to play games. In less than five years,
computers became as decentralised as television sets.

But there's a big difference between a computer and a television
set--the television can receive only what broadcasters choose to
air, but the computer can be used to create content--programs,
documents, images--media of any kind, which can be exchanged (once
issues of file compatibility are sorted out, perhaps sometime in
the next fifty centuries) with any other computer user, anywhere.

Personal computers, originally isolated, almost immediately began
to self-organise into means of communication as well as computation--indeed
it is the former, rather than the latter, which is their principal
destiny. Online services such as CompuServe and GEnie provided
archives of files, access to data, and discussion fora where personal
computer users with a subscription and modem could meet, communicate,
and exchange files. Computer bulletin board systems, FidoNet, and
UUCP/USENET store and forward mail and news systems decentralised
communication among personal computer users, culminating in the
explosive growth of individual Internet access in the latter part
of the 1990's.

Finally the dream had become reality. Individuals, all over the
globe, were empowered to create and exchange information of all
kinds, spontaneously form virtual communities, and do so in a totally
decentralised manner, free of any kind of restrictions or regulations
(other than already-defined criminal activity, which is governed
by the same laws whether committed with or without the aid of a
computer). Indeed, the very design of the Internet seemed technologically
proof against attempts to put the genie back in the bottle. "The
Internet treats censorship like damage and routes around it." (This
observation is variously attributed to John Gilmore and John Nagle;
I don't want to get into that debate here.) Certainly, authoritarian
societies fearful of losing control over information reaching their
populations could restrict or attempt to filter Internet access,
but in doing so they would render themselves less competitive against
open societies with unrestricted access to all the world's knowledge.
In any case, the Internet, like banned books, videos, and satellite
dishes, has a way of seeping into even the most repressive societies,
at least at the top.

Without any doubt this explosive technological and social phenomenon
discomfited many institutions who quite correctly saw it as reducing
their existing control over the flow of information and the means
of interaction among people. Suddenly freedom of the press wasn't
just something which applied to those who owned one, but was now
near-universal: media and messages which previously could be diffused
only to a limited audience at great difficulty and expense could
now be made available around the world at almost no cost, bypassing
not only the mass media but also crossing borders without customs,
censorship, or regulation.

To be sure, there were attempts by "the people in charge" to recover
some of the authority they had so suddenly lost: attempts to restrict
the distribution and/or use of encryption, key escrow and the Clipper
chip fiasco, content regulation such as the Computer Decency Act,
and the successful legal assault on Napster, but most of these
initiatives either failed or proved ineffective because the Internet
"routed around them"--found other means of accomplishing the same
thing. Finally, the emergence of viable international OpenSource
alternatives to commercial software seemed to guarantee that control
over computers and Internet was beyond the reach of any government
or software vendor--any attempt to mandate restrictions in commercial
software would only make OpenSource alternatives more compelling
and accelerate their general adoption.

This is how I saw things at the euphoric peak of my recent optimism.
Like the transition between expansion and contraction in a universe
with Ω greater than 1, evidence that the Big Bang was turning the
corner toward a Big Crunch was slow to develop, but increasingly
compelling as events played out. Earlier I believed there was no
way to put the Internet genie back into the bottle. In this document
I will provide a road map of precisely how I believe that could be
done, potentially setting the stage for an authoritarian political
and intellectual dark age global in scope and self-perpetuating, a
disempowerment of the individual which extinguishes the very
innovation and diversity of thought which have brought down so many
tyrannies in the past.

[...]





_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
