China unveils next generation Internet
Mark T. Ganzer
ganzer at san.rr.com
Thu Dec 30 09:30:29 PST 2004
NAT is EVIL!! It breaks WAY too many things (ex: the AH component of
IPsec). An IP network consists of many more protocols than just TCP and
UDP (check out your /etc/protocols file sometime). Simple port forwarding
may work with simple TCP and UDP apps, but doesn't work with a number
of applications (VoIP, H.323, IPsec ESP). These apps have to have a proxy
or firewall that is intelligent enough to understand the app and know how
to re-write and process the header - even an app as simple as FTP
requires the firewall to "sniff" the control channel in order to determine
how to re-write the data channel packets. While all this may work in your
little SOHO environment, it doesn't scale well at all into large networks.
> begin quoting Tracy R Reed as of Wed, Dec 29, 2004 at 09:04:21PM -0800:
>> On Wed, Dec 29, 2004 at 07:25:27PM -0800, Stewart Stremler spake thusly:
>> > NAT and DHCP seem to take care of most of the IP-shortage issue, since
>> > *most* people neither want nor should use a publicly-accessible IP
>> > address.
>> I think we have discussed this before.
> Yup. :)
>> May as well give them routable
>> and a firewall device that only lets connections go out.
> Er, that's backwards. If you're going to give 'em a firewall device that
> only allows outgoing connections, you might as well use NAT.
> That's like saying "They don't really need a dual-processor system with
> a gigabyte of RAM, so we'll just disable one of the processors and three
> quarters of the RAM."
>> That way they
>> allow connections in should they ever want to. VOIP is one of many
>> protocols that you can't just forward a port for.
> So forward by protocol.
> Really, one of the really cool things about TCP/UDP is the "port" idea
> (which is widely rejected by the web-loving generation that thinks
> everything should be over port 80 anyway) that _lets_ stuff like port
> forwarding thru a NAT box work.
>> > "Only us freaks want globally routable static ip addresses"
>> Most people do, they just don't realize it yet.
> Don't buy it. You might as well say that most people want to dump
> the x86 architecture, but they just don't realize it yet. :)
> Seriously, IPv6 has a lot going for it, but it all but *requires* a
> working DNS setup, as the addresses aren't easily memorizable. This
> makes a home network that much more complicated, so the firewall
> widget *also* becomes a local DNS server. . .
> I'm not a big fan of complexity.
> Plus, the shortage of IP addresses has become a sky-is-falling problem,
> as we have been doomed for so long, and we haven't hit the wall yet. A
> sort of boy-cried-wolf attitude has set in (at least here in the states)
> because the prophets of doom did their job and got someone to do something
> about the problem (DHCP and NAT). That may have been a bad thing, in
> the long run, but it's one of those situations where "good enough" worked.
> I see /large/ installations having a use for IPv6, but not the average
> person. And with 6to4, the need for the Internet to go IPv6 is very
> small, especially if ip address blocks are being "given back" (like
> Stanford did in, what, 2000?).
> Should I ever get a 6to4 capable firewall/router, I'd probably _not_
> adopt the "use your MAC address" convention, but encode the local
> (NAT'd) IPv4 address instead.
> -Stewart "Still using /etc/hosts for local network lookups" Stremler
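The point at the top of the thread that NAT breaks the AH component of IPsec comes down to what the AH integrity check covers. What follows is an added example, not code from the original post or from anyone on the KPLUG thread: it builds a minimal IPv4 + AH (HMAC-SHA1-96) packet, zeroes the mutable IP header fields the way RFC 4302 (section 3.3.3.1) prescribes, and then shows that a router decrementing TTL leaves the ICV valid while a NAT box rewriting the source address does not. The key, addresses, SPI, sequence number and payload are all constructed values for the demonstration.

```python
"""Constructed demonstration of why NAT breaks IPsec AH (not part of the original post)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Assumed example key; a real SA would carry a negotiated key.
AH_KEY = b"example-ah-key-not-for-production"
ICV_LEN = 12            # HMAC-SHA1-96 truncates the MAC to 96 bits (RFC 2404)
AH_FIXED_LEN = 12       # next header, payload len, reserved, SPI, sequence number
IP_HDR_LEN = 20
PROTO_AH, PROTO_UDP = 51, 17


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(ip_hdr: bytes) -> bytes:
    """Return the header with a freshly computed checksum in bytes 10..11."""
    zeroed = ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header carrying AH (protocol 51), DF set, constructed ID."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, PROTO_AH, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return with_checksum(hdr)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields AH treats as mutable (RFC 4302 3.3.3.1): TOS,
    flags/fragment offset, TTL, header checksum. Source and destination
    addresses are immutable and therefore covered by the ICV."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS / DSCP / ECN
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def compute_icv(ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """ICV = HMAC over (immutable IP fields || AH header with ICV zeroed || payload)."""
    ah_zeroed = ah_hdr[:AH_FIXED_LEN] + b"\x00" * ICV_LEN
    mac = hmac.new(AH_KEY, zero_mutable(ip_hdr) + ah_zeroed + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """Sender side: IP header, AH header (next header = UDP), ICV, then payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IP_HDR_LEN + ah_len + len(payload))
    payload_len_field = ah_len // 4 - 2          # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, payload_len_field, 0, spi, seq)
    icv = compute_icv(ip_hdr, ah_fixed + b"\x00" * ICV_LEN, payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(pkt: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr = pkt[:IP_HDR_LEN]
    ah_hdr = pkt[IP_HDR_LEN:IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN]
    payload = pkt[IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(compute_icv(ip_hdr, ah_hdr, payload), ah_hdr[AH_FIXED_LEN:])


def router_hop(pkt: bytes) -> bytes:
    """What every router does: decrement TTL and fix the checksum. AH tolerates this."""
    ip = bytearray(pkt[:IP_HDR_LEN])
    ip[8] -= 1
    return with_checksum(bytes(ip)) + pkt[IP_HDR_LEN:]


def nat_rewrite_src(pkt: bytes, public_src: str) -> bytes:
    """What a NAT box does: rewrite the source address and fix the checksum.
    It holds no AH key, so it cannot produce a matching ICV."""
    ip = bytearray(pkt[:IP_HDR_LEN])
    ip[12:16] = IPv4Address(public_src).packed
    return with_checksum(bytes(ip)) + pkt[IP_HDR_LEN:]


if __name__ == "__main__":
    pkt = build_ah_packet("192.168.1.10", "198.51.100.7", b"constructed UDP payload")
    print("original packet verifies:     ", verify_ah(pkt))                                  # True
    print("after a router hop (TTL-1):   ", verify_ah(router_hop(pkt)))                      # True
    print("after NAT rewrote the source: ", verify_ah(nat_rewrite_src(pkt, "203.0.113.1")))  # False
```

The receiver recomputes the MAC over the addresses it actually sees, so once the NAT box has swapped 192.168.1.10 for its public address the ICV no longer matches and the packet is dropped. A router hop survives because TTL and the checksum are excluded from the calculation. ESP's integrity check starts after the outer IP header, which is why UDP encapsulation for NAT traversal (RFC 3948) is defined for ESP and not for AH.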