China unveils next generation Internet

Mark T. Ganzer ganzer at san.rr.com
Thu Dec 30 09:30:29 PST 2004 

NAT is EVIL!! It breaks WAY too many things (ex: the AH component of
IPsec). An IP network consists of many more protocols than just TCP and
UDP (check out your /etc/protocols file sometime). Simple port forwarding
may work with simple TCP and UDP apps, but doesn't work with a number of
of applications (VoIP, H.323, IPsec ESP). These apps have to have a proxy
or firewall that is intelligent enough to understand the app and know how
to re-write and process the header - even simple an app as basic as FTP
requires the firewall to "sniff" the control channel in order to determine
how to re-write the data channel packets. While all this may work in your
little SOHO environment, it doesn't scale well at all into large networks.

-Mark Ganzer

> begin  quoting Tracy R Reed as of Wed, Dec 29, 2004 at 09:04:21PM -0800:
>> On Wed, Dec 29, 2004 at 07:25:27PM -0800, Stewart Stremler spake thusly:
>> > NAT and DHCP seem to take care of most of the IP-shortage issue, since
>> > *most* people neither want nor should use a publically-accessible IP
>> > address.
>>
>> I think we have discussed this before.
>
> Yup. :)
>
>>                                        May as well give them routable
>> IP's
>> and a firewall device that only lets connections go out.
>
> Er, that's backwards. If you're going to give 'em a firewall device that
> only allows outgoing connections, you might as well use NAT.
>
> That's like saying "They don't really need a dual-processor system with
> a gigabyte of RAM, so we'll just disable one of the processors and three
> quarters of the RAM."
>
>>                                                          That way they
>> can
>> allow connections in should they ever want to. VOIP is one of many
>> protocols that you can't just forward a port for.
>
> So forward by protocol.
>
> Really, one of the really cools things about TCP/UDP is the "port" idea
> (which is widely rejected by the web-loving generation that thinks
> everything should be over port 80 anyway) that _lets_ stuff like port
> forwarding thru a NAT box work.
>
>> > "Only us freaks want globally routable static ip addresses"
>>
>> Most people do, they just don't realize it yet.
>
> Don't buy it. You might as well say that most people want to dump
> the x86 architecture, but they just don't realize it yet.  :)
>
> Seriously, IPv6 has a lot going for it, but it all but *requires* a
> working DNS setup, as the addresses aren't easily memorizable.  This
> makes a home network that much more complicated, so the firewall
> widget *also* becomes a local DNS server. . .
>
> I'm not a big fan of complexity.
>
> Plus, the shortage of IP addresses has become a sky-is-falling problem,
> as we have been doomed for so long, and we haven't hit the wall yet. A
> sort of boy-cried-wolf attitude has set in (at least here in the states)
> because the prophets of doom did their job and got someone to do something
> about the problem (DHCP and NAT).  That may have been a bad thing, in
> the long run, but it's one of those situations where "good enough" worked.
>
> I see /large/ installations having a use for IPv6, but not the average
> person.  And with 6to4, the need for the Internet to go IPv6 is very
> small, especially if ip address blocks are being "given back" (like
> stanford did in, what, 2000?).
>
> Should I ever get a 6to4 capable firewall/router, I'd probably _not_
> adopt the "use your MAC address" convention, but encode the local
> (NAT'd) IPv4 address instead.
>
> -Stewart "Still using /etc/hosts for local network lookups" Stremler
>
> --
>   http://www.kernel-panic.org
>   list archives http://www.kernel-panic.org/cgi-bin/ezmlm-cgi?4
>   To unsubscribe, send a message to the address shown in the
> list-unsubscribe
>   header of this message.
>
>

More information about the KPLUG-List mailing list