RE: myth of the great transition (was US Defense Department formally adopts IPv6)

Noel,
 
You are getting too cerebral.  We can look at the marketing info on the box of a NAT product to see what people think they are getting:
 
1) Instant Internet Sharing for cable and DSL ....
2) Firewall Security against ...  USING NAT technology.
3) Simultaneous Internet Access for up to NNN PCs
4) 4 port 10/100 switch
5) Built in print server ...
 
 
It really doesn't matter what you think wrt the firewall security of NATs.   People think they are getting additional security.   Here is a common sequence we see: 1) person puts on a software firewall solution on their PC, 2) their solution then continually inundates the user with warnings due to all the scanning going on, 3) they get a NAT based on security recommendations from PC magazines, CNET, ZD, etc., it is a trivial install of a now < $50 device,  4) the warnings are significantly reduced, 5) customer feels they have done something about their vulnerability, probably akin to installing a deadbolt lock into a wooden door frame (sure, a crowbar will go right through it like butter).
 
regards, peterf
 
P.S. NATng - its time has come!
 


From: owner-ietf@ietf.org on behalf of J. Noel Chiappa
Sent: Thu 6/19/2003 4:49 AM
To: ietf@ietf.org
Cc: jnc@ginger.lcs.mit.edu
Subject: Re: myth of the great transition (was US Defense Department formally adopts IPv6)

    > From: Bob Braden <braden@ISI.EDU>

    > Today, one must unfortunately question whether universal connectivity
    > can be sustained (or is even the right goal) in a networking
    > environment without universal trust. Maybe NATs are, in fact, a result
    > of a very deep problem with our architecture.

My take is that NATs respond to several flaws in the IPv4 architecture:

- 1) Not enough addresses - this being the one that brought them into
        existence.
- 1a) Local allocation of addresses - a variant of the preceding one, but
        subtly different; NATs do allow you to allocate more addresses
        locally without going back to a central number allocation authority,
        which is very convenient.
- 2) Easy renumbering when switching ISPs - a benefit that only was realized
        later in time, but a significant one all the same - especially for
        those people who reckon that switching addresses is a really painful
        undertaking.

I don't really believe the rationale that they are useful as a firewall. For
one thing, most NAT boxes include a real firewall (i.e. packet filtering
separate from the NAT functionality). I think that even if we had plenty of
addresses, people would still install boxes with firewall functionality at
the edges of their networks.

Which gets to your original point - "whether universal connectivity .. is
even the right goal .. in a networking environment without universal trust".
Which is an interesting and complex point, but I think one we can put off to
a separate discussion, because I think it's unrelated to the reasons that NAT
boxes have been a success. (It's also good to put it off because including it
will muddy the discussion water.)


    > If you accept that, then there is no point in attacking NATs until you
    > can propose a better architectural solution to the trust problem
    > (hopefully, there will be one!)

Well, not so much the trust problem, because I don't think that's what drove
NAT. But your basic point is a good one.

I think that if you look at the points I listed above, the market has clearly
decided that IPv4+NAT (for all its problems, with which people are I'm sure
reasonably familiar, given the many years NAT has been in service widely) is
the most cost-effective solution to providing them. The IETF really needs to
sit and ponder the implications of that.

        Noel
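Both messages turn on the same mechanism: a NAT box drops an unsolicited inbound packet only because it has no translation-table entry for it, which is the "reduced warnings" Peter describes, while the "real firewall" Noel refers to is a separate stateful filter that also checks who the packet is from. The following toy model is an added illustration of that distinction, not code from either author or from any product; it is a constructed simulation in which the NAT is assumed to be full-cone (once an inside host has opened a mapping, any outside host may send to it), and the addresses (`203.0.113.5`, `192.168.1.10`, `192.0.2.80`, `198.51.100.9`) and port numbers are made up for the example.

```python
"""Constructed model: NAPT translation table vs. a separate stateful filter.

Not a real NAT implementation; it exists only to show why an inbound scan
is dropped by a bare NAT, and why that is not the same as a firewall.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatBox:
    public_ip: str
    # True adds the "real firewall": inbound traffic to a mapping is allowed
    # only from a peer the inside host has already sent to.
    stateful_filter: bool = False
    next_port: int = 40000
    # public port -> (private ip, private port)
    mappings: dict = field(default_factory=dict)
    # public port -> set of (remote ip, remote port) seen on outbound packets
    peers: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, allocating a mapping if needed."""
        inside = (pkt.src_ip, pkt.src_port)
        pub_port = next((p for p, i in self.mappings.items() if i == inside), None)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.mappings[pub_port] = inside
            self.peers[pub_port] = set()
        self.peers[pub_port].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means it was dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.mappings.get(pkt.dst_port)
        if inside is None:
            # No mapping: this is the only thing a bare NAT "blocks", and it is
            # a side effect of having nowhere to deliver the packet.
            return None
        if self.stateful_filter and (pkt.src_ip, pkt.src_port) not in self.peers[pkt.dst_port]:
            # Mapping exists, but this sender is not the peer the inside host
            # talked to: only the separate stateful filter catches this.
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo(stateful_filter: bool) -> dict:
    """Run the three cases from the discussion and return what got through."""
    nat = NatBox("203.0.113.5", stateful_filter=stateful_filter)
    # 1) Unsolicited scan of port 80 on the public address, before any outbound traffic.
    scan = nat.inbound(Packet("198.51.100.9", 5555, "203.0.113.5", 80))
    # 2) Inside host opens a connection to a web server, and the server replies.
    out = nat.outbound(Packet("192.168.1.10", 51000, "192.0.2.80", 80))
    reply = nat.inbound(Packet("192.0.2.80", 80, out.src_ip, out.src_port))
    # 3) A third party probes the public port that the mapping just allocated.
    probe = nat.inbound(Packet("198.51.100.9", 5555, out.src_ip, out.src_port))
    return {"scan": scan, "reply": reply, "probe": probe}


if __name__ == "__main__":
    for mode in (False, True):
        result = demo(mode)
        print(f"stateful_filter={mode}: scan -> {result['scan']}, "
              f"reply -> {result['reply']}, probe -> {result['probe']}")
```

With `stateful_filter=False` the scan is dropped and the reply is delivered, which is the behaviour that quiets a desktop firewall's warnings, but the third-party probe of the allocated port is also delivered; only the separate stateful filter turns that probe away, which is the packet-filtering function Noel distinguishes from NAT itself.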

