RE: Stupid NAT tricks and how to stop them.

> John Calcote wrote:
> I'll just jump in here for a second and mention also that vendors
> offer what they have to, not what they can. They want to provide
> the most "bang for the buck", so to speak. These companies don't
> offer the multiple-static-ip-address option today because most
> ISP's don't offer it to home users and home (SOHO) users represent
> the target market. That said, they *would* offer these features
> if SOHO users were constantly frustrated about the fact that they
> can't make use of the multiple static addresses that their ISP
> provides them because of limitations in their router equipment...

Exactly. As I said many times: vendors sell what the market wants to
buy, and IETFers do not make the market.


John,

> John C Klensin wrote:
> "spreading disinformation" is a rather strong claim; not
> one I would choose to make without actually examining the
> devices and their manuals, not just the marketing
> descriptions you cite below.

I have personally configured non-NAT on at least a dozen different of
these boxes.

> At least part of the problem are some constraints that,
> as a simplification, I didn't mention.

I can see that now, but your original text said nothing.


> The two most recent ISPs I've dealt with personally, and two
> more I've dealt with on behalf of friends I was trying to set
> up, all insist on owning control of the front-end CPE
> "modem"/"router" equipment. They do not permit (by Ts&Cs,
> password control, etc.) the customer to reconfigure that
> equipment to, e.g., operate it in bridge mode.

Common issue; then ask the ISP to reconfigure it in bridge mode
themselves. If the contract says you get public IPs, this means these IPs
are available for your hosts, not for their router. I never had an ISP
refuse to do this; it's quite easy at time of installation to call the
sales droid and tell it that if they don't configure their stuff to
deliver your public addresses on the LAN side they can stick it. Sales
droid wants his commission, sales droid talks to the techs.

Other method: spend $20 on eBay for a DSL "modem/router" that you have
control of. It is not illegal to swap their modem for yours, and if you
ever have to call their support (you know, the guys that ask for 1/2
hour if the power is on and if the lights are green) just plug their
modem back for the time of troubleshooting and then put yours back when
done. For this very reason I kept the Alcatel aDSL modem that PacBell
sold me 7 years ago, although I have used at least 4 different ones.

FYI, in the latest AT&T (formerly SBC, formerly Pacific Bell) aDSL
self-install kits that they ship, the password to admin the NAT box is
on a sticker underneath the box. Before, techies still knew that it was
the MAC address or the serial number of the box. They actually want you
to try to configure the box, mess it up, and send you a tech and bill
$200 to fix it. Also, they were tired of people clogging their support
to ask how to make this or that work. New method: if it does not work,
see your software vendor.

ISPs that survive and grow provide what their customers ask for, and
admin access to the CPE device to open ports is one of these demands.


> The number of static addresses available or in use is
> quite small, typically a /28 or even a /29.

In my experience, /29 is good enough for a typical home and /28 for a
typical small office. If you need more you fall into the medium business
category and allegedly have the $$$ that go with it.


> Finally, I need a device with the ability
> to specify port priorities

Your requirements are way beyond those of the typical user. If you have
requirements that represent 1% of the demand, you will not be able to
use the canned solution that fits the masses. Possibly not because of
technical reasons but for business reasons: vendors might think that if
you have such requirements you have the money to pay for them (which is
partially justified by higher support costs). If you don't find what you
need in el-cheapo mass-produced consumer stuff, it's not because vendors
are trying to screw you but because your business does not represent
enough money for them to take action.


> and to supply some firewall capability.

There is no cheap firewall solution unless you call "firewall" what
comes with a $20 NAT box.


> In the case of the Linksys device, the documentation is
> fairly clear that the address space on the WAN-side
> needed to be disjoint from the address space on the LAN-side.

This is also the case for many others, even "high-end" ones such as the
Cisco PIX firewall (last time I checked). Your requirements are
different from those of the masses; you have to use the box that fits your
requirements. The fact that very few firewalls support bridging is
simply due to the lack of demand.


> A solution to this is that either the ISP-supplied CPE
> or the internal router device operate in bridge mode.

Indeed, and I do acknowledge that many firewalls do not, which I have found
myself to be a pain. But you still have two avenues:

1. A router/firewall that bridges. Besides the SonicWalls, the D-Link
DFL-600 has a non-NAT DMZ capability; I think that the Netgear FVX538
and the Trendnet TW100-BRV304 do the same but have never used them.

2. A CPE device that bridges and has good enough firewall capabilities.
There are many you could use; pick the one that fits. Also (for
aDSL), consider a Cisco 857 (less than $300). I have never configured one
without NAT, but the IOS subset is decent.


> It is that "bridge" mode that is critical. As I indicated
> above, neither the Linksys nor the Netgear devices provide
> it.

Because they are not CPE devices. What's the purpose of a NAT box if you
don't use NAT?


> running the ISP's interface device in bridge mode,
> which many (although perhaps not all) ISPs prohibit

You're not talking to the right person at your ISP. Or you need to
switch ISPs.
 

> Iljitsch van Beijnum wrote:
> This sounds a lot like "NAT doesn't really break anything".

For 95% of the users, and for users that are behind a firewall, especially
a stateful one, where things might be broken before they reach NAT
anyway.


> If I pretend I'm a regular user for a minute, I can tell
> you this is not the case. When I used NAT for my Powerbook

Powerbook: 2% of the market. You are not what I call a regular user.
Vendors are not going to double the dev and support cost of a $25 NAT
box to support everything man ever invented. Macs just don't have enough
of a market share to be on the radar of the el-cheapo NAT box.


> Given the market place realities the IETF should be careful to
> make its protocols interoperate with NAT whenever possible, but
> don't think for a minute that adding NAT workarounds solves the
> problem completely.

I don't.


> Here in the Netherlands ISPs generally give out a single real IP
> address to their customers, but most customers use a DSL or
> cable modem with NAT or an additional NAT router or wireless base
> station so they can connect more than one computer. Despite some
> individual reports to the contrary, I believe the same is true for
> most IP users.

So do I. At least in Europe and North America.


> However, some ISPs already perform NAT for their customers in
> their network, and that's only going to increase as IPv4 addresses
> become more scarce and eventually run out completely.

In some countries.


> At that point, many people will be behind two layers of NAT.

Predictable. Works to check email and surf the web; more difficult to
host services.

> Also, reserving ports will be very hard because many systems
> share one real IP address. Maybe it's just me, but I don't see
> the IETF or anyone else for that matter coming up with something
> that allows communication between two people who are both behind
> two layers of NAT with any modicum of reliability.

Matter of money once again: pay 5 bucks a month to have your public IP,
or pay nothing to have 16 ports forwarded to your private IP behind NAT.
When configuring apps you just have to use these 16 ports instead of
picking randomly in the high range. It's an el-cheapo crap solution, but
it would still deliver enough for 95% of the demand. Frankly, half of my
relatives would not need more than this.


> So in addition to supporting NAT where reasonably possible, the
> IETF should also continue to plan for a future where there is
> enough address space to make NAT unnecessary. However, universal
> reachability isn't coming back even if NAT is out of the picture
> because people love to run firewalls that break way more stuff
> than intended.

Which is partly why there are few non-NAT firewalls: the firewall
already breaks mostly the same things NAT does, which makes NAT a lot
less inconvenient than NAT alone. No market, as people who can deal with a
firewall can likely deal with NAT at the same time.

Michel.


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf