> John Calcote wrote:
> I'll just jump in here for a second and mention also that vendors
> offer what they have to, not what they can. They want to provide
> the most "bang for the buck", so to speak. These companies don't
> offer the multiple-static-ip-address option today because most
> ISP's don't offer it to home users and home (SOHO) users represent
> the target market. That said, they *would* offer these features
> if SOHO users were constantly frustrated about the fact that they
> can't make use of the multiple static addresses that their ISP
> provides them because of limitations in their router equipment...

Exactly. As I said many times: vendors sell what the market wants to buy, and IETFers do not make the market.

John,

> John C Klensin wrote:
> "spreading disinformation" is a rather strong claim; not
> one I would choose to make without actually examining the
> devices and their manuals, not just the marketing
> descriptions you cite below.

I have personally configured non-NAT on at least a dozen different boxes of this kind.

> At least part of the problem are some constraints that,
> as a simplification, I didn't mention.

I can see that now, but your original text said nothing.

> The two most recent ISPs I've dealt with personally, and two
> more I've dealt with on behalf of friends I was trying to set
> up, all insist on owning control of the front-end CPE
> "modem"/"router" equipment. They do not permit (by Ts&Cs,
> password control, etc.) the customer to reconfigure that
> equipment to, e.g., operate it in bridge mode.

Common issue; then ask the ISP to reconfigure it in bridge mode themselves. If the contract says you get public IPs, this means these IPs are available for your hosts, not for their router. I never had an ISP refuse to do this; it's quite easy at time of installation to call the sales droid and tell it that if they don't configure their stuff to deliver your public addresses on the LAN side they can stick it. Sales droid wants his commission, sales droid talks to the techs.

Other method: spend $20 on eBay for a DSL "modem/router" that you have control of. It is not illegal to swap their modem for yours, and if you ever have to call their support (you know, the guys that ask for half an hour if the power is on and if the lights are green), just plug their modem back in for the duration of the troubleshooting and then put yours back when done. For this very reason I kept the Alcatel ADSL modem that PacBell sold me 7 years ago although I have used at least 4 different ones.

FYI, in the latest AT&T (formerly SBC, formerly Pacific Bell) ADSL self-install kits that they ship, the password to admin the NAT box is on a sticker underneath the box. Before, techies still knew that it was the MAC address or the serial number of the box. They actually want you to try to configure the box, mess it up, and send you a tech and bill $200 to fix it. Also, they were tired of people clogging their support to ask how to make this or that work. New method: if it does not work, see your software vendor. ISPs that survive and grow provide what their customers ask for, and admin access to the CPE device to open ports is one of these demands.

> The number of static addresses available or in use is
> quite small, typically a /28 or even a /29.

In my experience, a /29 is good enough for a typical home and a /28 for a typical small office. If you need more you fall into the medium business category and allegedly have the $$$ that go with it.

> Finally, I need a device with the ability
> to specify port priorities

Your requirements are way beyond the typical user's. If you have requirements that represent 1% of the demand, you will not be able to use the canned solution that fits the masses. Possibly not for technical reasons but for business reasons: vendors might think that if you have such requirements you have the money to pay for them (which is partially justified by higher support costs). If you don't find what you need in el-cheapo mass-produced consumer stuff, it's not because vendors are trying to screw you but because your business does not represent enough money for them to take action.

> and to supply some firewall capability.

There is no cheap firewall solution unless you call "firewall" what comes with a $20 NAT box.

> In the case of the Linksys device, the documentation is
> fairly clear that the address space on the WAN-side
> needed to be disjoint from the address space on the LAN-side.

This is the case also for many others, even "high-end" ones such as the Cisco PIX firewall (last time I checked). Your requirements are different from the masses'; you have to use the box that fits your requirements. The fact that very few firewalls support bridging is simply due to the lack of demand.

> A solution to this is that either the ISP-supplied CPE
> or the internal router device operate in bridge mode.

Indeed, and I do acknowledge that many firewalls do not, which I found myself to be a pain. But you still have two avenues:

1. A router/firewall that bridges. Besides the SonicWalls, the D-Link DFL-600 has a non-NAT DMZ capability; I think that the Netgear FVX538 and the Trendnet TW100-BRV304 do the same but have never used them.

2. A CPE device that bridges and has good enough firewall capabilities. There are many you could also use; pick the one that fits. Also, (for ADSL) consider a Cisco 857 (less than $300). Never configured one without NAT, but the IOS subset is decent.

> It is that "bridge" mode that is critical. As I indicated
> above, neither the Linksys nor the Netgear devices provide
> it.

Because they are not CPE devices. What's the purpose of a NAT box if you don't use NAT?

> running the ISP's interface device in bridge mode,
> which many (although perhaps not all) ISPs prohibit

You're not talking to the right person at your ISP. Or you need to switch ISPs.

> Iljitsch van Beijnum wrote:
> This sounds a lot like "NAT doesn't really break anything".

For 95% of the users, and for users that are behind a firewall, especially a stateful one, where things might be broken before they reach NAT anyway.

> If I pretend I'm a regular user for a minute, I can tell
> you this is not the case. When I used NAT for my PowerBook

PowerBook: 2% of the market. You are not what I call a regular user. Vendors are not going to double the dev and support cost of a $25 NAT box to support everything man ever invented. Macs just don't have enough of a market share to be on the radar of the el-cheapo NAT box.

> Given the market place realities the IETF should be careful to
> make its protocols interoperate with NAT whenever possible, but
> don't think for a minute that adding NAT workarounds solves the
> problem completely.

I don't.

> Here in the Netherlands ISPs generally give out a single real IP
> address to their customers, but most customers use a DSL or
> cable modem with NAT or an additional NAT router or wireless base
> station so they can connect more than one computer. Despite some
> individual reports to the contrary, I believe the same is true for
> most IP users.

So do I. At least in Europe and North America.

> However, some ISPs already perform NAT for their customers in
> their network, and that's only going to increase as IPv4 addresses
> become more scarce and eventually run out completely.

In some countries.

> At that point, many people will be behind two layers of NAT.

Predictable. Works to check email and surf the web; more difficult to host services.

> Also, reserving ports will be very hard because many systems
> share one real IP address. Maybe it's just me, but I don't see
> the IETF or anyone else for that matter coming up with something
> that allows communication between two people who are both behind
> two layers of NAT with any modicum of reliability.

Matter of money once again: pay 5 bucks a month to have your public IP, or pay nothing to have 16 ports forwarded to your private IP behind NAT. When configuring apps you just have to use these 16 ports instead of picking randomly in the high range. It's an el-cheapo crap solution but would still deliver enough for 95% of the demand. Frankly, half of my relatives would not need more than this.

> So in addition to supporting NAT where reasonably possible, the
> IETF should also continue to plan for a future where there is
> enough address space to make NAT unnecessary. However, universal
> reachability isn't coming back even if NAT is out of the picture
> because people love to run firewalls that break way more stuff
> than intended.

Which is partly why there are few non-NAT firewalls: the firewall already breaks mostly the same things NAT does, which makes NAT a lot less inconvenient than it would be alone. No market, as people who can deal with a firewall can likely deal with NAT at the same time.

Michel.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
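Editor's added example (not code from the thread or from any product it names): a toy model of the "16 ports forwarded to your private IP behind ISP NAT" arrangement Michel describes, with the subscriber's own NAT box as the second layer. The fixed per-subscriber port set, the 1024 starting port, and every address and port number are assumptions constructed for illustration; the point it shows is that an application published from behind two NAT layers must be reachable on one of the subscriber's allotted ports at both layers, that a port outside the set is simply refused, and that outbound flows draw from the same small set.

```python
"""Toy model of one public IPv4 address shared by many subscribers behind two NAT layers."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

Mapping = Tuple[IPv4Address, int]  # (inside address, inside port)

@dataclass
class PortSetNAT:
    """NAT owning one outside address; each inside host gets a fixed port range."""
    outside_ip: IPv4Address
    ports_per_host: int
    first_port: int = 1024  # assumption: keep well-known ports out of every set
    port_sets: Dict[IPv4Address, range] = field(default_factory=dict)
    static: Dict[int, Mapping] = field(default_factory=dict)   # reserved inbound forwards
    dynamic: Dict[int, Mapping] = field(default_factory=dict)  # outbound flows

    def attach(self, inside_ip: IPv4Address) -> range:
        """Hand out the next free port set; fails once the address is fully shared."""
        start = self.first_port + len(self.port_sets) * self.ports_per_host
        stop = start + self.ports_per_host
        if stop > 65536:
            raise RuntimeError("outside address exhausted")
        self.port_sets[inside_ip] = range(start, stop)
        return self.port_sets[inside_ip]

    def forward(self, inside_ip: IPv4Address, outside_port: int, inside_port: int) -> None:
        """Reserve one of the host's own ports for an inbound service."""
        if outside_port not in self.port_sets[inside_ip]:
            raise PermissionError(f"port {outside_port} is not in the set of {inside_ip}")
        if outside_port in self.static or outside_port in self.dynamic:
            raise ValueError(f"port {outside_port} is already mapped")
        self.static[outside_port] = (inside_ip, inside_port)

    def outbound(self, inside_ip: IPv4Address, inside_port: int) -> int:
        """Take a free port from the host's set for a new outbound flow."""
        for port in self.port_sets[inside_ip]:
            if port not in self.static and port not in self.dynamic:
                self.dynamic[port] = (inside_ip, inside_port)
                return port
        raise RuntimeError(f"{inside_ip} has used all {self.ports_per_host} ports")

    def inbound(self, outside_port: int) -> Optional[Mapping]:
        """Where a packet to outside_ip:outside_port goes; None means it is dropped."""
        return self.static.get(outside_port) or self.dynamic.get(outside_port)

def reach(isp: PortSetNAT, home: PortSetNAT, public_port: int) -> Optional[str]:
    """Follow a packet through both NAT layers; returns 'ip:port' of the final target."""
    hop = isp.inbound(public_port)
    if hop is None:
        return None
    cpe_ip, cpe_port = hop
    if cpe_ip != home.outside_ip:  # lands on another subscriber's CPE
        return f"{cpe_ip}:{cpe_port}"
    lan = home.inbound(cpe_port)
    return None if lan is None else f"{lan[0]}:{lan[1]}"

def demo() -> dict:
    """Constructed scenario: two subscribers share 198.51.100.7, A runs its own NAT box."""
    isp = PortSetNAT(IPv4Address("198.51.100.7"), ports_per_host=16)
    cpe_a = IPv4Address("100.64.0.10")  # subscriber A's CPE, ISP-private side
    cpe_b = IPv4Address("100.64.0.11")  # a neighbour on the same public address
    set_a = isp.attach(cpe_a)           # ports 1024..1039
    set_b = isp.attach(cpe_b)           # ports 1040..1055

    home = PortSetNAT(cpe_a, ports_per_host=65536 - 1024)  # A's box: one LAN host, all ports
    lan_host = IPv4Address("192.168.1.20")
    home.attach(lan_host)

    # A hosts SSH on the LAN box: sshd can still listen on 22 inside, but the public
    # port has to be one of A's 16, and both layers must forward it.
    isp.forward(cpe_a, set_a[0], set_a[0])  # 198.51.100.7:1024 -> 100.64.0.10:1024
    home.forward(lan_host, set_a[0], 22)    # 100.64.0.10:1024  -> 192.168.1.20:22
    isp.forward(cpe_b, set_b[0], 80)        # the neighbour publishes a web server

    try:  # the "pick a random high port" habit no longer works
        isp.forward(cpe_a, 2222, 2222)
        stray = "accepted"
    except PermissionError:
        stray = "refused"
    unsolicited = reach(isp, home, set_a[5])  # nothing mapped there yet

    for i in range(15):  # A's outbound flows consume the same 16 ports
        isp.outbound(cpe_a, 40000 + i)
    try:
        isp.outbound(cpe_a, 40100)
        exhausted = False
    except RuntimeError:
        exhausted = True

    return {
        "set_a": (set_a.start, set_a.stop - 1),
        "ssh_reachable_at": reach(isp, home, set_a[0]),
        "port_2222": stray,
        "unsolicited_port": unsolicited,
        "neighbour_port": reach(isp, home, set_b[0]),
        "outbound_exhausted": exhausted,
    }
```

Running `demo()` shows the shape of the compromise: SSH is reachable at 198.51.100.7:1024, the habitual 2222 is refused at the ISP layer, a port in the set with no mapping is dropped, the neighbour's port lands on the neighbour's CPE, and one reserved port plus 15 outbound connections exhaust the set, which is why both a reserved port and the application's own configuration have to agree on one of the 16.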