From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "James Wyatt"
Cc: "Bob Van Valzah", "pW"
Delivered-To: freebsd-security@freebsd.org
Subject: RE: Racoon Problem & Cisco Tunnel
Date: Tue, 13 Mar 2001 08:58:14 -0800

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of James Wyatt
>
>NAT is a tool and you can hurt yourself with it or do useful things with
>it, not an aberration or silver-bullet. Folks with fast hosts or small
>amounts of traffic and simple needs love it - especially home broadband
>users. There is a trade-off for many router users though: a) just change
>the header when NAT-ting, or b) correct the packet checksums and lose your
>ASIC efficiency and kill your shared-CPU. NAT can also make peer-to-peer
>networking for groups of workstations across NAT barriers difficult if you
>have to chew up static IPs from what I can tell.
>
>Many large corporations like GE Corp have huge RFC networks internally.
>If you ever have to make an internal Frame Relay link between them behind
>their public firewalls, you will learn new words for describing RFC
>networking limitations. "Oh &$*^^%! Our router thinks their Chicago server
>is on the same LAN segment as our Fort Worth server, but with a different
>netmask.

So what? Different netmasks create different subnets. It's perfectly fine
to have 2 different subnets on the same segment.

Now, if you're using the word "segment" to mean something other than a
physical segment, but rather to mean "subnet", then your statement is
impossible. If both systems have different netmasks (and not the same IP
addresses, of course) then it's impossible for them to be on the same
subnet. Same physical segment, yes, but not the same subnet.

> Which of us should renumber our servers?

Neither. Sites that are geographically distant should be on separate
subnets.

>
>When IPv4 was designed, everyone could have had their own number. It was
>done a *long* time ago, and did not envision "The Internet Explosion".
>Everyone else has just followed the specs so things interoperated. If
>those "idiot engineers" hadn't done that, you wouldn't have equipment
>coming out your "*rse-h*le" today. (^_^)
>

The engineers that designed all that weren't idiots - as they emphasized
interoperability. If someone had come along back then and said "Let's
throw away the IPv4 scheme and replace it with IPv6 because we might run
out of numbers in the future" those engineers would have squashed that on
the interoperability altar.

>btw: If you stopped saying everyone else (including Vint Cerf, however
>misguided or misquoted) is an idiot fewer folks might miss your otherwise
>valid points.

I'm not. I'm saying that people that insist the problem is we haven't all
switched over to IPv6 are idiots. I'm also saying that engineers that sit
down TODAY at a blank drawing board, AFTER NAT IS A REALITY, and design
TCP/IP protocols that are incompatible with it are idiots.
The majority of Internet engineers are NOT in this group. There's a vocal
minority that is and are currently engaged in running around and telling
the majority that we are doing it wrong by using NAT.

>If I get it: "NAT works and IPv6 is still a *long* way off
>for many very strong commercial realities." I gotta mostly agree with
>that, but NAT has a price as well.
>

Any connectivity solution has a price. NAT's price is cheaper than the
price of renumbering the entire Internet to IPv6 and it will remain so
until we truly are out of numbers, not just dealing with an artificial
shortage. Sorry, but engineers that ignore this fiscal reality are idiot
dreamers in my opinion.

>I hate fudging checksums because, while they only cause a little more
>coding for script kiddies making fake- or poison-packet generators, they
>also help ENet reliability. There are more things hurting packets than
>just collisions.
>
>If the world ever decides to jump to IPv6, all the server folks have to
>renumber as well. How is this all supposed to happen without massive
>outages and downtime? - Jy@
>

The IPv6 crowd is trying to frame the question as "It's not whether or not
we are going to switch, it's when". I'm interested to see your framing the
question as "It's not when we are going to switch to IPv6, it's IF".

I'm not even saying that. All I'm saying is that there is a tremendous
amount that can be done to extend the lifetime of the current
infrastructure, that includes NAT, extracting large public blocks from
corporations that don't use them publicly, and many other things. I'm
saying that it's likely that in our lifetimes the Internet will NOT be
switched over to IPv6. But, I'm not saying that it will NEVER be.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:                            The FreeBSD Corporate Networker's Guide
Book website:                         http://www.freebsd-corp-net-guide.com
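Added example, not part of the thread or written by either poster: it demonstrates the checksum trade-off James raises (option a: just rewrite the address field; option b: also recompute checksums). Because the TCP checksum covers a pseudo-header containing the IP addresses, a NAT box that only patches the source address leaves both the IP header checksum and the TCP checksum invalid, which is why a receiver (or a verifying firewall) would discard the packet. The packet, addresses and ports below are constructed sample data.

```python
import socket
import struct

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN header + payload."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # The TCP checksum covers a pseudo-header (src, dst, zero, proto, length) plus the segment,
    # so it depends on the IP addresses even though they are not in the TCP header itself.
    pseudo = s + d + struct.pack("!BBH", 0, 6, 20 + len(payload))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp + payload)) + tcp[18:]
    return ip + tcp + payload

def verify(pkt: bytes) -> tuple:
    """Return (ip_checksum_ok, tcp_checksum_ok); assumes IHL=5 and no trailer bytes."""
    ip, seg = pkt[:20], pkt[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return (_csum(ip) == 0, _csum(pseudo + seg) == 0)

def nat_rewrite_source(pkt: bytes, new_src: str, fix_checksums: bool) -> bytes:
    """Source NAT. fix_checksums=False only patches the address field (option a);
    True also recomputes the IP header and TCP checksums (option b)."""
    ip, seg = bytearray(pkt[:20]), bytearray(pkt[20:])
    ip[12:16] = socket.inet_aton(new_src)
    if fix_checksums:
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", _csum(bytes(ip)))
        seg[16:18] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(seg))
        seg[16:18] = struct.pack("!H", _csum(pseudo + bytes(seg)))
    return bytes(ip) + bytes(seg)
```

Running verify() on the naive rewrite returns (False, False), on the full rewrite (True, True); the same pseudo-header dependency is why port rewriting and IPv4 NAT traversal of embedded-address protocols need per-packet checksum work.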