Date: Tue, 13 Mar 2001 22:35:12 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Bob Van Valzah" <Bob@Talarian.Com>
Cc: "pW" <packetwhore@stargate.net>, <FreeBSD-Security@FreeBSD.ORG>, <FreeBSD-Questions@FreeBSD.ORG>
Subject: RE: Racoon Problem & Cisco Tunnel
Message-ID: <003d01c0ac50$ec379280$1401a8c0@tedm.placo.com>
In-Reply-To: <3AAE24E6.9080802@Talarian.Com>
Thanks! It's not really a religious war, because there are valid reasons to move to IPv6 and I think it's obvious that ultimately the Internet is going to have to go there. But what the engineers don't understand is that this is a political problem, not a technical problem. They just see it like the Post Office sees it when they need a new zip code. What they always forget is that there are ways to twist the arms of people that are address space hogs that will force those addresses to be upchucked - thus the "imminent shortage" magically disappears for another 6 months until the next person's arm needs to be twisted. And there's an incredible number of arms out there that can be twisted.

Take some of those large corporations, like SquishySoft, that have entire class A's assigned to them, but firewall the entire address space off from the public Internet, and only allow incoming connections to perhaps 100 of them. Would you like to be the CEO of Squishy when the papers start rolling the story of how this company's completely unjustified hanging-on to this block is preventing another 16 million people from being brought onto the Internet?

I agree with you on ISPs needing to hand out public numbers. The ISP I work for hands them out with every account, either work or home, for no extra charge. As long as you know what you're doing when you put together your network it's not a problem for the ISP. I've even been known to cut the occasional /29 subnet to people that had justification for it. I only draw the line at the people that want a dozen numbers in the DSL bridge itself and are too cheap to buy a router. But going beyond a /29 for a small company - that's a different story, and we make people jump through hoops before doing it.
Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

-----Original Message-----
From: Bob Van Valzah [mailto:Bob@Talarian.Com]
Sent: Tuesday, March 13, 2001 5:47 AM
To: Ted Mittelstaedt
Cc: pW; FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel

Ted,

Loved the book--can't wait for the movie!

This is a religious war that's been fought many times before. Since my last answer was too flip, I'll clarify my point of view. IPv4, IPv6, and NAT are all just tools that I have to apply with "business sense." NAT's not inherently evil, nor is IPv6. Their sensibility will change over time and depend upon the application.

If I were shopping for DSL for "my mom," I wouldn't care if she got a public address or not. Reliability and good support (as a "little guy" can more often provide) would be more important. But when I'm shopping for DSL for a work-from-home, multicast protocol stack developer, a public address is a requirement. In fact, it's something I'll pay extra to get. For my business, IPSec is important and hence having at least one public address is important.

My protocol developers have a few LANs at home and we happily use NAT there. I wouldn't pay extra to get enough address space to put public addresses on all their home lab machines. An ISP who won't give me at least one public address is just limiting where I can apply their service. An ISP who gives me one or more public addresses lets me pick the point at which I want to apply NAT.

So in spite of my flip remarks, I hope you can see that I do use NAT--I just put it off to the last minute where it doesn't make business sense to avoid it.
Bob

Ted Mittelstaedt wrote:

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Bob Van Valzah
Sent: Monday, March 12, 2001 8:07 AM
To: pW
Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel

Yes. The five DSL setups with which I'm familiar all grant at least one public address per house. I believe all are static, but one might be dynamic. Interference with protocols like IPSec is one of the reasons why I'd make a public address a requirement when choosing a DSL provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all possible. Let's hasten the deployment of IPv6.

I'd agree with you if everyone that would have to do a renumber of a large network from IPv4 to IPv6 had Vint Cerf's money. When you're retired like him with money coming out your arse-hole you can afford to make irresponsible statements like that.

Unfortunately, what people like him don't understand is that the burden of renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely on people like me - who have thousands of customers and tens of thousands of public IP numbers spread out among all of them - and who don't have the money to support something this audacious. I can almost guarantee that whatever ISP I am working for when this finally happens is going to go out of business; all it's going to do is put thousands of smaller to medium-sized ISPs into bankruptcy and let people like AOL who have money coming out their arse-holes virtually monopolize Internet access in the world.

Until I see the large organizations with Class A's tied up give up those numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6, and most other ISPs that are out there are going to fight it as well. In the meantime I'm pushing all my customers into using NAT.

NAT is here to stay and people that run around calling it an aberration are just proving to the rest of us that they have absolutely no business sense. NAT has proven itself reliable and vital and idiot engineers that design TCP protocols that assume everyone has a public IP number are just architecting their own failures, and their protocol's subsequent minimizing by the market. I have some sympathy for protocols like IPSec that came to be during the same time - but organizational-to-organizational IPSec tunnels don't have to pass through the NAT - they can terminate on it. But anyone doing a new protocol today is a fool if it can't work through a NAT.

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com