Date:      Tue, 13 Mar 2001 07:47:18 -0600
From:      Bob Van Valzah <Bob@Talarian.Com>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        pW <packetwhore@stargate.net>, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject:   Re: Racoon Problem & Cisco Tunnel
Message-ID:  <3AAE24E6.9080802@Talarian.Com>
References:  <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>



Ted, Loved the book--can't wait for the movie!

This is a religious war that's been fought many times before. Since my 
last answer was too flip, I'll clarify my point of view. IPv4, IPv6, and 
NAT are all just tools that I have to apply with "business sense." NAT's 
not inherently evil, nor is IPv6. Their sensibility will change over 
time and depend upon the application.

If I were shopping for DSL for "my mom," I wouldn't care if she got a 
public address or not. Reliability and good support (as a "little guy" 
can more often provide) would be more important.

But when I'm shopping for DSL for a work-from-home, multicast protocol 
stack developer, a public address is a requirement. In fact, it's 
something I'll pay extra to get. For my business, IPSec is important and 
hence having at least one public address is important.

My protocol developers have a few LANs at home and we happily use NAT 
there. I wouldn't pay extra to get enough address space to put public 
addresses on all their home lab machines.

An ISP who won't give me at least one public address is just limiting 
where I can apply their service. An ISP who gives me one or more public 
addresses lets me pick the point at which I want to apply NAT.

So in spite of my flip remarks, I hope you can see that I do use NAT--I 
just put it off to the last minute where it doesn't make business sense 
to avoid it.

   Bob

Ted Mittelstaedt wrote:

>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
>> Sent: Monday, March 12, 2001 8:07 AM
>> To: pW
>> Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
>> Subject: Re: Racoon Problem & Cisco Tunnel
>> 
>> 
>> Yes. The five DSL setups with which I'm familiar all grant at least one
>> public address per house. I believe all are static, but one might be
>> dynamic. Interference with protocols like IPSec is one of the reasons
>> why I'd make a public address a requirement when choosing a DSL
>> provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
>> possible. Let's hasten the deployment of IPv6.
>> 
> 
> I'd agree with you if everyone that would have to do a renumber of a
> large network from IPv4 to IPv6 had Vint Cerf's money.  When you're retired
> like him with money coming out your arse-hole you can afford to make
> irresponsible statements like that.
> 
> Unfortunately, what people like him don't understand is that the burden of
> renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely
> on people like me - who have thousands of customers and tens of thousands of
> public IP numbers spread out among all of them - and who don't have the
> money to support something this audacious.  I can almost guarantee that
> whatever ISP that I am working for when this finally happens is going to go
> out of business, all it's going to do is put thousands of smaller to
> medium-sized ISP's into bankruptcy and let people like AOL who have money
> coming out their arse-holes virtually monopolize Internet access in the
> world.
> 
> Until I see the large organizations with Class A's tied up, give up those
> numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
> and most other ISP's that are out there are going to fight it as well.  In
> the meantime I'm pushing all my customers into using NAT.  NAT is here to
> stay and people that run around calling it an aberration are just proving to
> the rest of us that they have absolutely no business sense.
> 
> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market.  I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it.  But, anyone
> doing a new protocol today is a fool if it can't work through a NAT.
> 
> 
> 
> Ted Mittelstaedt                      tedm@toybox.placo.com
> Author of:          The FreeBSD Corporate Networker's Guide
> Book website:         http://www.freebsd-corp-net-guide.com
> 
> 
> 




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AAE24E6.9080802>