From owner-freebsd-security Tue Mar 13 5:47:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.whitebarn.com (Spin.whitebarn.com [216.0.13.113]) by hub.freebsd.org (Postfix) with ESMTP id E8C3237B72D; Tue, 13 Mar 2001 05:47:35 -0800 (PST) (envelope-from Bob@Talarian.Com)
Received: from Talarian.Com (Relent.Bob.whitebarn.com [216.0.13.50]) by smtp.whitebarn.com (8.9.3/8.9.3) with ESMTP id HAA38781; Tue, 13 Mar 2001 07:47:19 -0600 (CST) (envelope-from Bob@Talarian.Com)
Message-ID: <3AAE24E6.9080802@Talarian.Com>
Date: Tue, 13 Mar 2001 07:47:18 -0600
From: Bob Van Valzah
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12 i386; en-US; 0.8) Gecko/20010215
X-Accept-Language: en
MIME-Version: 1.0
To: Ted Mittelstaedt
Cc: pW, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel
References: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ted,

Loved the book--can't wait for the movie!

This is a religious war that's been fought many times before. Since my last answer was too flip, I'll clarify my point of view. IPv4, IPv6, and NAT are all just tools that I have to apply with "business sense." NAT's not inherently evil, nor is IPv6. Their sensibility will change over time and depend upon the application.

If I were shopping for DSL for "my mom," I wouldn't care if she got a public address or not. Reliability and good support (as a "little guy" can more often provide) would be more important.

But when I'm shopping for DSL for a work-from-home, multicast protocol stack developer, a public address is a requirement. In fact, it's something I'll pay extra to get. For my business, IPSec is important and hence having at least one public address is important.

My protocol developers have a few LANs at home and we happily use NAT there. I wouldn't pay extra to get enough address space to put public addresses on all their home lab machines.

An ISP who won't give me at least one public address is just limiting where I can apply their service. An ISP who gives me one or more public addresses lets me pick the point at which I want to apply NAT.

So in spite of my flip remarks, I hope you can see that I do use NAT--I just put it off to the last minute where it doesn't make business sense to avoid it.

   Bob

Ted Mittelstaedt wrote:
>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
>> Sent: Monday, March 12, 2001 8:07 AM
>> To: pW
>> Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
>> Subject: Re: Racoon Problem & Cisco Tunnel
>>
>>
>> Yes. The five DSL setups with which I'm familiar all grant at least one
>> public address per house. I believe all are static, but one might be
>> dynamic. Interference with protocols like IPSec is one of the reasons
>> why I'd make a public address a requirement when choosing a DSL
>> provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
>> possible. Let's hasten the deployment of IPv6.
>>
>
> I'd agree with you if everyone that would have to do a renumber of a
> large network from IPv4 to IPv6 had Vint Cerf's money. When you're retired
> like him with money coming out your arse-hole you can afford to make
> irresponsible statements like that.
>
> Unfortunately, what people like him don't understand is that the burden of
> renumbering the fabric of the Internet from IPv4 to IPv6 will fall largely
> on people like me - who have thousands of customers and tens of thousands of
> public IP numbers spread out among all of them - and who don't have the
> money to support something this audacious. I can almost guarantee that
> whatever ISP that I am working for when this finally happens is going to go
> out of business, all it's going to do is put thousands of smaller to
> medium-sized ISPs into bankruptcy and let people like AOL who have money
> coming out their arse-holes virtually monopolize Internet access in the
> world.
>
> Until I see the large organizations with Class A's tied up, give up those
> numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
> and most other ISPs that are out there are going to fight it as well. In
> the meantime I'm pushing all my customers into using NAT. NAT is here to
> stay and people that run around calling it an aberration are just proving to
> the rest of us that they have absolutely no business sense.
>
> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market. I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it. But, anyone
> doing a new protocol today is a fool if it can't work through a NAT.
>
>
>
> Ted Mittelstaedt tedm@toybox.placo.com
> Author of: The FreeBSD Corporate Networker's Guide
> Book website: http://www.freebsd-corp-net-guide.com
>
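The "interference with protocols like IPSec" that Bob mentions, and Ted's point that an organisation-to-organisation tunnel can terminate on the NAT box instead of passing through it, come down to what each IPsec protocol authenticates. The following Python model is an added illustration, not code from this thread or from racoon: it computes an AH-style integrity check (which covers the IP source and destination addresses) and an ESP tunnel-mode check (which covers only the encapsulated inner packet), then pushes both through a simulated source NAT. The key, the addresses and the `Packet` structure are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

# Constructed demo key. In a real IPsec SA the integrity key comes from IKE
# (racoon, in this thread's setup); it is hard-coded here only so the example runs offline.
KEY = b"constructed-demo-integrity-key"

PROTO_AH = 51   # IP protocol number for Authentication Header
PROTO_ESP = 50  # IP protocol number for Encapsulating Security Payload


@dataclass(frozen=True)
class Packet:
    src: str        # outer source address, dotted quad
    dst: str        # outer destination address, dotted quad
    proto: int      # IP protocol number carried after the IP header
    payload: bytes  # what follows the IP header
    icv: bytes      # integrity check value computed by the sender


def ip_header_immutable(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with the fields AH treats as mutable
    (TOS, flags, TTL, header checksum) zeroed, so that only the immutable
    fields, addresses included, enter the integrity computation."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 0, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def ah_protect(src: str, dst: str, payload: bytes) -> Packet:
    """AH-style protection: the ICV covers the immutable IP header fields
    (source and destination address among them) plus the payload."""
    covered = ip_header_immutable(src, dst, PROTO_AH, len(payload)) + payload
    return Packet(src, dst, PROTO_AH, payload,
                  hmac.new(KEY, covered, hashlib.sha256).digest())


def ah_verify(pkt: Packet) -> bool:
    """Receiver recomputes the ICV over the header it actually received."""
    covered = ip_header_immutable(pkt.src, pkt.dst, PROTO_AH, len(pkt.payload)) + pkt.payload
    return hmac.compare_digest(pkt.icv, hmac.new(KEY, covered, hashlib.sha256).digest())


def esp_tunnel_protect(outer_src: str, outer_dst: str, inner_packet: bytes) -> Packet:
    """ESP tunnel-mode protection: the ICV covers the encapsulated inner packet
    only; the outer IP header is deliberately left unauthenticated."""
    return Packet(outer_src, outer_dst, PROTO_ESP, inner_packet,
                  hmac.new(KEY, inner_packet, hashlib.sha256).digest())


def esp_tunnel_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, hmac.new(KEY, pkt.payload, hashlib.sha256).digest())


def nat_rewrite_source(pkt: Packet, public_src: str) -> Packet:
    """What a source NAT on the home gateway does to the outer header: rewrite
    the source address (a real NAT also fixes the IP header checksum, not
    modelled here). It has no key, so it cannot recompute the ICV."""
    return replace(pkt, src=public_src)


def demo() -> dict:
    """Send one AH packet and one ESP tunnel packet through the same NAT and
    report which still verifies at the far end."""
    home_lan_host = "192.168.1.10"  # constructed private address behind the NAT
    nat_public = "203.0.113.7"      # constructed public address of the NAT box
    remote_gw = "198.51.100.20"     # constructed remote tunnel endpoint

    # Constructed inner packet for the tunnel: private host talking to a
    # private host on the other site, carried whole inside ESP.
    inner = ip_header_immutable(home_lan_host, "10.9.9.9", 6, 4) + b"data"

    ah = ah_protect(home_lan_host, remote_gw, b"data")
    esp = esp_tunnel_protect(home_lan_host, remote_gw, inner)

    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, nat_public)),
        "esp_tunnel_before_nat": esp_tunnel_verify(esp),
        "esp_tunnel_after_nat": esp_tunnel_verify(nat_rewrite_source(esp, nat_public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'verifies' if ok else 'FAILS integrity check'}")
```

AH fails after the rewrite because the receiver authenticates the address the NAT changed; ESP tunnel mode survives because only the inner packet is authenticated. Two caveats the model leaves out: ESP in transport mode still breaks for TCP and UDP payloads, since their checksums cover the addresses in the pseudo-header, and ESP carries no port numbers, so a port-overloading NAT cannot demultiplex several ESP sessions from different hosts behind it. UDP encapsulation of ESP (RFC 3948) was standardised to deal with that second problem; terminating the tunnel on the NAT box, as Ted describes, sidesteps both.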
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message