[AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice bloke ; -)

Robert Brockway robert at timetraveller.org
Fri Aug 1 01:33:03 EST 2008


On Sat, 19 Jul 2008, Michael Kratz wrote:

> And, whilst its easy for people to point and say, well, use a firewall.
> The average Joe wouldn't have a clue, nor care, nor understand the
> implications. They'll install "Norton" on their computer and assume
> everything is dandy and they're "protected".

The way I see it the low level consumer devices will just start providing 
default-deny firewalls (which some do anyway) instead of a NAT which is 
turned on by default.   No great leap required.

> Yes of course it's 'bad' to 'rely' on it, but the reality is, outside of
> the tech savvy community, most common folk don't know and don't care.

I dislike the "they don't care" argument as I believe it is based on 
faulty logic.  They want their service to work and they want their private 
documents (eg, tax records) to stay private.  In a very real way they do 
care.  They are ignorant of the risks but that is not the same thing as 
"not caring".

> They just want to plug into the "Internets" and have it work.

That isn't all they want but the requirements are often not verbalised. 
If you ask if someone minds their personal data (tax records, love 
letters, whatever) being posted in public I'm going to go out on a limb 
and say most people would object to this.

> The other issue that comes to mind, is that NAT makes portability for
> small businesses and home users, dead set easy. They don't need to
> renumber their entire LAN every time they shift ISPs if it's behind NAT.

Easy renumbering is a requirement of IPv6 remember :)

Seriously, the size of the IPv6 address space is going to force a few 
changes.  Right now a lot of small organisations don't use DNS internally 
(a terrible practice, but there it is).  Under IPv6 humans will no longer 
have the luxury of remembering many IP addresses and internal DNS is going 
to become essential.

A bit off the track but tying IP addresses into config files is an example 
of what I call lack of "technological maturity"[1].  Arguments can be made 
that plenty of organisations will make mistakes like this out of 
ignorance and there isn't anything we can do about it.  My position is 
that as networks get more complex the luxury to make mistakes like this 
will go away and organisations that don't keep pace with technological 
maturity will suffer the consequences.  To me this isn't about a 
theoretical "best practice" but rather about practical necessity.  So 
organisations that can't easily renumber internally may well end up with 
problems that can't be solved by a simple NAT at the border.

Cheers,

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
 	-- RFC 1925 "The Twelve Networking Truths"
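A concrete shape for the "default-deny firewall instead of NAT" that Rob describes at the top of the post, added here as an illustration and not taken from the post or from any vendor's firmware: a stateful nftables ruleset for a small IPv6 router that drops unsolicited inbound traffic to LAN hosts while still passing the ICMPv6 messages IPv6 cannot function without. The interface names lan0 and wan0 and the management ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the AusNOG post). Default-deny IPv6 policy for a
# CPE/home router. Interface names lan0/wan0 are assumed placeholders.
flush ruleset

table inet cpe {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The router itself needs ICMPv6 for neighbour discovery and router
        # advertisements; a "drop everything" rule that also drops ICMPv6
        # silently breaks IPv6 on the link (see RFC 4890 for the rationale).
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, nd-router-solicit,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept
        # DHCPv6 replies from the upstream side arrive on UDP 546
        iifname "wan0" udp dport 546 accept
        # Management of the router is reachable from the LAN side only
        iifname "lan0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Unsolicited inbound connections to LAN hosts die here. This is the
        # protection people attribute to NAT, with no address rewriting and
        # no renumbering penalty when the upstream prefix changes.
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
        # Path MTU discovery and error reporting must pass in both directions
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem
        } accept
    }
}
```

Loading this with `nft -f` and then listing it with `nft list ruleset` confirms the two chains carry `policy drop`; a quick check from outside that a new TCP connection to a LAN host times out while an outbound one from the LAN succeeds verifies the stateful behaviour.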
