[AusNOG] IPv4 Exhaustion
Geoff Huston
gih at apnic.net
Fri Aug 1 14:17:45 EST 2008
After a decade of progressive NAT deployment, about the only applications
still doing the address in the payload thing are the brain dead dinosaurs. I
suspect that the list beings and ends with ftp these days, because if
you do it today your novel application is just going to be fatally broken and
will never manage to achieve any form of critical mass in broad use.
Which makes this form of "NATs break apps" argument no more than
an amusing furphy as the list of apps in that category appears to be
less than 2.
This entire "no more NATs" argument for IPv6 is one that is based more
in misguided nostalgia than true requirement, because if the net was ever
going to break with NATs it would've done so long before today.
It would've been far far better if this entire sales effort for IPv6
had stuck to the facts from the outset, instead of venturing into
what at times has been excessive hype and emotive nonsense, but thats
now pretty much water under the bridge. Like it or not, we
are now faced with what looks like a decade of dual stack transition,
and making IPv4 last for another decade is going to have to make NATs
sing and dance to levels that are far far more intense and far broader
than today if we want to head towards IPv6 as the foundation of the
Internet.
And if you want us to head into the realm of application level relays
instead, then thats a future that simply spins us back to the 1980's,
in which case those of us who are after some future for the Internet
are pretty much stuffed, as that future really is the Death of the
Internet (tm).
So if it is to be a choice, then choose carefully.
Chris Chaundy wrote:
> It’s a while since I’ve had to deal with this, but as I understand it,
> there are protocols that embed addressing and port information in
> payloads which need to be fiddled if there is/are NAT(s) in the path.
> If the extended address space offered by IPv6 allows us to escape from
> the NAT ‘functionality’ (and we just have firewall security), then there
> is no need for any fiddling.
>
>
>
> Of course, as Macca pointed out, proxying will probably be the way
> things will go for most applications in the future anyway.
>
>
>
> -----Original Message-----
> *From:* Matthew Moyle-Croft [mailto:mmc at internode.com.au]
> *Sent:* Friday, 1 August 2008 11:07 AM
> *To:* Chris Chaundy
> *Cc:* ausnog at ausnog.net
> *Subject:* Re: [AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice
> bloke ; -)
>
>
>
> Stateful firewalls (the solution touted as required for CPE) still
> appear to require an understanding of the protocols going through them
> - to understand the "state" of a protocol and what connections
> can/should be opened up.
>
>
>
> Remind me then how the protocol tweaking will decline?
>
>
>
> MMC
>
>
>
>
>
> On 01/08/2008, at 10:08 AM, Chris Chaundy wrote:
>
>
>
> A further comment on this topic - I agree entire on the comments
> regarding accessibility versus addressability. One of the problems with
> NAT is all the tweaking needed for some protocols that 'break the rules'
> as far as layering of protocols go by embedding information about lower
> layers in higher layers which leads to complexity which inevitably leads
> to bugs.
>
> While IPv6 is may problematic for some of these protocols, it is a
> problem that will have to be solved, and once solved, NAT (and the
> tweaking) will no longer be necessary when we have sufficient address
> space (well in the perfect world anyway :-). Long live the KISS
> principle...
>
> -----Original Message-----
> From: ausnog-bounces at ausnog.net <mailto:ausnog-bounces at ausnog.net>
> [mailto:ausnog-bounces at ausnog.net] On
> Behalf Of Mark Newton
> Sent: Friday, 1 August 2008 8:51 AM
> To: Robert Brockway
> Cc: ausnog at ausnog.net <mailto:ausnog at ausnog.net>
> Subject: Re: [AusNOG] IPv4 Exhaustion, APNIC EC, and James is a nice
> bloke ;-)
>
>
> On 01/08/2008, at 1:11 AM, Robert Brockway wrote:
>
>
>
>> Please excuse me if I'm wrong but it seems like you are equating
>>
>> 'publically accessible' to 'publically addressable'. They need not
>>
>> be the
>>
>> same thing as per earlier parts of the thread.
>>
>
> There's a certain amount of cross-purposes discussion going on here.
>
> I don't think anyone is equating the two issues in the way you've
> described. It might be useful for you to assume that those in this
> thread who have taken a contrary view have a full and complete
> understanding of the problem and simply disagree with you.
>
> Let me expand on it just slightly, by way of illustration.
>
> Lets say you have some firewall code in your CPE. That's something
> that controls "accessibility."
>
> And lets also say you have some NAT code in your CPE. That's something
> that controls "addressability."
>
> Flows passing through the CPE are NAT'ed (re-addressed), and also
> passed through the firewall. That seems to be the typical way that
> most CPE works; Whether you're talking about a Cisco or a Billion,
> the stateful inspection configuration stanzas and internal code paths
> are different beasts.
>
> Now -- Lets assume you're using cheap and nasty CPE that has
> firmware that's of, shall we say, variable quality.
>
> If the firewall is buggy, it'll incorrectly block some traffic and
> incorrectly pass other traffic. The one Bevan is worried about is
> incorrectly passing traffic to his fridge -- i.e., making an
> incorrect decision about whether his fridge should be accessible.
>
> Separately:
>
> If the NAT code is buggy, it'll incorrectly translate inside
> addresses to outside addresses. The degenerate, almost inevitable
> case is that devices on the "inside" won't have an network access
> due to NAT bugs.
>
> Now consider each facility being present or not present individually,
> and consider the failure modes.
>
> In the presence of bugs on a device that has NAT and no firewall,
> devices inside your network won't have network access.
>
> In the presence of bugs on a device that has a firewall and no
> NAT, incorrect decisions regarding accessibility will be made and
> Bevan's fridge will conceivably be reachable from the outside.
>
> In the presence of bugs on a device that has a firewall and NAT,
> incorrect decisions regarding accessibility won't matter very
> much because nothing on the inside is addressable, or, consequently,
> reachable; and NAT failures will -still- cause devices inside
> your network to not have network access.
>
> So -- although NAT != security, what NAT *does* do is make your
> firewall fail-safe. The preference in the event of a bug when
> NAT is present is to deny access. The preference in the event of
> a bug without NAT is to either incorrectly permit or incorrectly
> deny, depending on the bug. NAT is, therefore, a net gain, and
> a marginal improvement on the quality of the security provided
> by the solution.
>
> Now, I'm not emotionally attached to NAT, and I don't think its
> inevitable culling in an IPv6 world represents a huge problem. But
> I think you're making a mistake by suggesting that taking away
> NAT makes no difference because protecting the network is the firewall's
> job. We don't live in an ideal world, and some CPE firmware is so
> badly tested that it won't even boot, so I don't think you can trust
> the firewall. So what does that leave you with?
>
>
> I would not allow my
>
>> appliances to be publically accessible but I'm fine with them being
>>
>> publically addressable.
>>
>
> What about when your firewall is buggy? Is it ok then?
>
>
> - mark
>
> --
> Mark Newton Email:
> newton at internode.com.au <mailto:newton at internode.com.au>
> (W)
> Network Engineer Email:
> newton at atdot.dotat.org <mailto:newton at atdot.dotat.org> (H)
> Internode Systems Pty Ltd Desk: +61-8-82282999
> "Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223
>
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net <mailto:AusNOG at ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
> --
> Matthew Moyle-Croft Internode/Agile Peering and Core Networks
> Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
> Email: mmc at internode.com.au <mailto:mmc at internode.com.au>
> Web: http://www.on.net <http://www.on.net/>
> Direct: +61-8-8228-2909 Mobile:
> +61-419-900-366
> Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
More information about the AusNOG
mailing list