Free Republic
Internet 6.0
Technology Review ^ | 7 JAN 2004 | Simson Garfinkel

Posted on 01/14/2004 12:51:49 PM PST by rdb3


1 posted on 01/14/2004 12:51:51 PM PST by rdb3

To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.

Wanna be Penguified? Just holla!

Got root?

2 posted on 01/14/2004 12:52:50 PM PST by rdb3 (Never enough muscle to stop a tertiary hustle.)

To: rdb3
Excellent article! Thanks for posting that.
3 posted on 01/14/2004 1:00:54 PM PST by Prime Choice (Americans are a spiritual people. We're happy to help members of al Qaeda meet God.)

To: rdb3
"But for all of its apparent utility, NAT is really the devil. It’s a Faustian bargain, a technology that appears to answer all of a network engineer’s problems, but ultimately causes long-term troubles that are far more profound than the ones that it purports to solve."

This statement boggles my mind. Will each device have its own security policy settings? Who (or how many administrators) will be authorized to change these settings? How will a security officer ensure that all the security policy settings are in line with the written security policy? Common sense says that the configuration for most devices will be standardized and managed remotely. Thus the benefit over NAT will be unmeasurable, while the risks may multiply.
4 posted on 01/14/2004 1:06:34 PM PST by reed_inthe_wind (I reprogrammed my computer to think existentially, I get the same results only slower)

To: rdb3
Got root?

God, root, what is difference?

-Pitr

d.o.l.

Criminal Number 18F

5 posted on 01/14/2004 1:06:54 PM PST by Criminal Number 18F

To: rdb3
NAT-analogous technology and IPv6 are not intrinsically mutually exclusive.

The cost of routing hardware will continue to inexorably fall.

All the author's arguments against IPv6 are tactical, not strategic. He'll be right over the short to intermediate term, but wrong over the long term.
6 posted on 01/14/2004 1:15:29 PM PST by sourcery (This is your country. This is your country under socialism. Any questions? Just say no to Socialism!)

To: rdb3
A bit of an alarmist article in my opinion, most people won't know or care about the switch from v4 to v6.

Every computer on the Internet needs to have its own Internet address...

Not strictly true, since many computers connect to the internet through address translation. In fact, the reason we haven't run out of addresses and are still using v4 today is because so many computers live behind firewalls without real-world network addresses. Most computers on corporate intranets don't need real world addresses anyway.

NAT is a *good* thing, not the devil that is to be worked around with IPv6 as suggested by the tone of the article. Having a real-world address does have drawbacks. Does anyone who has a cable modem notice how many scans and attacks there are? I have a home/small office router at home that does address translation, and I have yet to be unable to do something on the internet that I want to do. Game-playing, file sharing, chatting, etc., I've had no problems with NAT. In fact, I recommend that people who want to get cable or DSL buy one of the consumer-grade routers. No cracking attempt has yet succeeded in getting through, and believe me, judging from the honey-pot I left out on my DMZ last year, there are plenty of kids on broadband out there looking for unprotected computers.

7 posted on 01/14/2004 1:15:31 PM PST by Liberal Classic (No better friend, no worse enemy.)

To: rdb3
more friendly to peer-to-peer-based copyright violation systems

And this is a good thing. Aside from the legal uses (downloaded a Linux ISO on BitTorrent lately?), it is the P2P phenomenon that pushed the RIAA into now allowing what the consumer wants in the form of online download services, and in the future will probably push them to a more realistic business model.

but IPv4 will not die in the United States—or even in the federal government.

The federal government mandated IPv6 compatibility a long time ago, giving ample time for old equipment to replaced with compatible equipment. They'll be ready when it hits.

8 posted on 01/14/2004 1:23:12 PM PST by antiRepublicrat

To: Liberal Classic
Concur. I plan on maintaining my NAT after implementing IPv6. Too dang many script kiddies wanting to play around out there.
9 posted on 01/14/2004 1:26:15 PM PST by Billthedrill

To: Liberal Classic
No cracking attempt has yet succeeded in getting through, and believe me judging from the honey-pot I left out on my DMZ last year, there are plenty of kids on broadband out there looking for unprotected computers.

My Linksys wireless router is sweet, and for a very low cost. I did the same thing and found I was being positively hammered at times, so now everything just sits behind it and I have no problems. It's also locked down tighter than Hillary's butt.

10 posted on 01/14/2004 1:26:37 PM PST by antiRepublicrat

To: rdb3
The result of this decision made nearly 30 years ago is that the Internet simply cannot handle more than 2^32 or 4,294,967,296 devices. For a variety of technical reasons, the actual number of devices is a lot smaller than that—far closer to 2 billion, in fact.

What has been left out is that due to NAT technologies the demand for IP addresses has actually been rather flat as of late. My office has hundreds of workers who all get on the net, send mail, ftp files, ... Because of VPN and NAT my company has less than 20 IPs we need for the outside world (could be shaved a bit lower than that). A more practical solution to any issues is breaking up the Class A ranges and not letting companies like Apple keep so many real addresses.

11 posted on 01/14/2004 1:33:08 PM PST by N3WBI3

To: Liberal Classic
There was an article I read a few days ago that phrased it well: The Internet was designed as a peer-to-peer network, with all hosts equal and capable of both sharing and receiving information. NAT changes this concept by partitioning us off from the Internet. NAT users are no longer equal peers on the Internet, but are relegated to the role of the consumer. Does this matter? Yes, because the pervasiveness of NAT technology is hindering the development of new technologies and forcing the abandonment of old ones. In 1997, for example, I used a software tool to talk over the Internet in realtime to my sister in Missouri and an old college buddy in Tampa. No long distance bills or telco charges involved. Today, that software no longer works, and there are no modern equivalents that let me "call" directly to their computer. Why? Because both of their ISPs now use NAT on their connections. They are capable of initiating a call to me (my computer still has a fixed IP and a dedicated connection), but I can no longer call them simply because their ISPs didn't have enough IPs to go around. Internet telephony, and any other apps that require a true peered connection, will never catch on while NAT technology remains ubiquitous.

Besides, any security guy will tell you that relying solely on the firewall to protect you is a sure way to get hacked. Hopefully MS and the Unix/Linux developers will figure out a way to make IPSEC policy easier to understand and implement, so that home users won't have to rely on primitive hacks like NAT to protect them.
12 posted on 01/14/2004 1:33:43 PM PST by Arthalion

To: rdb3
The code that lets computers talk on an IPv6-enabled network is now built into the current versions of Windows XP, MacOS, Linux, and many forms of Unix

They just want my 98 second edition to be upgraded. I will hold out until all other avenues are exhausted.

13 posted on 01/14/2004 1:35:47 PM PST by LowOiL (Christian and proud of it !)

To: reed_inthe_wind
NAT is around for the long haul - simply stated it allows for control.

You have to understand that many "Internet" Guys do not see the world from the Local Admin position.

This argument has gone on in our Cisco classes, between Service providers and Admins.
14 posted on 01/14/2004 1:36:48 PM PST by CyberCowboy777 (Any sufficiently advanced technology is indistinguishable from magic.)

To: Arthalion
Not sure what your sister's ISP is doing here; any broadband connection I have ever worked with comes with at least one Internetwork IP. A router is then used to give the local admin, not the ISP, control of what comes in and goes out.

VOIP is here and used in conjunction with NAT all the time.
15 posted on 01/14/2004 1:41:26 PM PST by CyberCowboy777 (Any sufficiently advanced technology is indistinguishable from magic.)

To: LowOiL
They just want my 98 second edition to be upgraded. I will hold out until all other avenues are exhausted.

I felt the same way -- until I bought a new computer that already had XP installed. Now that I've had a chance to use it for several months, I vastly prefer it over 98SE, and look forward to upgrading my other computers.

16 posted on 01/14/2004 1:45:44 PM PST by Ichneumon

To: Arthalion
I would disagree that address translation breaks the design of the internet as a peer to peer network. For one thing, the unassigned blocks of networks (10.X 192.168.X 172.16.1.X) have existed since the beginning of the internet. It was assumed from the beginning that there would be "partitioned" or unrouted networks. Secondly, NAT does not break peer-to-peer for the simple reason that it does not disallow hosts on either side of a translated address from acting as a peer, or client or server for that matter. All it does is re-write addresses, a form of routing. Inbound and outbound ports are preserved so that packets will be routed to the correct hosts. I don't consider address translation an ugly or primitive hack, because headers (packet and email) are re-written all the time. Perhaps the original design of the internet protocol assumed that the address in a header would not be re-written, but that does not mean address translation does not have a useful purpose.

Address translation is not firewalling. I would speculate that your problem with your IP telephone application is a firewalling issue not one of address translation. I know some people who use voice over IP but often higher ports are blocked by firewalls and therefore folks can't talk with each other. Properly configured, address translation (or port translation) users should have no problem using VOIP. This is not a problem due to address translation, this is due to too-restrictive firewall rules. Don't blame address translation. Besides, if an ISP is running out of addresses, then it isn't using them wisely. Good ISPs conserve addresses, careless ISPs who don't are often refused new networks when the time comes for more.

I would agree that address translation is not a replacement for firewalling, and a firewall is not the end all of computer security. Since most home models include features of firewalls and address translators, people who use them are largely protected from the outside, unless of course, they open themselves up to all traffic.
17 posted on 01/14/2004 2:27:00 PM PST by Liberal Classic (No better friend, no worse enemy.)
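The address/port rewriting that posts 12 and 17 argue about, as an added simulation that is not part of any post in this thread: a port-translating NAT (NAPT) of the kind a consumer router does. It records a mapping for each outbound flow so replies find their way back, drops an unsolicited inbound packet (the "I can no longer call them" case from post 12), and shows how a static forward configured by the local admin restores that inbound path (the "properly configured" case from post 17). The addresses, ports and the `Napt` class are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Minimal port-translating NAT, as found in a home/small-office router.

    Inside hosts (RFC 1918 space) share one public address. An outbound
    packet has its source rewritten and the mapping is recorded; an inbound
    packet is delivered only if it matches a recorded mapping or a static
    forward, otherwise it is dropped.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (inside_ip, inside_port) -> public port
        self.back = {}   # public port -> (inside_ip, inside_port)

    def forward(self, public_port, inside_ip, inside_port):
        """Static mapping: lets an unsolicited inbound call reach one inside host."""
        self.back[public_port] = (inside_ip, inside_port)
        self.out[(inside_ip, inside_port)] = public_port

    def outbound(self, pkt):
        """Rewrite source to the public address; allocate a public port per flow."""
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Return the packet rewritten to the inside host, or None if dropped."""
        if pkt.dst != self.public_ip or pkt.dport not in self.back:
            return None
        inside_ip, inside_port = self.back[pkt.dport]
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)
```

Two inside hosts using the same source port get distinct public ports, which is why replies are routed to the right host even though only one public address exists.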

To: rdb3
This is a terrible article, full of factual errors.

For example:

"One transition strategy calls for most computers to simultaneously have both IPv4 and IPv6 addresses. The problem with this approach is that there’s never a good time to have people start deploying systems that are only V6—that’s because somewhere, somebody is going to have a machine that’s V4 only, and they won’t be able to communicate with you."

I guess the author never heard of IETF RFC 2529, dated March 1999 (http://www.ietf.org/rfc/rfc2529.txt)

"Transmission of IPv6 over IPv4 Domains without Explicit Tunnels"

Abstract

This memo specifies the frame format for transmission of IPv6 [IPV6] packets and the method of forming IPv6 link-local addresses over IPv4 domains. It also specifies the content of the Source/Target Link-layer Address option used in the Router Solicitation, Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement and Redirect messages, when those messages are transmitted on an IPv4 multicast network.

The motivation for this method is to allow isolated IPv6 hosts, located on a physical link which has no directly connected IPv6 router, to become fully functional IPv6 hosts by using an IPv4 domain that supports IPv4 multicast as their virtual local link. It uses IPv4 multicast as a "virtual Ethernet".

18 posted on 01/14/2004 9:40:42 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)

To: antiRepublicrat
I hacked my router.

The manufacturer had enabled a tftp server in the router. I downloaded a new OS for my router (the "upgrade" zipfile) and looked at it with the UNIX utility "strings." I found some interesting path names. A little fiddling around with the tftp client, and I was able to pull down the configuration file. Amazingly, it contained the router password in plaintext.

In other words, if the router was used in a shared environment such as a small office, a user could get the password from the router, then login to the web interface and reconfigure the firewall to allow ingress to previously protected hosts, or turn off the WEP key and open up the wireless interface to anyone in the neighborhood, etc.

A little bugging of the manufacturer, and they fixed it.
19 posted on 01/14/2004 9:47:44 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)

To: Billthedrill
I plan on maintaining my NAT after implementing IPv6.

Hell yes I'm keeping NAT even with IPv6. The author can dangle his stuff out into the internet if he wants, I'm keeping mine nice and safe.

I want autonomy over my choice of internal addresses, too. The author is going to end up getting issued new ones from whatever bureaucracy every time he needs to make a change, or moves to a new building.

20 posted on 01/15/2004 7:15:55 AM PST by Britton J Wingfield
