On Thu, 22 Apr 2010 07:18:18 -0400 William Herrin <bill@herrin.us> wrote:
On Wed, Apr 21, 2010 at 11:31 PM, Owen DeLong <owen@delong.com> wrote:
On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:
William Herrin wrote:
Not to take issue with either statement in particular, but I think there needs to be some consideration of what "fail" means.
Fail means that an inexperienced admin drops a router in place of the firewall to work around a priority problem while the senior engineer is on vacation. With NAT protecting unroutable addresses, that failure mode fails closed.
In addition to fail-closed NAT also means:
* search engines and and connectivity providers cannot (easily) differentiate and/or monitor your internal hosts, and
Right, because nobody has figured out Javascript and Cookies.
Having worked for comScore, I can tell you that having a fixed address in the lower 64 bits would make their jobs oh so much easier. Cookies and javascript are of very limited utility.
On the other hand, I could swear I've seen a draft where the PC picks up random unused addresses in the lower 64 for each new outbound connection for anonymity purposes. Even if there is no such draft, it wouldn't exactly be hard to implement. It won't take NAT to anonymize the PCs on a LAN with IPv6.
Might be this - "Transient addressing for related processes: Improved firewalling by using IPv6 and multiple addresses per host." by Peter M. Gleitz and Steven M. Bellovin (i.e. the Steven Bellovin who shows up on this list quite often) http://www.cs.columbia.edu/~smb/papers/tarp.pdf
* multiple routes do not have to be announced or otherwise accommodated by internal re-addressing.
I fail to see how NAT even affects this in a properly structured network.
That's your failure, not Roger's. As delivered, IPv6 is capable of dynamically assigning addresses from multiple subnets to a PC, but that's where the support for multiple-PA multihoming stops. PCs don't do so well at using more than one of those addresses at a time for outbound connections. As a number of vendors have done with IPv4, an IPv6 NAT box at the network border can spread outbound connections between multiply addressed upstream links.
On Thu, Apr 22, 2010 at 2:10 AM, Franck Martin <franck@genius.com> wrote:
http://www.ipinc.net/IPv4.GIF The energy that people are willing to spend to fix it (NAT, LSN), rather than bite the bullet is amazing.
A friend of mine drives a 1976 Cadillac El Dorado. I asked him why once. He explained that even at 8 miles to the gallon and even after having to find 1970's parts for it, he can't get anything close to as luxurious a car from the more modern offerings at anything close to the comparatively small amount of money he spends.
The thing has plush leather seats that feel like sinking in to a comfy couch and an engine with more horsepower than my mustang gt. It isn't hard to see his point.
Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004