----- Original Message -----
From: "Matthew Palmer" <mpalmer@hezmatt.org>

> You're thinking too small -- it's not that individual TCP connections have problems, it's that the ability to solve a given problem using connections and UDP packets is badly constrained by a lack of end-to-end connectivity. The proof is fairly obvious in the number of hacks that have been deployed to try and get around NAT's inadequacies: Skype supernodes, STUN, all the various conntrack helpers in netfilters, etc etc etc.

At last, some meat. :-)

> Now, if you decide that none of those applications are important to you, sure, you can firewall them off as appropriate. But the pervasive deployment of NAT means that the set of problems that can be solved is constrained, and of the problems that *can* be solved, the solutions tend to be more complicated, harder to implement, understand, and so on, which has a cost to the community (higher prices, fewer solved problems, whatever your desired metric may be). I think that's what Blake is getting at with his TotC.

Perhaps. I'm not sure that the collective importance of that difficulty outweighs the collective danger of making all nodes of the Internet *as it presently exists* publicly routable. I don't know whether it's occurred to people that if you make every node on the present-day Internet routable, then *you've made every node on the present-day Internet routable*; the number of machines subject to more or less direct attack goes up (by a jackleg estimate I've just now made up) by between 3 and 5 orders of magnitude. I make jackleg estimates all the time; I don't believe I've ever had to say "5 orders of magnitude".

> Of course, I'm a tiny bit of a skeptic, as I really can't see how a stateful firewall can know which other connections / packets are related without a lot of the same dodgy shenanigans that go on now, but at least if you've gotten rid of the 1-to-N address mangling a fundamental stumbling block is removed and people can get on and solve the remaining (tractable) problems.

That is problematic as well, isn't it? It speaks directly to the attack-surface comment I just made in another reply. I'm going to bed now, which will reduce the number of replies the "aw crap, is he really going to beat this dead horse again?" crowd will have to skip. :-)

Cheers,
-- jra