On Tue, 2 Oct 2007 23:20:54 -0400 "William Herrin" <herrin-nanog@dirtside.com> wrote:
On 10/2/07, Randy Bush <randy@psg.com> wrote:
During early phase of free pool exhaustion, when you can't deliver more IPv4 addresses to your customers you lose the customer to a hosting provider who still has addresses left. So sorry. Those will be some nasty years. Unless you're Cogent, Level3 or one of the others sitting pretty on a /8. They'll be in phat city.
this is a very real and significant problem. a very small fraction of the arin membership holds the vast majority of the address space. it would be interesting to ask arin to give us the cdf of this.
<snip>
I'd love to have an Internet where all firewalls were packet filters. But that's not my call. That's the call of hundreds of thousands of network security officers who have NAT written in stone at the core of their security process. Tying NAT's abandonment to IPv6's deployment won't change their minds but it will doom IPv6.
The value of network perimeterisation as a security measure, of which NAT is a method, is being questioned significantly by network security people. The obvious example of why it is being questioned is when the CEO brings their laptop inside the "gooey" centre, bypassing the "hard shell" corporate firewalling/NAT box, and infecting all the devices on the corporate network with the malware they've caught from their home broadband connection. "The de-perimeterization solution Solution While traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of * encryption * inherently-secure computer protocols * inherently-secure computer systems * data-level authentication" http://www.opengroup.org/jericho/ Having found out about this project, I spoke to a friend of mine in the local state government (around 10 000+ public servants) i.e. not a big one, not a prominent one, and not likely to be a early adopter of different IT security models. They're moving to this model in the very near future, because they have to.
So if more addresses was "thoroughly mitigated by NAT", when were these problems that NAT creates fixed? http://www.cs.utk.edu/~moore/what-nats-break.html
Many of those never were meaningful problems and most of the rest have been obsoleted by the changing reality of network security on the Internet. Things like controlling the source port meant something once upon a time, but they have no place in a modern security infrastructure. That would be true with or without NAT.
The -real- problems with NAT can be summed up in two statements:
1. NAT makes it more difficult to engage in certain popular activities that strictly speaking are against the TOS.
2. NAT makes logging and accountability more difficult.
Regards, Bill Herrin
-- William D. Herrin herrin@dirtside.com bill@herrin.us 3005 Crane Dr. Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
-- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"