On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard <Lee@asgard.org> wrote:
On 1/17/13 9:54 AM, "William Herrin" <bill@herrin.us> wrote:
On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vives@gmail.com> wrote:
The people on this list have an influence on how the Internet runs; I hope somebody smart can figure out how we can avoid going there, because it is frustrating and unfun.
"Free network-based firewall to be installed next month. OPT OUT HERE if you don't want it."
I haven't heard anyone talking about carrier-grade firewalls. To make CGN work a little, you have to enable full-cone NAT, which means as long as you're connected to anything on IPv4, anyone can reach you (and for a timeout period after that). And most CGN wireline deployments will have some kind of bulk port assignment, so the same ports always go to the same users. NAT != security, and if you try to make it, you will lose more customers than I predicted.
Hi Lee,

Then it's a firewall that mildly enhances protection by obstructing 90% of the port scanning attacks which happen against your computer. It's a free country so you're welcome to believe that the presence or absence of NAT has no impact on the probability of a given machine being compromised. Of course, you're also welcome to join the flat earth society. As for me, the causative relationship between the rise of the "DSL router" implementing negligible security except NAT and the fall of port scanning as a credible attack vector seems blatant enough.
It's not a hard problem. There are yet plenty of IPv4 addresses to go around for all the people who actually care whether or not they're behind a NAT.
I doubt that very much, and look forward to your analysis supporting that statement.
If you have the data I'll be happy to crunch it but I'm afraid I'll have to leave the data collection to someone who is paid to do that very exhaustive work. Nevertheless, I'll be happy to document my assumptions and show you where they lead. I assume that fewer than 1 in 10 eyeballs would find Internet service behind a NAT unsatisfactory. Eyeballs are the consumers of content, the modem, cable modem, residential DSL customers. Some few of them are running game servers, web servers, etc. but 9 in 10 are the email, vonage and netflix variety who are basically not impacted by NAT. I assume that 75% or more of the IPv4 addresses which are employed in any use (not sitting idle) are employed by eyeball customers. Verizon Wireless has - remind me - how many /8's compared to, say, Google? If you count from the explosion of interest in the Internet in 1995 to now, it took 18 years to consume all the IPv4 addresses. Call it consumption of 1/18th of the address space per year.
From my assumption, 25% of the addresses are consumed by non-eyeball customers who will continue consuming them at 1/(18*4)= 1/72 of the address space per year. Assuming that server ops still need that many addresses when acquiring them is not so close to free.
From my assumptions 75% * 0.9 = 67.5% of the addresses are currently consumed by eyeball customers who can convert to NAT. Match the previous paragraph's math at 49/72's of the address space recoverable at some cost that while not trivial is also not exorbitant.
Eyeballs were consuming at (1*3)/(18*4) = 3/72's per year, but if only 1 in 10 needs a global address that slows to 3/720's. 13/720's per year consumes 490/720's after 37 years. 37 years.

So, where am I wrong? Is it more like 1 in 5 customers would cough up an extra $5 rather than use a NAT address? The nearest comparable would be your ratio of dynamic to static IP assignments. Does your data support that being higher than 1 in 10? I'd bet the broad data sets don't. Is the current use pattern more like 50/50 between server users and eyeball users? That'd cut things closer to a decade and a half, but what data I've glanced at from CAIDA, ARIN and the like doesn't seem to support a belief that eyeballs aren't the major direct user of IPv4 addresses. Perhaps consumption is accelerating, but a lot of that has been low-key hoarding during the past 5 years or so. Even with accelerating consumption we're still looking at a couple decades before we have to really scrape for IPv4 addresses.

Perhaps I fouled the math itself. I've been known to miscarry a 1. All the same, the sky doesn't seem to be falling.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
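The back-of-envelope model in the last message, written out as a small Python function so the three scenarios Bill poses (his posted assumptions, 1 in 5 eyeballs insisting on a global address, and a 50/50 server/eyeball split) can be recomputed exactly. This is an added illustration, not code from the thread; the function name and its parameters are my own, and the inputs are the assumptions stated in the message.

```python
from fractions import Fraction

# Hypothetical model reproducing the estimate in the message above (not the
# poster's own code). Every input fraction is an assumption taken from the text.

def years_until_scrape(eyeball_share, eyeball_needs_global, years_to_exhaust=18):
    """Years the IPv4 space lasts once NAT-tolerant eyeballs hand back addresses.

    eyeball_share        : fraction of in-use addresses held by eyeball customers
    eyeball_needs_global : fraction of eyeballs who still require a global address
    years_to_exhaust     : years it took to consume the whole space (1995 to 2013)
    Returns an exact Fraction so the arithmetic can be checked step by step.
    """
    eyeball_share = Fraction(eyeball_share)
    eyeball_needs_global = Fraction(eyeball_needs_global)
    total_rate = Fraction(1, years_to_exhaust)       # share of the space used per year
    # Non-eyeball (server) consumption continues at its historical pace.
    server_rate = (1 - eyeball_share) * total_rate
    # Eyeball consumption shrinks to the slice that refuses NAT.
    eyeball_rate = eyeball_share * eyeball_needs_global * total_rate
    # Addresses recoverable from eyeballs willing to sit behind NAT.
    recoverable = eyeball_share * (1 - eyeball_needs_global)
    return recoverable / (server_rate + eyeball_rate)

# Constructed scenarios, each taken from a question in the message.
SCENARIOS = {
    "as posted (75% eyeballs, 1 in 10 need global)": ("3/4", "1/10"),
    "1 in 5 eyeballs pay for a global address":      ("3/4", "1/5"),
    "50/50 split between servers and eyeballs":      ("1/2", "1/10"),
}

if __name__ == "__main__":
    for label, (share, needs) in SCENARIOS.items():
        years = years_until_scrape(share, needs)
        print(f"{label}: {float(years):.1f} years ({years})")
```

The posted assumptions give 486/13, about 37.4 years, and the 50/50 split gives 162/11, about 14.7 years, matching the "decade and a half" in the message.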