Re: [opensuse] Moving to IPv6
  • From: "Brian K. White" <brian@xxxxxxxxx>
  • Date: Fri, 10 Sep 2010 10:30:39 -0400
  • Message-id: <4C8A410F.5010709@xxxxxxxxx>
On 9/10/2010 8:37 AM, Anton Aylward wrote:
> Per Jessen said the following on 09/10/2010 02:23 AM:
>> James Knott wrote:
>>
>>> Anders Johansson wrote:
>>>> Maybe you're not really listening to yourself, but that is exactly
>>>> what you're saying. "With IPv6, I don't have to open up multiple
>>>> ports in the firewall to get to internal machines, everything is
>>>> directly available".
>>>
>>> I suspect you're misreading something. Our point is that with NAT,
>>> when you want to access multiple computers with the same protocol, you
>>> have to resort to non-standard ports or ssh relaying.
>>
>> And _that_ is the crux of "NAT is broken in a number of ways"? James, I
>> guess it's a matter of wording, but to me the above doesn't mean broken,
>> at worst it's a very slight disadvantage.
>
> Indeed. From the application programmer's POV it's just another API
> parameter.
>
> Like I started out saying, I think that NAT, despite rumours of "being
> broken in a number of ways", works remarkably well.
>
> It fulfils the objectives of RFC1918 for devices that do not need unfettered
> peer-to-peer access across the 'Net very well. As a number of us have
> pointed out, for SMBs local access dominates.

Per, I'm replying to your post but this isn't meant to sound directed at you personally. Every instance of "you" below is figurative.

If you don't believe your smb needs anything nat breaks, it just means you don't understand what you're talking about. Luckily, other people in key positions do and have seen to it that ipv6 got invented and then implemented in all the major hardware and software by now. You think they did all that for the fun of it? You think it maybe makes anyone a bunch of money? It costs everyone. MS didn't sell more copies of Windows because they added ipv6. Cisco didn't sell more routers because they added ipv6. They all knew there was simply no choice. But somehow, for you, miraculously, it's not necessary? What else that breaks things for everyone else but works for you don't you care about? Does your car suck down gas at 6 miles per gallon? Are your refrigerator and air conditioners and heaters all nice sturdy reliable indestructible 1950's models that work great for you, while burning enough power/fuel to run 3x as many modern units? How many houses go cold to support yours because "it works for you"? Do you smoke and talk on cell phones in restaurants? Do you park diagonally across two parking spaces just so no one can park close enough to risk scratching your car? Did you print a fake handicap tag so you can always park right in front of every door? So convenient! I'm guessing no to all of the above. No one here seems to be anything like that sort of jerk, at least about things they understand. Try to understand that this is somewhat like that.

Also, there is no such distinction as "good for admins" vs "good for users": that which is good for the providers of goods or services IS good for the end consumers. The reverse is equally true. How can you possibly think these two things are in any way disconnected? If I can't deliver you a service or application feature, or can only do a crappy, limited, inefficient, and worst of all unreliable job of it, how is that "good for users"?

By insisting on using NAT in situations where it's not actually required you shoot yourself in the foot, because developers cannot then develop the cool new things that NAT makes impossible. Whole classes of things are just impossible if it's known that lots of nat is going on in general between any two machines. Sure, there are places where nat might still be useful, but THOSE situations are the exotic, contrived ones, not the other way around. It was a useful hack for a while, a slick thing even, but it was never a sane thing, just a necessary evil to work around an even worse problem. A step along the way of development. Not a destination.

Just because you're used to something, and just because a lot of other people have been forced to bend over backwards to deal with this thing you're used to and hide its problems from you by all manner of other hacks and kludges that turn simple needs into complex problems with no actually robust solutions, let alone efficient ones, doesn't make it not utter garbage. As a sys admin and app developer and integration specialist, I spend ridiculous amounts of time trying to come up with ways to make things work across nat boundaries that should be dead simple. All that wasted time and lost productivity, progress that could have happened but didn't because I was too busy banging my head against broken network topology, because "it works for me" and "it's your admin's problem, not mine". Maybe we admins & developers should just stop bothering? It will certainly matter to you then.

The security arguments are complete nonsense. Being able to sanely address things has absolutely nothing to do with security. I don't have to know how to address remote internal natted machines to do harm to them. As in pretty much every other area of life, destruction is far easier than construction. Nat does not much hinder destruction but does hinder construction. At the same time, sane functional addressing does not prevent or even hinder security, nor does it help destruction. In fact it could INCREASE security if we went all the way with it. It wouldn't bother me too much if we made it a rule that NAT was not allowed anywhere on the internet. Build some sort of checksum into the base protocols so that *real* NAT (proxies would still be possible, and that's just fine) would not be possible without breaking the checksum, and thus ensure that no machine anywhere can spoof its activities. No more spam! No more dictionary attacks! No more slow distributed botnet attacks! No more phishing pages! Every action would be immediately traceable directly to its source, even through indirect means like worms in emails and web pages. Nah, what do we care about that stuff?

We're not saying everyone drop everything and go replace all your hardware and software now(*). Other people have already seen to it that mostly ipv6 will have made its way into most of your stuff through natural attrition without you having to do anything. We're just really disgusted by the attitude that ipv6 was invented for no purpose and should just be ignored and we should just use nat even more than we already do instead. Don't offer that kind of "advice". It's backwards and destructive.

Those links that have been posted over and over actually do point out simple and inarguable problems. Why is it so hard to understand? Pick any single one of those problems, just one, and it's enough to call the whole concept of nat a broken thing that should only be used in the oddest of special circumstances, not as a pervasive thing everywhere like it is today. Yet there are several, not just one.

Today's overuse of nat is just the classic trying to solve all problems with a hammer because you have a hammer.

--
bkw