Text 10512, 243 lines
Written 2013-09-28 12:02:21 by mark lewis (1:3634/12.0)
Comment on text 10478 by Michiel van der Vlist (2:280/5555)
Subject: IPv4 and IPv6
=====================
On Thu, 26 Sep 2013, Michiel van der Vlist wrote to mark lewis:
MvdV>> My perimeter firewall in my router works just as well on IPv4
MvdV>> as on IPv6, despite the fact that for IPv6 there is no NAT.
ml> you are using a router box that is not really needed...
ml> marketing foisted routers on everyone and got them to believe that
ml> they have been required for their connections when they have not in
ml> the huge majority of cases...
MvdV> Nobody "foisted" a router on me.
sure... marketing and sales "forced" or "foisted" them on everyone with their
talk... that and the removal of the other devices that were all that was
needed... but i'm not going to argue semantics with you... suffice it to say
that a modem feeding a switch or a hub is all that is really needed... with a
firewall in between them, of course...
i'net -> modem -> firewall -> hub_or_switch -> internal_machines
routers are overkill for most all SOHO/Home usage... especially considering
that they are mostly doing little more than the job of a switch...
MvdV> And I know that there is more than one way that leads to Rome.
yes, there is...
MvdV> But I find that small piece of dedicated hardware - that needs
MvdV> just a few Watts - a convenient and economic way of interfacing
MvdV> my LAN to the InterNet.
agreed to a point...
MvdV> Electricity is expensive here. I do not need another 100+ Watt
MvdV> crate to run 24/7 like you use an old machine for the purpose...
my firewall box doesn't use 100+ watts... currently, with 2 machines, three
modems of various types (analogue and digital), a sound system for the
computers and a monitor, my wattage monitor shows only 180 to 200 watts being
consumed... most of that is due to the 19inch CRT that is being used via KVM
for four machines (those two and two others on another power supply unit)...
the bricks for the modems and sound system are always eating power even when
the devices are powered off...
MvdV>> NAT is a kludge that breaks end to end connectivity.
ml> i do not agree... especially with it being a kludge...
MvdV> Of course it is a kludge. The internet was originally designed
MvdV> around the idea that every machine had its own globally unique IP
MvdV> address. Well, that model broke down because there were not
MvdV> enough addresses as we all know and so they came up with the idea
MvdV> to have more than one machine share an IP address and NAT was
MvdV> born.
MvdV> But a kludge it is. A kludge to circumvent the shortage of
MvdV> addresses. The /proper/ way to deal with the problem would have
MvdV> been to migrate to IPv6 fifteen years ago...
again, i disagree... there is no real and absolutely necessary reason for each
and every machine and/or device to have its own IP address... servers? sure but
only to a point which we see and use every day... domain names, on the other
hand, and a phonebook (DNS), on the other hand, are needed and highly
desirable... especially since humans cannot remember numbers as well as they
can strings of characters making up words or phrases...
ml> as for breaking end to end connectivity, the hacker infestation
ml> would be much much worse than it already is without it...
MvdV> A decent firewall will do the same or a better job than a NAT.
MvdV> Without giving up end to end connectivity.
again, i disagree... a firewall's job is to protect the network by allowing or
blocking access... it has nothing to do with routing or address translation...
i fear you are being confused by marketing talk again :/
ml>> all that i have to do is to make sure that my internal networks
ml>> are not using the same IP range as my carrier is using...
MvdV>> When you have NAT behind NAT, some things will not work any
MvdV>> more...
ml> sure they will... i maintain numerous configurations that are double
ml> and even triple NAT...
MvdV> Then obviously you are not using those applications that have
MvdV> problems with it.
name some... i know that VPNs work quite well and easily behind multiple
NATs... one simply must pay attention to networking 101 on all involved devices
that one has control over...
ml>> i pay for a connection to the internet, period... not a
ml>> connection per device... it is none of their business what or how
ml>> many devices i have...
MvdV>> With IPv6 they will have no more or no less information on the
MvdV>> number of devices than with IPv4.
ml> bullshit... with IPv6, every device will be given an IPv6
ml> number... that, in itself, will give them the information with
ml> which to charge for each and every device connected...
MvdV> As there can - and often will - be more than one IPv6 address
MvdV> per device,
whatever for??
MvdV> there is not a 1:1 relation between the number of IPv6 addresses
MvdV> in use and the number of devices. Windows uses randomized
MvdV> addresses for outgoing connections.
well, we all already know how broken winwhatever is ;) ;) ;)
ml> yet again, it all comes down to corporate greed... it will happen
ml> if users allow it to happen... like sheep to the slaughter...
MvdV> So don't you have this thing called "competition" over there?
competition has nothing to do with corporate greed... not the greed of
separating you from your $$$... competition is another form of greed but only
loosely...
MvdV> Here it has been common practise for years to connect many
MvdV> devices to a household InterNet connection. The ISPs know this
MvdV> and encourage it. There has never been any indication that ISPs
MvdV> want to charge per device.
that's over there... over here things are much different... ISDN in the US is a
perfect example... it is still priced so high as to make it unaffordable in the
average SOHO/Home environment...
MvdV> And if they tried they would not get away with it. The first one
MvdV> to try would lose customers to the competition....
that happens here when folks finally figure out or otherwise find out what it
is being done...
MvdV>> I think your fears are unfounded. If your ISP wants to charge
MvdV>> you on the number of devices, they can do that now. Why should
MvdV>> they change that policy when you go IPv6?
ml> they can NOT do that now because they have no way of knowing or
ml> counting my devices...
MvdV> Or so you think...
there is nothing in the packets on the other side of the NAT that indicate that
they originated from anything more than one single machine... if there is,
perhaps you can point it out to me? i definitely do not see such in the
thousands of raw TCP/IP packets i review on a daily basis while working on
IDS/IPS rules to protect my networks...
MvdV>> CGNAT won't give you access to the port forwarding tables. No
MvdV>> more servers...
ml> i know this... but it is, again, no different than NAT that is in
ml> use now... as far as servers go, there again is yet another reach
ml> into your pockets to extract more of your $$$...
MvdV> IPv4 addresses have become a scarce commodity. So the price goes
MvdV> up. That is not greed, that is the Law of supply and demand.
it is greed because there are corporations who are hoarding IPv4 addresses...
consider, for example, what a company of 1000 with 2000 machines really needs
with 16000 or more addresses...
PQ>>> We would have to surrender our public IPv4 address first, of
PQ>>> course.
ml>> depending on one's service, they may never know they no longer
ml>> have a WAN IPv4 address...
MvdV> Indeed, my auntie Beatrice may never notice because she just
MvdV> does a bit of browsing and some e-mail.
yep... for her, a shared IP is no problem and so she and others like her are
ignorant to what is really going on... folks like you and me, on the other
hand, see a lot more and we know more about what is going on and how things
work... especially those of us who work deep in the guts of this technology
every day... those technical folks who sit on the sidelines and watch are not
as ignorant as aunt beatrice but they are (likely?) ignorant to the real deeper
workings which are exposed to those digging into the packets and scrutinizing
the traffic every day...
MvdV>> Every one running a server will soon find out...
ml> it won't stop the servers from running and doing their work...
MvdV> That won't do much good if they are inaccessible...
:) true but they are still running and doing their work :)
ml> it will only stop those on the outside of the local carrier from
ml> being able to make the connection...
MvdV> I suspect it will be limited to those on the same subnet, which
MvdV> may be a much smaller group than the entire client base of that
MvdV> ISP.
"subnets" are so passé... today's world may use the term but it is not the
same as it was... CIDR is the way most things are separated today... netmasks
are limited but that, too, is another term still used for simplicity and to
ease the understanding of those not in the know...
MvdV> Apart from the difficulty of knowing the IP address of the
MvdV> server...
MvdV>> 100.64.0.0/10 is reserved for CGNAT. If ISPs use that range,
MvdV>> there will not be a conflict with LAN's using RFC1918
MvdV>> addresses.
ml> true... however, i have (and many others as well) been connected
ml> to ISPs that use RFC-1918 for all their client connections... this
ml> CGNAT is no different other than being restricted to another
ml> address range... not to mention that that address range is pretty
ml> small when all things are considered
MvdV> It is large enough. CGNAT does not mean that all customers of
MvdV> that same ISP will share one and the same IP. The number is
MvdV> limited because the number of ports is limited to 2^16. Some
MvdV> applications use hundreds of ports at the same time, so sharing
MvdV> one IP with 1000 customers invokes the risk of running out of
MvdV> ports. They probably do not go beyond 100 or 200 customers per
MvdV> IP. So they cut the customer base in small chunks and give each
MvdV> chunk its own subnet with its own public IP and those subnets
MvdV> can reuse the private addresses.
did you ever stop to think that these reservations, like CGNAT, being created
today are being used to help kill IPv4 and to try to force IPv6 on everyone?
ml> (how many smartphone users are there? how many cars will be
ml> connected in the future? how many household appliances will be
ml> connected? how many security systems? and so on)...
MvdV> And they will use IPv6...
maybe... maybe not... smartphones get IPv4 when they are here in my area and
allowed on my network...
)\/(ark
* Origin: (1:3634/12)
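Two technical points in the exchange above lend themselves to a worked check: keeping LAN ranges clear of the carrier's range when NAT sits behind NAT, and the CGNAT port budget (2^16 ports per public IP shared across some number of customers). The following Python block is an added example and is not code from either poster; it uses the standard `ipaddress` module, treats 100.64.0.0/10 as the CGNAT shared address space (RFC 6598) and the three RFC 1918 blocks as private, and assumes the low 1024 ports are kept out of the shared pool, which is a modelling choice, not an ISP's actual policy.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared address space used for CGNAT.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

TOTAL_PORTS = 2 ** 16          # TCP/UDP port space per address
RESERVED_LOW_PORTS = 1024      # assumption: well-known ports are not handed out


def classify(addr: str) -> str:
    """Say which kind of address a WAN-side or LAN-side IP is."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_global:
        return "public"
    return "other"          # loopback, link-local, multicast, etc.


def wan_conflicts_with_lan(wan_cidr: str, lan_cidrs: list) -> list:
    """Return the LAN ranges that overlap the range seen on the WAN side.

    This is the 'networking 101' check from the thread: a NAT behind a NAT
    only misbehaves when the inside and outside ranges collide.
    """
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    lans = [ipaddress.ip_network(c, strict=False) for c in lan_cidrs]
    return [str(lan) for lan in lans if wan.overlaps(lan)]


def ports_per_customer(customers: int, reserved_low: int = RESERVED_LOW_PORTS) -> int:
    """Ports each customer gets when one public IP is shared evenly."""
    usable = TOTAL_PORTS - reserved_low
    return usable // customers


def max_customers_per_ip(ports_needed: int, reserved_low: int = RESERVED_LOW_PORTS) -> int:
    """Customers one public IP can carry if each needs ports_needed ports."""
    usable = TOTAL_PORTS - reserved_low
    return usable // ports_needed


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real network.
    for a in ("192.168.1.5", "100.64.1.1", "8.8.8.8", "127.0.0.1"):
        print(f"{a:>14}  {classify(a)}")

    # Constructed example of a carrier handing out 192.168.1.0/24 on the WAN side.
    print("conflicts:", wan_conflicts_with_lan("192.168.1.0/24",
                                               ["192.168.1.0/24", "10.0.0.0/24"]))

    # The sharing-ratio arithmetic behind the "100 or 200 customers per IP" estimate.
    for n in (100, 200, 1000):
        print(f"{n:5d} customers per IP -> {ports_per_customer(n)} ports each")
    print("customers per IP if each needs 300 ports:", max_customers_per_ip(300))
```

The port figures are the reason a carrier cannot simply put 1000 subscribers behind one address: at that ratio each subscriber gets 64 ports, which a single browser session can exhaust, whereas at 100 to 200 per IP there are several hundred per subscriber. The overlap check is the one to run before stacking a private LAN behind a carrier that itself uses RFC 1918 or 100.64.0.0/10 on the access side.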