
NAT is evil?

Posted Jan 30, 2007 19:35 UTC (Tue) by RobSeace (subscriber, #4435)
In reply to: NAT is evil? by flewellyn
Parent article: Fedora's metrics have ripple effect (Linux.com)

It's very harmful... It totally breaks the end-to-end nature of the Internet, and renders it impossible, or at least extremely difficult, to do what should be very simple things (eg: have end-users connect directly to one another, a la P2P)... It was a bad idea that only survived due to necessity (the shortage of IPv4 addresses), but now has sadly become so entrenched that SOME strange people actually seem to LIKE it, which saddens me greatly as a network programmer (because, I know these people are going to continue making my life harder for many years to come, when it doesn't NEED to be any more)... ;-/

For more info, see Things that NATs break and RFC-1627: Network 10 Considered Harmful...


to post comments

NAT is evil?

Posted Jan 30, 2007 19:51 UTC (Tue) by flewellyn (subscriber, #5047) (8 responses)

Ahh, this explains much.

So, in a non-NAT, IPv6 world, how would one achieve the "LAN behind a single firewalling box" effect? Just have the LAN machines route through the firewall box, using it as a router?

NAT is evil?

Posted Jan 30, 2007 19:59 UTC (Tue) by liljencrantz (guest, #28458) (7 responses)

In a word, yes.

There is no need for the firewall to do NAT as well.
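As an added illustration of the point made in this reply (not code from the thread or from any of its participants): a routed LAN gets the "behind a single firewalling box" behaviour from connection tracking on the router, not from address rewriting. The ruleset below is an nftables example written for this page; it assumes the router's interfaces are named wan0 and lan0 and that the LAN holds 2001:db8:1234:1::/64, both of which are hypothetical values from the documentation prefix.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread: stateful IPv6 forwarding with no NAT.
# Assumed names: "wan0" (upstream), "lan0" (LAN), prefix 2001:db8:1234:1::/64.

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows the LAN opened are let back in.  This state
        # tracking is what people mistake for a security feature of NAT.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may originate any flow towards the Internet.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1234:1::/64 accept

        # Do not blanket-drop ICMPv6: path MTU discovery and error
        # reporting break, and nothing here is a NAT hiding the problem.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } accept

        # The one thing NAT makes hard and routing makes trivial: publish a
        # single LAN host directly, on its own address, with no port mapping.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1234:1::22 \
            tcp dport 22 ct state new accept

        # Every other inbound attempt to start a flow hits the drop policy,
        # exactly the exposure a LAN "behind" a NAT has today.
    }
}
```

Only the forward chain is shown; the router's own input chain still needs its usual rules (allow neighbour discovery and router advertisements on the link, restrict management access). The rule exposing 2001:db8:1234:1::22 is there to show the end-to-end property RobSeace is arguing for: the host is reachable on the address it actually has, and the decision to expose it is one explicit firewall line rather than a port-forwarding table.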

NAT is evil?

Posted Jan 30, 2007 20:40 UTC (Tue) by RobSeace (subscriber, #4435) (6 responses)

Exactly... A lot of places have LANs that are already set up this way, even in IPv4 world... All it requires is enough IP addresses for all of your LAN machines... (Which, admittedly, can be expensive, especially if you need a very large subnet...) In IPv6 world, hopefully everyone will have AT LEAST a full /64 subnet to themselves, so no worries unless you need more than 2^64 machines on your LAN... ;-) (Or, want to further subnet your machines into multiple LANs, which is why they're talking about just giving everyone /48s, which would be super-sweet... ;-) I suspect it'll end up being that "business-class" customers get the /48s, and home users get /64s, though... Which is probably just fine, anyway...)

A /64 for each user?

Posted Jan 30, 2007 22:21 UTC (Tue) by flewellyn (subscriber, #5047) (5 responses)

I confess, it's somewhat shocking to me to imagine that IPv6 would allow a private, solitary person to have 18 quintillion (or so) possible IP addresses, without risking global exhaustion! What would we DO with them all? I don't see myself putting every cell in my body on a LAN anytime soon.

Are "they" (IETF, I assume?) really considering giving everyone a /64? Giving businesses /48s? Never mind "what home user needs 18 quintillion addresses?", what BUSINESS needs a septillion? Even Google doesn't have that many servers yet.

I kinda think a /32 would be enough for home users, maybe even enough for most businesses. Of course, that then gives us the ability to give 4 billion IP addresses to each of 79 octillion people...

Geez, IPv6 scares me sometimes.

A /64 for each user?

Posted Jan 30, 2007 23:00 UTC (Tue) by nix (subscriber, #2304) (1 responses)

I think you meant `a /96' when you said `a /32'.

A /64 for each user?

Posted Jan 31, 2007 2:40 UTC (Wed) by flewellyn (subscriber, #5047)

Yes, yes, of course. Sorry. I always get my ordering mixed up with those numbers.

A /64 for each user?

Posted Jan 30, 2007 23:13 UTC (Tue) by RobSeace (subscriber, #4435) (2 responses)

> What would we DO with them all?

Mostly waste them, just to be able to have automagic IP assignment for any machine by using its Ethernet MAC in the lower 64 bits... (Yes, a MAC is only 48 bits, but there's some method or other of munging it into a 64-bit value, which is one proposed method of automagic config-free IP assignment... There are other methods as well, but mainly just to cope with paranoid people who seem to believe that giving out their MAC address is somehow a horrible thing which will render them instantly vulnerable to every cracker on the Net... ;-))

> Are "they" (IETF, I assume?)

IANA, ARIN, RIPE, and others, all talking together, I believe...

> really considering giving everyone a /64? Giving businesses /48s?

Yeah... /64 is really the smallest you can get, anyway... Because the lower 64 bits are all host-specific, and the upper 64 are for routing... You could theoretically get a single fixed /128 IP, but it'd be pulled out of some /64 (or less) subnet somewhere... Like I said, slimy ISPs might try to do something like that for home users... But, they really should just give them all their own /64...

Anyway, yeah see RFC-3177 for what I believe are the current recommendations... Or, this RIPE document...

> I kinda think a /32 would be enough for home users

You've got the CIDR /bits backwards: a /32 would be a HUGE allocation of IPs! ;-) The lower the /bits value, the bigger the subnet... It's a count of the fixed 1 bits in the netmask, starting at the left... So, what you really meant was /96, which leaves 32 bits for host use... However, as I say, you can't really do that with IPv6: the upper 64 are the routable portion, and the lower 64 are the host ID portion... That's just the way they did things... Is it overkill to allow for 2^64 hosts on each subnet? Um, yeah, probably... ;-) But, hey, I'd rather them go overkill than not enough... And, with 2^64 /64s available, I don't think they'll run out of those for a while, either... ;-) (Yeah, actually, there are slightly less than that many currently allowed publicly assignable IPs, since I think they're all in a /3, but it's still an outrageously huge number...)
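Two things in this post and the earlier "Mostly waste them" one are easier to see in code than in prose: what a prefix length leaves for hosts (the /32 versus /96 mix-up, and how many /64 LANs a /48 holds), and the "method or other of munging" a 48-bit MAC into a 64-bit interface identifier, which is the modified EUI-64 construction of RFC 4291 appendix A. The block below is an example added for this page, not code from the thread or its participants; the prefix 2001:db8:1234:1::/64 and the MAC 00:16:3e:12:34:56 are made-up values chosen for illustration. The last function does the reverse mapping, which is exactly why the "paranoid people" had a point: an EUI-64 address publishes the hardware address of the host to every peer it talks to.

```python
"""Added example, not from the thread: IPv6 prefix arithmetic and the
modified EUI-64 interface identifier (RFC 4291 appendix A).
Standard library only.  Prefix and MAC below are made-up documentation values."""
import ipaddress
from typing import Optional


def host_bits(prefix_len: int) -> int:
    """Host bits left by an IPv6 prefix: /32 leaves 96, /96 leaves 32."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    return 128 - prefix_len


def subnets_in(parent_len: int, child_len: int) -> int:
    """How many /child_len networks fit in one /parent_len network."""
    if not 0 <= parent_len <= child_len <= 128:
        raise ValueError("need 0 <= parent <= child <= 128")
    return 1 << (child_len - parent_len)


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64: split the MAC, insert 0xFFFE, invert the U/L bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(bytes([iid[0] ^ 0x02]) + iid[1:], "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix + EUI-64 interface ID, as a stateless-autoconfigured host would use."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs need a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_from_mac(mac)))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC if the low 64 bits look like a modified EUI-64.
    Returns None for privacy/random interface IDs (RFC 4941, RFC 7217 style)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    octets = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    print("/32 leaves", host_bits(32), "host bits; /96 leaves", host_bits(96))
    print("a /48 holds", subnets_in(48, 64), "/64 subnets")
    print("2000::/3 holds", subnets_in(3, 64), "/64 subnets")
    addr = slaac_address("2001:db8:1234:1::/64", "00:16:3e:12:34:56")
    print(addr, "->", mac_from_eui64(addr))
    print("2001:db8:1234:1:a1b2:c3d4:e5f6:708 ->",
          mac_from_eui64("2001:db8:1234:1:a1b2:c3d4:e5f6:708"))
```

The fffe check in mac_from_eui64 is a heuristic: a randomly generated interface identifier can contain those two bytes by chance, so treat a non-None result as "probably EUI-64" rather than proof. Modern stacks default to the RFC 4941 temporary addresses or RFC 7217 stable-but-opaque identifiers that the thread's "other methods" refers to, and those return None here.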

A /64 for each user?

Posted Jan 31, 2007 2:44 UTC (Wed) by flewellyn (subscriber, #5047) (1 responses)

Outrageously huge describes it quite well.

I can see the massive advantages in terms of simplicity of this approach. Probably simplify routing a whole lot as well.

While I'm asking you silly questions, I noted upthread that you mentioned HTTP wasn't that well-designed. I'm curious, what are your criticisms of it?

A /64 for each user?

Posted Jan 31, 2007 11:38 UTC (Wed) by RobSeace (subscriber, #4435)

Oh, I was mostly just being snarky... ;-) For what it was designed for, I suppose it's not that bad... It's just when people are forced to use it for layering other stuff on top of it that it wasn't designed for (simply so they can be sure it'll get through sites with draconian firewalls/proxies) that it shows its weaknesses as a general transport protocol... But, in all fairness, it wasn't designed to be one, so that's hardly its fault... There might be a few things I would change about HTTP, but most of them would probably involve making it a better general-use transport, which wasn't its original goal...

I'm really just bitter because I had to deal with a stupid CC authorization protocol pointlessly layered on top of HTTP a while back, which made things far more difficult and inefficient than they should've been... Basically, it takes the same protocol you would use if dialing them up over modem and inappropriately stacks it on top of HTTP, rather than simply having a new listening TCP daemon on some port for handling it, as one would logically suspect they might do... It's just silly...


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds