No Metrics [LWN.net]

No Metrics

Posted May 9, 2011 18:03 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
In reply to: No Metrics by paulj
Parent article: Scale Fail (part 1)

Probably not. With IPv4 it's a struggle to keep things globally adressable. Hey, I've just got my IPv4 PI allocation and happily renumbered my networks - now I can reach every host from every host. It's a heaven. But getting it was certainly not trivial.

With IPv6 it's exactly backwards - it's a struggle NOT to make your computers globally addressable.

to post comments

No Metrics

Posted May 9, 2011 21:48 UTC (Mon) by paulj (subscriber, #341) [Link] (13 responses)

Globally addressable != global end-end connectivity, sadly. Lots (most, even) of people will still have restrictive firewalls between their network and the internet, and some people even want NAT for IPv6..

No Metrics

Posted May 10, 2011 8:18 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (12 responses)

Firewalls can be disabled or reconfigured. NAT can't be disabled (there's not enough global IPv4 addresses) even in principle.

The changes will take years, so there'll be plenty of time for security to evolve. But we now have foundation for it.

No Metrics

Posted May 10, 2011 9:55 UTC (Tue) by paulj (subscriber, #341) [Link] (11 responses)

Many users will lack either the administrative or technical capability (or both) to reconfigure firewalls, sadly.

No Metrics

Posted May 10, 2011 11:50 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (10 responses)

That's the beauty of IPv6 it's open by default.

And corporate networks will benefit from end-to-end security most, so I expect that they'll migrate to IPsec even before home users.

No Metrics

Posted May 10, 2011 17:35 UTC (Tue) by dlang (guest, #313) [Link] (5 responses)

corporate users will suffer from open end-to-end connectivity most, including tunnels that make it impossible to see what's happening.

No Metrics

Posted May 10, 2011 17:41 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

Not really. It's possible to sniff encrypted tunnels if you know the private key of one host (and enterprise admins probably would know it), it's even supported in Wireshark.

Besides, it's not like I can't make an HTTPS tunnel which can pierce all but the most paranoid firewalls right now. Skype does this, for example.

No Metrics

Posted May 10, 2011 21:37 UTC (Tue) by Tobu (subscriber, #24111) [Link]

Nitpick: that depends on the key exchange. Sniffing after a Diffie Helman requires the cooperation of one of the parties, and I don't think wireshark has support for this at the moment.

No Metrics

Posted May 10, 2011 21:45 UTC (Tue) by raven667 (subscriber, #5198) [Link] (2 responses)

*sigh* that is one thing that is probably true, some network operators will break their networks in the name of security making life difficult for the people who use them and that won't really protect anything because so much traffic is tunneled over 80/443 which is almost universally allowed.

No Metrics

Posted May 19, 2011 18:40 UTC (Thu) by oelewapperke (guest, #74309) [Link] (1 responses)

That's because it requires the "end" party to take the initiative. That's the beauty of NAT. Put an ancient totally unsupported bug-riddled system that every grandmother knows how to exploit remotely behind a nat firewall ...

And it's perfectly secure.

No Metrics

Posted May 23, 2011 4:24 UTC (Mon) by RobertBrockway (guest, #48927) [Link]

No it isn't. If that was true then most successful attacks today wouldn't even occur. For some time now the bulk of attacks have occurred over connections initiated by the end user system.

No Metrics

Posted May 11, 2011 18:36 UTC (Wed) by Baylink (guest, #755) [Link] (3 responses)

> That's the beauty of IPv6 it's open by default.

The problem with utopias is that it only takes *one* Bad Guy to fuck things up for the rest of us.

"That's not a feature, that's a bug."

No Metrics

Posted May 12, 2011 13:42 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

And closing down everything like we already do now does not help at all.

No Metrics

Posted May 19, 2011 18:46 UTC (Thu) by oelewapperke (guest, #74309) [Link] (1 responses)

Actually, given the amount of security holes ... and how secure a company is by default from remote (ie. they only get infected by surfing porn sites or opening suspicious mail) ...

It kinda does solve a lot of problems.

I mean, I hate nat just like the next guy. But you won't get anywhere by declaring it doesn't solve anything. You'll be just like gaia idiots screaming before the capitol to get America off oil, not realizing they're basically asking America to cut it's economy by 95% or more. Not going to happen (and it's a *good* thing we don't honor such requests)

NAT is a beautifully simple solution. And it is possible to modify just about any protocol to work with nat. I fear nat and ipv4 may be here to stay.

Certainly converting RIPE, APNIC and AFRINIC over to ARIN rules would give us another 10 years easily. Saying "an IP will cost you $0.01 per year" will get us another 100 years.

No Metrics

Posted May 19, 2011 19:11 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

A stateful firewall which simply blocks all incoming connections (i.e. a NAT setup minus the actual address and/or port translation) gets you all the security benefits of NAT without most of the hassle. As a bonus, if you want to run the same services on two or more servers they can each use their own addresses rather than competing for the standard port numbers.

Anyway, most home routers aren't much more secure with NAT, since they allow ports to be forwarded via UPnP requests. If you're running a server and opening forwarding ports with UPnP you might as well permit direct access; if not, blocking the connection at the server (because the port is closed) is just as effective as blocking it at the firewall. An effective firewall must be configured by the network administrator to accept or reject specific traffic, not simply permit incoming connections to any local server that asks politely while blocking the ones which would have been rejected anyway.