Date:      Tue, 13 Mar 2001 09:37:23 -0600 (CST)
From:      James Wyatt <jwyatt@rwsystems.net>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        Bob Van Valzah <Bob@Talarian.Com>, pW <packetwhore@stargate.net>, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject:   RE: Racoon Problem & Cisco Tunnel
Message-ID:  <Pine.BSF.4.10.10103130847370.72725-100000@bsdie.rwsystems.net>
In-Reply-To: <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com>

On Mon, 12 Mar 2001, Ted Mittelstaedt wrote:
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> >Sent: Monday, March 12, 2001 8:07 AM
> >Subject: Re: Racoon Problem & Cisco Tunnel
> >
> >Yes. The five DSL setups with which I'm familiar all grant at least one
> >public address per house. I believe all are static, but one might be
> >dynamic. Interference with protocols like IPSec is one of the reasons
> >why I'd make a public address a requirement when choosing a DSL
> >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> >possible. Let's hasten the deployment of IPv6.
	[ ... ]
> Until I see the large organizations with Class A's tied up, give up those
> numbers back to the pool, I'll fight any attempt to move from IPv4 to IPv6,
> and most other ISP's that are out there are going to fight it as well.  In
> the meantime I'm pushing all my customers into using NAT.  NAT is here to
> stay and people that run around calling it an aberration are just proving to
> the rest of us that they have absolutely no business sense.

NAT is a tool and you can hurt yourself with it or do useful things with
it, not an aberration or silver-bullet. Folks with fast hosts or small
amounts of traffic and simple needs love it - especially home broadband
users. There is a trade-off for many router users though: a) just change
the header when NAT-ting, or b) correct the packet checksums and lose your
ASIC efficiency and kill your shared-CPU. NAT can also make peer-to-peer
networking for groups of workstations across NAT barriers difficult if you
have to chew up static IPs, from what I can tell.

Many large corporations like GE Corp have huge RFC networks internally. If
you ever have to make an internal Frame Relay link between them behind
their public firewalls, you will learn new words for describing RFC
networking limitations. "Oh &$*^^%! Our router thinks their Chicago server
is on the same LAN segment as our Fort Worth server, but with a different
netmask. Which of us should renumber our servers? Can IPSec help this?"

> NAT has proven itself reliable and vital and idiot engineers that design TCP
> protocols that assume everyone has a public IP number are just architecting
> their own failures, and their protocol's subsequent minimizing by the
> market.  I have some sympathy for protocols like IPSec that came to be
> during the same time - but organizational-to-organizational IPSec tunnels
> don't have to pass through the NAT - they can terminate on it.  But, anyone
> doing a new protocol today is a fool if it can't work through a NAT.

When IPv4 was designed, everyone could have had their own number. It was
done a *long* time ago, and did not envision "The Internet Explosion".
Everyone else has just followed the specs so things interoperated. If
those "idiot engineers" hadn't done that, you wouldn't have equipment
coming out your "*rse-h*le" today. (^_^)

btw: If you stopped saying everyone else (including Vint Cerf, however
misguided or misquoted) is an idiot, fewer folks might miss your otherwise
valid points. If I get it: "NAT works and IPv6 is still a *long* way off
for many very strong commercial realities." I gotta mostly agree with
that, but NAT has a price as well.

I hate fudging checksums because, while they only cause a little more
coding for script kiddies making fake- or poison-packet generators, they
also help ENet reliability. There are more things hurting packets than
just collisions.

If the world ever decides to jump to IPv6, all the server folks have to
renumber as well. How is this all supposed to happen without massive
outages and downtime? - Jy@

