[ale] Looking for advise on domain names and other info wrt local network.

Michael B. Trausch mike at trausch.us
Mon Aug 11 14:00:12 EDT 2008


On Mon, 2008-08-11 at 05:03 -0400, Forsaken wrote:
> On Mon, 11 Aug 2008 00:28:23 -0400
> "Michael B. Trausch" <mike at trausch.us> wrote:
> > I must have missed the short bus somewhere here.
> 
> Now was that really called for? Or are you one of those folks who have
> to have an argument rather than a discussion?

Huh?  I was merely indicating that I must have been very plainly missing
something obvious.

> 
> > NAT doesn't enhance communication, it _breaks_ it.  The Internet was
> > designed for things to be end-to-end.  Protocols that depend on the
> > end-to-end functionality of the Internet break without some nasty
> > middleware between the client and server (or two peers) working to
> > rewrite packets. 
> 
> It's a matter of perspective. No matter which way you slice it, NAT
> does allow more machines to talk to each other than would otherwise be
> able to. I'm well aware of how ugly of a hack it is, I have the
> equivalent of a small enterprise network running behind my little
> comcast IP, and I've had to deal with all the workarounds to make
> services available to the outside world. 

Yes, it permits one to surpass the design of the network nodes on the
Internet.  I am well aware of that... but that is where its utility
ends.

I am not condemning ugly hacks.  I _am_ condemning the rather ignorant
belief that such a hack should be permitted to live on when the problem
that was the cause for it is going away.  NAT is utterly useless when
you have the ability to have 18,446,744,073,709,551,615 routed nodes on
your network, combined with the fact that there can be up to
18,446,744,073,709,551,615 networks.

There are somewhere between 6.6 and 7 billion people on the planet
Earth.  Let's assume for a moment that the other 8 planets had people
living on them, too, and about the same number.  For giggles, we'll
round up to 7 billion.  That's 56 billion people: 56,000,000,000.

_ONE_ network in IPv6 has enough addresses to give 56 billion people
329,406,144 addresses, if you only have a 64-bit address space and no
network identifiers.  Since you have 64-bits for network identification,
of which 48 bits are used (most of the time), that means there are 5,026
_NETWORKS_ to give each one of the solar system's hypothetical 56
billion people, each with over eighteen quintillion possible addresses.

Some of those networks are reserved, of course, and that reduces the
number of available networks somewhat.  But not significantly.  

> 
> And sure, the internet was designed to be end to end. ipv4 was also
> designed to be classful. Do you think that was a good idea too? The
> wasteful allocation of the ip4 space before the implementation of CIDR
> is mostly responsible for the ip crunch that we're in right now.

No, I think that things can be altered.  Never did I argue that the
Internet should have remained classful, or that DNS was a useless crock.
I fail to see how you connect "NAT seriously ought to go away because it
is a bad feature that breaks the philosophy behind open end-to-end
network communication" with "So, features on the network stack are bad?"
I have a problem with NAT because it breaks end-to-end communication.  I
have a problem with proposed "features" that actually take usable
features away from the network stack, too.  The main reason behind that
is that when you add a feature to a system, if the cost is another
feature, there has to be some other factor that makes it worth it.  With
IPv6, that factor isn't there---there is no reason to have NAT in IPv6,
because the problem that NAT was designed to be a stop-gap measure for
is fixed in IPv6.  Will we come up with new problems in the future that
may have to be solved using ugly hacks like NAT?  Possibly.  And if we
do, we'll come up with ways to solve them, and the next time the network
stack is redesigned, the network stack will overcome those problems,
too.

The change from class-based routing to CIDR was a good move.  It was
sound and required no breakage of networking functionality already
present in the stack.  That having been said, nobody truly expected IPv4
to last forever, and when NAT was created, it wasn't expected to last
forever either.  IPv6 has largely been designed with lessons learned
from the years of IPv4 networking experience that we've had, and as a
result has many new features, dropped support for a few features, and
significantly modified many other features.

The biggest "feature" of IPv6 is really a meta-feature:  largely
simplified networking due to the greater capacity for handling network
nodes, removal of cruft that we had built up in IPv4 (NAT being one, as
an example), and modification of other features to be more appropriate
(for example, broadcast is removed and replaced with a form of multicast
and anycast addresses).  Scope of addresses is another useful feature
that can be found in IPv6, and the easy sharing of multiple types of
addresses on a single interface is good, too.

>  On the
> other hand, I suppose you could say NAT is largely responsible for the
> long delay in ipv6 implementation. 

Absolutely.  Most non-technical types don't see the incentive in a
largely transparent change because they associate change with breakage.
IPv6 has been in the cooker for a long time, though, and I can tell you
that I have been using it for some time quite happily.  IPv6 here in the
States should be a lot farther along than it is, but ISPs haven't gotten
to the point of pushing it out yet.  They probably won't for a while,
either, because XP is still very popular, and the latest release of the
IPv6 stack for XP that I am aware of doesn't support manually-assigned
addresses nor DHCP for IPv6.  Stateless autoconfiguration is good, but
it's not the end-all, be-all of networking, and while it's suitable for
home use, it's not really a great idea for corporate networks that want
to be able to associate each machine with a name, and not have to manage
the DNS manually.

> > IPv6 is designed to last for a long time, and it's expected that it
> > will have to be replaced, too.  Given that there is 128 bits worth of
> > address space in there, though, and that is broken down into network
> > names of at most 64 bits, it's expected to last for a while.  It'll
> > be around for a very long time if we never leave the planet, since if
> > we had that many people and that many machines, we'd probably not
> > have the resources to sustain it all---after all, we don't have the
> > resources to sustain life indefinitely as it is, with the numbers we
> > have now.
> 
> *shrug* and 640K ought to be enough for anyone. Not trying to be cute
> or sarcastic (well, not much) but the computer industry has found out
> time and again that what you think is enough for future growth turns
> out to be quite different when the future gets here. 
> 

Never said that IPv6 is going to be the last protocol stack around.
It's designed to last long enough to design the next network stack.  If
IPv6 hangs around for 28 years, I'll be very disappointed.  IPv4
shouldn't have been around for more than 15 to 20, and efforts to
replace it should have been underway as soon as we realized that it'd be
unreasonable to assume that not every person on the planet could have
even one globally-routable IP address.

> > And, I'm totally lost on the benefit of NAT when merging two networks
> > that are the same non-routable address block.  If I have two networks
> > that are 10.0.0.0/8 and I am merging them together, there's going to
> > be a lot of collisions, and likely a lot of renumbering.
> 
> Well there will certainly be a lot of renumbering, but if you stick a
> NAT box between them, they can at least talk to each other until things
> are consolidated. It's pretty darned useful, since the majority of
> folks who allocate RFC1918 space for their corporate networks seem
> hellbent on starting at the bottom of the range.

Again, that becomes totally unnecessary with the style of link-local
addressing present in IPv6, and without the confusion that having
network nodes with the same address on two separate network segments,
cross-NATted from each other, would cause.

> 
> > I've used IPv4 for all of my life, and most of the time that I have
> > been using it, NAT has been around.  I'd like to say that I remember
> > the days before NAT with absolute clarity, but to be honest, I was a
> > dialup user then and fairly new to networking.  But, ever since I ran
> > into my first NAT, I was really unhappy with the way Internet access
> > worked through it.  I've wanted to see it go away ever since I ran
> > into it, really. 
> 
> Again, it's a matter of perspective. For folks that just need internet
> access, NAT makes things easy. When you need to setup IPSec tunnels, it
> makes life hard. 

IPSec (VPN), SIP (VoIP), and FTP all need special helpers (as do other
protocols) to properly get around NAT.  Commodity routers do FTP.  None
can do IPSec, which is why it's generally tunneled within UDP.  SIP
isn't handled by any commodity NAT appliance that I am aware of, either,
which is why things like third-party application layer gateways are
required to get NATted SIP devices to talk to each other.

> 
> Please understand that I'm not praising the wonderfulness of NAT and how
> it makes life better. I'm a pragmatist. Like any other service, NAT has
> its good points and it has its problems. I'd love it if Comcast would
> give me a /29 (and a full BGP feed, but I'm sick like that) for my
> home network. But since this is the company that blocks even *incoming*
> port 25, I'm skeptical of whether they would even if we weren't in an
> IP crunch. Unfortunately, I don't think widespread ipv6 adoption is
> going to happen anytime soon. 

It's going to have to happen relatively soon, within the next five to
ten years at the absolute latest, unless there are even more drastic
measures deployed into the world for managing the scarcity of IPv4
addresses.  The switchover, though, is more of a catch-22 situation than
anything else:  It can't be widely deployed until it's widely used, and
it won't be widely used until it's widely deployed.  The only real
option, then, is to build new networks---networks installed
_today_---for IPv6, and use IPv4 on them for backwards compatibility
until the IPv4 portions of the network can be turned off and disabled.
I don't think that IPv4 can be removed from the network stack in the
next five years, because there will still be people switching over.  But
the IPv6 Internet will start becoming larger very soon.  Tunnels may be
all that is available now, but Comcast is already using IPv6 internally
for the management of some of their CPE as of May 2007 [1].

> Last I looked, only 4 of the tier 1 providers are offering ip6, and one
> of them is only offering tunnels. So like it or not, NAT is a fact of
> life in the network world for the foreseeable future. If you want an ISP
> that's generous with its bandwidth and not overbearing with its
> policies, you'll have to leave the country to find one.

It certainly is, for now.

But it's not going to go away any faster if it's looked at as "good
enough," which is the viewpoint shared amongst most people that aren't
even aware of its existence.  Non-technical people will say "Don't fix
it, because it ain't broke," when really they have no clue.  Yes, it
works _today_, but it will _not_ work in the very near future when all
the addresses have been gobbled up.  The biggest problem is that those
who know very little and are in charge of things like networked
applications and operating systems and the like have dragged their feet
for far too long.  The free operating systems have had solid support for
IPv6 for a (comparatively) very long time; same with many networked
servers/clients in free software.  Why is it taking so long for everyone
else to have the readiness and actually have that readiness deployed?
Why haven't appliances already switched to running dual-stack network
layer software, and made it so that ISPs can flip the switch and things
will work?

In any event, the whole thing that started this is that I am waiting
until I can have a proper network setup before I actually host
everything of my own.  When IPv6 is deployed, we'll see what happens in
terms of how they hand out address space.  It's my hope that ISPs will
give /64s out, since those yield the smallest possible node address in
IPv6.  Of course, they won't be able to charge you $5 or more for each
extra IP address anymore, but they could charge a significantly larger
sum for each extra network designation that someone would want, if they
want to have multiple networks on their connection, or an even larger
sum to hand out a network of networks if that is something a customer
desires, and they'd easily make back what they'd "lose" over not being
able to sell individual IP addresses anymore.

Anyway, I suppose if people _really_ want to keep NAT around, they just
have to maintain software for it.  The protocol doesn't have to make
provisions for it to make it easy or standardized to implement.  But you
can bet that I'll be really unhappy if the transition doesn't happen
soon; I'd absolutely _hate_ to be double-NATed.  One NAT---the router
that I have here---I can work around.  Two?  One here, and one at the
ISP?  That's much harder to work around.  Of course, that'd be one way
that the ISP could save money, using one NAT at each node.  But it'd not
be worth it.

As things stand today, there are 38 /8 blocks that are unallocated [2].
The estimates that I have seen estimate the exhaustion of the IPv4
address space in anywhere from two years to four years, depending on the
level of allocation that the exhaustion is being estimated for.  It's
time for ISPs to saddle up and get ready to deploy, and work with
vendors to ensure that the hardware being sold will work properly.
There will almost certainly be a period of chaos that everyone will
remember during the transition, but that's life, and life cannot always
be made nice and insulated.  The time to get rid of IPv4 is, if you ask
me, a bit overdue---we as a country should have already started the
public rollout.  Then again, that is a problem that is a direct result
of nobody being able to pull the "IPv4 switch".

	--- Mike

[1] www.ripe.net/ripe/meetings/ripe-54/presentations/IPv6_management.pdf
[2] http://www.iana.org/assignments/ipv4-address-space/

-- 
My sigfile ran away and is on hiatus.