[arin-ppml] Stepping forward, opening my mouth and removing all doubt about
Owen DeLong
owen at delong.com
Thu Aug 28 11:26:46 EDT 2008
On Aug 28, 2008, at 7:12 AM, William Herrin wrote:
> On Thu, Aug 28, 2008 at 1:07 AM, Ted Mittelstaedt <tedm at ipinc.net>
> wrote:
>>> Is it your position that more than 10% of those users would
>>> be inconvenienced by having an RFC 1918 address behind a NAT
>>> box instead?
>>
>> No, however the issue is that with those large ISP's almost
>> certainly a percentage of their customers are running some app
>> that is dependent on a public IP.
>
> My guess puts it at 3% to 5% but let's use 10% for our calculations
> just to be on the safe side. That's the maximum number of folks choose
> to use applications which either fail or function suboptimally when
> behind a typical NAT firewall.
>
Let's put it closer to 75%. Here's a list of popular things that
function sub-optimally behind NAT:
1. Pick your favorite IM
2. VOIP (when it doesn't break outright)
3. P2P applications of various types -- Regardless of what
you think of P2P filesharing, there are a number of additional
P2P applications that have legitimate purposes and there
are, frankly, many more legitimate P2P file shares than
illegal ones. For example, virtually every linux distro has
a bit torrent available.
4. Voice and Video chats.
5. SSH
I'm willing to bet at least 75% of users use one or more of these
on an almost daily basis.
Things which break behind NAT:
1. Inbound access to your machine from somewhere
else. (Remote desktop, SSH, Web Server, etc.)
Lots of people would _LIKE_ to do these things if they could,
and, even more would be upset if it was suddenly taken away
from them.
Hence, I argue that your 10% figure is... optimistic.
>
>> BUT - the fact of the matter is that stateful inspection
>> of packets through a firewall shouldn't require this icky
>> disgusting rewriting of source IP addresses. NAT is a
>> transition technology and it has a lot more years left in
>> it, but we cannot lose sight of the fact that it is a hack,
>> despite our amazement that the elephant can actually dance.
>> And you do not lay the foundations of a stable Internet
>> on a hack.
>
> Actually, that icky rewriting is a benefit from a network security
> perspective. NAT has a tendency to fail closed while non-translating
> firewalls have a tendency to fail open.
>
This simply isn't true. Non-translating firewalls fail just as closed
if the firewall supports stateful inspection. As an example, a
Netscreen without NAT fails just as closed as a Netscreen
with NAT configured.
> But that's beside the point. No one is extolling the merits of
> ditching IPv6 in favor of a NAT-based Internet. What we are saying is
> that it is essentially impossible to achieve sufficiently ubiquitous
> IPv6 deployment in the next 3 years as to allow IPv6-only deployments
> to customers. Ain't gonna happen. Get past it and realize that however
> fast or slow IPv6 is deployed, we're going to need an interim solution
> so that until the long term solution is ubiquitously usable the folks
> who -can't- engineer their systems to use NAT still have a viable way
> to get IPv4 addresses.
>
I don't see how that is going to happen, either. What I'm
hearing from most of those that have addresses which might
be put into such a pool is that there is no price at which they
are likely to do so.
>
>
>> You're asking my generation to commit a terribly immoral act
>> by making the very fabric of the Internet dependent on a cheap
>> hack.
>
> Providing a working interim solution between depletion of the IPv4
> free pool and whatever long term solution comes next is an -immoral-
> act? That is an astonishing claim.
>
1. Calling it a working solution assumes facts not in evidence.
2. Increasing the spread of the NAT disease is an immoral act
unless it can be shown to have a very high likelihood of
strong meaningful beneficial effect to outweigh its
extreme disadvantages. You have failed to show any
such likelihood.
>
> On Thu, Aug 28, 2008 at 8:50 AM, Iljitsch van Beijnum
> <iljitsch at muada.com> wrote:
>> Making IPv4 tradable means that our trajectory towards the wall
>> will change
>> in ways that we can't predict.
>
> We went through this pretty extensively last year. Control of IPv4
> addresses can be legitimately traded now using The Ruse and The
> Container Sale. No one is proposing that we suddenly make IPv4
> tradable; for all practical purposes it already is. One point of a
> liberalized transfer policy is to give ARIN better control over the
> trading process so that the community can avoid the more egregious
> abuses (like heavy disaggregation).
>
The current policy limits you to:
1. Transferring entire blocks.
2. Tremendous scrutiny and a larger paper trail than what
is proposed.
3. You at least have to claim that you transferred the underlying
physical assets/infrastructure, not just the addresses.
4. Deaggregation is NOT allowed under the current policy.
Owen
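The fail-closed point raised in the message above (a stateful firewall that does no address translation still drops unsolicited inbound traffic) can be shown concretely. The nftables ruleset below is an added example, not part of the original post or of any product mentioned in it. It assumes a router with upstream interface eth0, a LAN on eth1 holding publicly routable addresses in the constructed prefix 203.0.113.0/24, and one host (203.0.113.10) that is meant to accept SSH; all of those names and addresses are assumptions for the illustration.

```nft
# Added example: a non-translating stateful firewall in nftables.
# No rule here rewrites source or destination addresses; connection
# tracking and the chain's default policy alone decide what is forwarded.
table inet filter {
    chain forward {
        # Default policy is drop, so anything not explicitly matched below
        # is discarded. This is the fail-closed behaviour.
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN opened are let back in, exactly as
        # a NAT box would do via its translation table.
        ct state established,related accept

        # Out-of-state or malformed packets are dropped before any other test.
        ct state invalid drop

        # Hosts on the LAN (public addresses, no RFC 1918) may initiate
        # anything outbound.
        iifname "eth1" oifname "eth0" accept

        # Inbound access is granted only where deliberately permitted:
        # here, new SSH connections to one assumed host. With NAT this is
        # the point where a port-forward would be needed instead.
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.10 tcp dport 22 ct state new accept

        # Everything else arriving from upstream has no matching state and
        # falls through to the drop policy.
    }
}
```

Loaded with `nft -f`, this ruleset gives every LAN host a real public address yet exposes nothing from the outside except what the explicit inbound rule allows. The difference from a NAT box is that the fail-closed property is stated in the policy line rather than being a side effect of a missing translation entry, which also makes it visible to review with `nft list ruleset`.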