[arin-ppml] Stepping forward, opening my mouth and removing all doubt about
owen at delong.com
Thu Aug 28 11:26:46 EDT 2008
On Aug 28, 2008, at 7:12 AM, William Herrin wrote:
> On Thu, Aug 28, 2008 at 1:07 AM, Ted Mittelstaedt <tedm at ipinc.net>
>>> Is it your position that more than 10% of those users would
>>> be inconvenienced by having an RFC 1918 address behind a NAT
>>> box instead?
>> No, however the issue is that with those large ISP's almost
>> certainly a percentage of their customers are running some app
>> that is dependent on a public IP.
> My guess puts it at 3% to 5% but let's use 10% for our calculations
> just to be on the safe side. That's the maximum number of folks choose
> to use applications which either fail or function suboptimally when
> behind a typical NAT firewall.
Let's put it closer to 75%. Here's a list of popular things that
sub-optimally behind NAT:
1. Pick your favorite IM
2. VOIP (when it doesn't break outright)
3. P2P applications of various types -- Regardless of what
you think of P2P filesharing, there are a number of additional
P2P applications that have legitimate purposes and there
are, frankly, many more legitimate P2P file shares than
illegal ones. For example, virtually every linux distro has
a bit torrent available.
4. Voice and Video chats.
I'm willing to bet at least 75% of users use one or more of these
on almost daily basis.
Things which break behind NAT:
1. Inbound access to your machine from somewhere
else. (Remote desktop, SSH, Web Server, etc.)
Lots of people would _LIKE_ to do these things if they could,
and, even more would be upset if it was suddenly taken away
Hence, I argue that your 10% figure is... optimistic.
>> BUT - the fact of the matter is that stateful inspection
>> of packets through a firewall shouldn't require this icky
>> disgusting rewriting of source IP addresses. NAT is a
>> transition technology and it has a lot more years left in
>> it, but we cannot lose sight of the fact that it is a hack,
>> despite our amazement that the elephant can actually dance.
>> And you do not lay the foundations of a stable Internet
>> on a hack.
> Actually, that icky rewriting is a benefit from a network security
> perspective. NAT has a tendency to fail closed while non-translating
> firewalls have a tendency to fail open.
This simply isn't true. Non-translating firewalls fail just as closed
if the firewall supports stateful inspection. As an example, a
Netscreen without NAT fails just as closed as a Netscreen
with NAT configured.
> But that's beside the point. No one is extolling the merits of
> ditching IPv6 in favor of a NAT-based Internet. What we are saying is
> that it is essentially impossible to achieve sufficiently ubiquitous
> IPv6 deployment in the next 3 years as to allow IPv6-only deployments
> to customers. Ain't gonna happen. Get past it and realize that however
> fast or slow IPv6 is deployed, we're going to need an interim solution
> so that until the long term solution is ubiquitously usable the folks
> who -can't- engineer their systems to use NAT still have a viable way
> to get IPv4 addresses.
I don't see how that is going to happen, either. What I'm
hearing from most of those that have addresses which might
be put into such a pool is that there is no price at which they
are likely to do so.
>> Your asking my generation to committ a terribly immoral act
>> by making the very fabric of the Internet dependent on a cheap
> Providing a working interim solution between depletion of the IPv4
> free pool and whatever long term solution comes next is an -immoral-
> act? That is an astonishing claim.
1. Calling it a working solution assumes facts not in evidence.
2. Increasing the spread of the NAT disease is an immoral act
unless it can be shown to have a very high likelihood of
strong meaningful beneficial effect to outweigh it's
extreme disadvantages. You have failed to show any
> On Thu, Aug 28, 2008 at 8:50 AM, Iljitsch van Beijnum
> <iljitsch at muada.com> wrote:
>> Making IPv4 tradable means that our trajectory towards the wall
>> will change
>> in ways that we can't predict.
> We went through this pretty extensively last year. Control of IPv4
> addresses can be legitimately traded now using The Ruse and The
> Container Sale. No one is proposing that we suddenly make IPv4
> tradable; for all practical purposes it already is. One point of a
> liberalized transfer policy is to give ARIN better control over the
> trading process so that the community can avoid the more egregious
> abuses (like heavy disaggregation).
The current policy limits you to:
1. Transferring entire blocks.
2. Tremendous scrutiny and a larger paper trail than what
3. You at least have to claim that you transferred the underlying
physical assets/infrastructure, not just the addresses.
4. Deaggregation is NOT allowed under the current policy.
More information about the ARIN-PPML