Owen DeLong owen at delong.com
Wed May 18 20:11:02 EDT 2011

On May 17, 2011, at 8:10 AM, Chris Engel wrote:

>>> Even though I enjoy healthy debate as much as anyone, I'm not sure what
>>> the point or relevance of this thread is?  Some participants here view
>>> universal end-to-end connectivity as an important goal and as such NAT
>>> being significantly harmful to the internet. Others of us believe that goal is
>>> not particularly desirable and possibly even harmful to the interests of a
>>> portion of the community....and thus NAT has significant utility that
>>> outweighs any potential harm.
>> The latter view presupposes an incorrect perception of both end-to-end and
>> the capabilities of NAT.
>> If you have good firewalls, there is no harm in leaving the packet header
>> unmangled.
>> The harm from NAT is huge and the utility of NAT is demonstrably small
>> unless you are trying to conserve addresses.
>> The value of conserving addresses in IPv6 is demonstrably small, therefore, I
>> find it very unlikely that the utility of NAT could possibly outweigh the
>> harm it is known to cause.
> In YOUR opinion. When a burning bush proclaims you infallible master of all technology, maybe that'll carry a little more weight. Until that happens, I'll simply maintain what common sense and my own experience tells me... that you are WRONG. Thanks.

Which part are you claiming is wrong?

You feel there is great value in conserving addresses in IPv6?

What utility does NAT offer other than conserving addresses that cannot be
better accomplished by other technologies if you don't lack addresses?

	Security: Provably false. NAT does not improve security, stateful
		inspection provides security.

	Obfuscation of host addresses: If you believe this is a benefit,
		privacy addresses can provide it. Arguably this is more
		harm than benefit in most cases.

	Multihoming: Easily accomplished with PI and BGP and much cleaner
		and more effective. (do-able with a very low-end router, too).

Do you have some other utility for NAT not listed above?

If not, then, I think perhaps this is more than just my opinion.

>>> Much like politics or religion, I don't believe either side will be effective in
>>> changing the others' beliefs no matter how much verbiage is expended in the
>>> effort. That seems evident by the number of times this particular discussion
>>> has taken place on this list.  Is it possible to simply agree to disagree on the
>>> utility/harm of NAT and set aside that portion of the discussion?
>> Not really. NAT is a toxic-polluter issue and those in favor of it are rarely its
>> victims. That would be sort of like asking the residents of Bhopal to agree to
>> disagree with Union Carbide about the utility/harm of irresponsible
>> chemical processing.
> I would argue that the sort of peer-to-peer applications that you guys are pushing tend to be far more "toxic polluters" of the net than NAT.  However, one man's garbage is another man's treasure and I'm open-minded enough not to try to argue that every single peer-to-peer operator be shut down, even if I think 90% of them are pushing dreck. The only difference is that no packets which NAT would cause a problem with happen to leave my network. While most of the peer-to-peer application developers seem to spend considerable effort in circumventing other Network Operators' purposefully crafted filtering policies.... things like running over ports used by other well known protocols and even encapsulating their traffic in other protocols in an attempt to sneak by filtering rules.

Actually, NAT does create problems that stretch far beyond your network:

	+	Increased application costs
			Developers have to spend time and resources developing
			workarounds for your damage to the network.

			Code complexity increases the probability (and occurrence)
			of bugs.

	+	Decreased innovation
			Developers have to develop to the lowest common denominator
			meaning that innovations that could occur in the absence of NAT
			are stymied by its presence.

	+	Increased abuse
			The obfuscation provided by NAT makes it harder to identify
			particular abusers and resolve such issues.

	+	Increased troubleshooting costs
			Debugging things across a NAT is just harder than without
			it. Especially if you don't control the NAT or have access to
			the state tables.


None of the above are opinion. They're all demonstrable facts. It's not
about open mindedness or one person's opinion of dreck vs. treasure.
The toxic polluter model doesn't refer to the quality of stuff, it refers to
the fact that you take an action on your network which has negative
consequences and costs borne by others elsewhere on the internet,
just as dumping toxic waste into the river has consequences and
costs borne by those downstream, and not by the person dumping
the waste into the river.

>>> Can we simply agree that at this particular point in time IPv4 address space
>>> continues to have some value/use to a significant portion of the internet
>>> community?
>> I don't think that is in dispute.
>>> If we can generally agree on that proposition, then it seems clear that ARIN
>>> still has some responsibility for setting policies in regard to assignment of that
>>> space. The question of whether the rest of the world's population of
>>> humans, llamas or house flies will be able to access the internet through
>>> IPv4 strikes me as entirely tangential to that point.
>> It is tangential to that point, but, it becomes quite meaningful to the
>> discussion of what those policies should be.
>> Since this thread has covered both the fact that ARIN should continue to set
>> policies (which some seem to take as opinion rather than fact) as well as
>> several aspects of what those policies should be, I don't think you can
>> discard content of the thread just because it is not relevant to one of the
>> topics in the thread.
> Ok I'll bite. What specifically are the addressing policy implications of the assertion (IF we accept it to be true) that the entire world's population can't/shouldn't be put on the internet with IPv4?

1.	That we should not develop more aggressive policies trying to force
	more people to NAT.

2.	That there may be implications to how we consider policies aimed at
	allowing what NAT is required in the least harmful way possible.

I'm sure there may be other implications, but, it would depend on the
context of a specific policy proposal.

> Other than there needs to be addressing policies set for IPv6 and such space should be reasonably available to those who need it? Neither of which seem to be in contention here?

We have seen people claiming that providers should be forced to free
up space for NAT pools by NATing more of their customers. I don't see that
as an overall win for the community, but, it's one example of a policy
implication around NAT.

>>> FWIW, my particular hope is that IPv6 sees a steady increase in adoption so
>>> that people who do value publicly addressable space can get it, IF they
>>> want it....and that NAT & IPv4 (and maybe even NAT66) continue to be
>>> available to those of us who prefer it as an option. The world is a diverse
>>> place, I don't see why the internet should not reflect that diversity in being
>>> able to cater to a varied and sometimes conflicting set of interests. Yes, that
>>> adds to the complexity of the system from an engineering standpoint....but
>>> so does manufacturing more than one size of shoe.
>> Because ISVs won't reflect that diversity and they will limit application
>> features to the lowest common denominator. I don't want to see the internet
>> hobbled by NAT any longer than it already has been.
> If you have a problem with the type of services that are being provided by service providers, you have two options...
> 1) Start up your own service and offer the kind of services that you think should be offered. If you are not off-target, you'll get plenty of customers.
> 2) Find a vendor willing to provide the type of services you want to see and give them your business. Then promote them. If enough people agree with your preference of services, they'll be successful and those sort of services will become more commonly available.
> Don't try to promote your own preferences by limiting those of others.

I'm not trying to limit your choices. If you want to damage your network, you're free
to do so. However, that doesn't mean I can't call what you do broken since it does
actually break the internet in ways that actually reach beyond the border of your


