On 4-Mar-04, at 2:44, Hallam-Baker, Phillip wrote:
> In case you had not noticed there are now tens of millions of NAT
> devices in use. End users are not going to pay $10 per month for
> an extra IP address when they can connect unlimited numbers of
> devices to the net using a $40 NAT box.
Sounds like a conspiracy... ISPs charging orders of magnitude more than
cost for additional addresses "forcing" people to use NAT.
> The NAT war has been over for years, NAT won. The problem is that
> the IETF still has not come to terms with that fact.
I don't think anyone has won here, there are just casualties all over
the place: more work for the IETF and vendors, less functionality for
the users.
> The Internet was designed to be a network of networks. The core
> architecture is NOT end-to-end, that is a political shibboleth that
> has been imposed later.
Suppose for the sake of argument that the above is a valid position,
and that we would actually want to make NAT work. What we need to do
then is extend it such that it becomes possible to address hosts behind
a NAT from the public internet. That should be perfectly doable, in
essence we'd be redefining the protocol and port numbers to be part of
the address. However, this means these must now also be put in the DNS
and in most other places where IP addresses show up. So this adds up to
a HUGE amount of new work.
Guess what: we already did pretty much the same thing with IPv6. The
logical conclusion here is that we can save a lot of time and effort by
simply adding IPv6 to the mix, as it is just a hair shy of being ready
for full deployment, while all this stuff to make NAT actually work is
all over the place.
> In the case of H323 the problem is not just NAT, it is the deranged
> protocol which uses a block of 3000-odd TCP/IP ports to receive
> messages on. There is no way that this is consistent with good
> firewall management.
So now you are complaining because after you install a firewall, it
turns out the thing does its job? The whole idea that decent security
can be had by allowing packets with certain port numbers in them in and
not others is fatally flawed, as it just makes for an arms race between
firewall vendors that inspect deeper and deeper into packets and
firewall bypass utilities that tunnel the real protocol through more
and more layers of accepted protocols.
What we need is "corporate zone alarm" like functionality, where
firewalls get to see which applications (and users) are trying to
communicate with the outside world, rather than guess based on the port
number in the packet. This would allow some very nice features such as
blocking vulnerable versions of applications but allowing patched
versions of the same application.
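The contrast drawn in the message above, a firewall that only sees protocol and port numbers versus one that is told which application (and user) opened the socket, as an added Python illustration that is not part of the original thread. The host-agent flow records, application names, version numbers and policy tables are all constructed for the example; the "agent" feeding the firewall is assumed to exist and is not a real product.

```python
# Added illustration: port-based vs application-aware egress filtering.
# Not code from the original thread; the flow records, application names,
# version numbers and policy tables below are all constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as a (hypothetical) host agent would
    report it: the user, the program, its version, and the destination socket."""
    user: str
    app: str
    version: str
    protocol: str
    dst_port: int


def parse_version(text: str, width: int = 3) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2), padding short versions with zeros so
    '1.4' compares as (1, 4, 0).  Tuples compare numerically, so 1.10 > 1.9,
    which a plain string comparison would get wrong."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (width - len(parts))


# --- Port-based policy: all a header-inspecting firewall can act on --------
ALLOWED_PORTS = {("tcp", 80), ("tcp", 443)}


def port_policy(flow: Flow) -> bool:
    """Permit the flow if its protocol/port pair is on the allow list.
    The firewall has no idea which program or user is behind the packet."""
    return (flow.protocol, flow.dst_port) in ALLOWED_PORTS


# --- Application-aware policy: what an agent-fed firewall can act on -------
# Lowest version considered patched, per application (constructed values).
MIN_PATCHED: Dict[str, str] = {"browser": "2.0.0", "voip-client": "1.4.2"}
BLOCKED_APPS = {"tunneler"}


def app_policy(flow: Flow) -> Optional[str]:
    """Return None when the flow is allowed, otherwise a short deny reason.
    Unknown applications are denied by default (least privilege)."""
    if flow.app in BLOCKED_APPS:
        return "blocked application"
    minimum = MIN_PATCHED.get(flow.app)
    if minimum is None:
        return "unknown application"
    if parse_version(flow.version) < parse_version(minimum):
        return f"vulnerable version {flow.version} < {minimum}"
    return None


# Constructed flow records, as a host agent might report them.
FLOWS: List[Flow] = [
    Flow("alice", "browser", "2.1.0", "tcp", 443),      # patched, normal port
    Flow("alice", "browser", "1.9.0", "tcp", 443),      # vulnerable, normal port
    Flow("bob", "tunneler", "0.3", "tcp", 443),         # tunnelling over 443
    Flow("carol", "voip-client", "1.10.0", "tcp", 5060),  # patched, odd port
    Flow("carol", "voip-client", "1.4", "tcp", 443),    # 1.4.0 < 1.4.2
]


def compare(flows: List[Flow]) -> List[Tuple[str, str, int, str, str]]:
    """Evaluate both policies side by side.
    Returns rows of (app, version, dst_port, port verdict, app verdict)."""
    rows = []
    for f in flows:
        port_verdict = "allow" if port_policy(f) else "deny"
        reason = app_policy(f)
        app_verdict = "allow" if reason is None else f"deny: {reason}"
        rows.append((f.app, f.version, f.dst_port, port_verdict, app_verdict))
    return rows


if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
```

The port-based policy waves through the vulnerable browser and the tunnelling tool because both use port 443, and rejects the patched VoIP client because it uses a port that is not on the list; the application-aware policy gets all four right, and the version comparison is done on integer tuples so that 1.10 is correctly treated as newer than 1.9.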