
RE: On supporting NAT, was: Re: MBONE access?

2004-03-04 07:02:53
Sounds like a conspiracy... ISPs charging orders of magnitude more than cost for additional addresses "forcing" people to use NAT.

It's called a monopoly.

There are good reasons why ISPs are encouraging their customers
to use NAT: they provide a weak firewall capability, and that
in turn significantly reduces exposure to being hacked, which
in turn reduces the cost of chasing zombie machines.

The next generation of cable modems my ISP will be installing will
have a NAT box built in.

The NAT war has been over for years, NAT won. The problem is that
the IETF still has not come to terms with that fact.

I don't think anyone has won here, there are just casualties all over 
the place: more work for the IETF and vendors, less functionality for 
the users.

Less functionality is a deliberate, conscious choice on the part of
the IETF. Fixing the problem is utterly trivial.

Think of all the machines in my network as a single machine with a
single IP address. The requests to open and close ports to the outside
world are simply RPC requests (without the RPC syntax).


That should be perfectly doable, in essence we'd be redefining the protocol and port numbers to be part of the address. However, this means these must now also be put in the DNS and in most other places where IP addresses show up. So this adds up to a HUGE amount of new work.

No, the machines do not need to be individually addressable.


Guess what: we already did pretty much the same thing with IPv6. The logical conclusion here is that we can save a lot of time and effort by simply adding IPv6 to the mix, as it is just a hair shy of being ready for full deployment, while all this stuff to make NAT actually work is all over the place.

Simply repeating the claim that IPv6 is the solution to every
issue does not make it so, or advance the deployment of IPv6.
The problem is the intrinsic asymmetry between the value of
an IPv4 and an IPv6 address. An IPv4 address will be visible
to the world; an IPv6 address will only be visible to other
IPv6 addresses.

The main reason IPv6 is nowhere is the refusal to deal with NAT
except by ideological reactions like the above. NAT is the
way to deploy IPv6. 

The consumer's internal network can then be a NAT'd IPv4 net
and the external network can be IPv6.


In the case of H323 the problem is not just NAT, it is the deranged
protocol which uses a block of 3000 odd TCP/IP ports to receive
messages on. There is no way that this is consistent with good
firewall management.

So now you are complaining because after you install a firewall, it 
turns out the thing does its job? 

No, I am complaining about a protocol that is not firewall friendly.

The whole idea that decent security can be had by allowing packets with certain port numbers in them in and not others is fatally flawed,

Your view is not held by the computer security industry. Sure firewalls
are not infallible. But that does not mean that they do not provide a 
valuable service.

One reason everything is migrating to Web Services is that the 
Web Services stack is designed to support a new generation of
firewalls and expose exactly the right data at the perimeter.

What we need is "corporate zone alarm" like functionality, where firewalls get to see which applications (and users) are trying to communicate with the outside world, rather than guess based on the port number in the packet. This would allow some very nice features such as blocking vulnerable versions of applications but allowing patched versions of the same application.

That is not a bad idea. In essence it would mean extending requests
to open incoming AND outgoing ports to the perimeter defense.

"Hey Mr firewall, this is Internet Explorer version 9.2, please
allow me to connect up to port 80 on 23.43.2.2"
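The application-aware policy check sketched in the last two paragraphs, written out as a small Python example. This is added illustration, not code from the thread or from any product it mentions; the policy table, the application names, the version numbers and the request format are all constructed here for the example. The point it shows is that once the firewall is told the application and its version, the decision can hinge on "is this version at or above the patched level" and "is this port one that application should use", instead of on the port number alone. One caveat the example makes visible in a comment: the application identity and version are self-reported, so a real deployment needs a host agent or equivalent to vouch for that claim before the policy is worth anything.

```python
"""Added example: a toy application-aware egress policy, where the
application tells the firewall who it is and what it wants, and the
firewall allows or denies based on app, version and destination port.
All policy data and requests below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.2' or '9.2.1' into a tuple of ints so versions compare sensibly.
    Raises ValueError on anything that is not dotted integers."""
    return tuple(int(part) for part in text.strip().split("."))


def format_version(ver: Version) -> str:
    return ".".join(str(part) for part in ver)


@dataclass(frozen=True)
class AppRule:
    app: str
    min_patched: Version          # versions below this are treated as vulnerable
    allowed_ports: FrozenSet[int]  # destination ports this app is permitted to use


@dataclass(frozen=True)
class ConnectRequest:
    """The 'Hey Mr firewall, this is <app> version <v>, let me reach <host>:<port>'
    message. NOTE: app and version are self-reported by the client; a real
    deployment needs a trusted host agent to attest to them."""
    app: str
    version: str
    dest_host: str
    dest_port: int


# Constructed policy (assumed for this example, not from the thread):
# one rule per application, keyed by the application's reported name.
POLICY: Dict[str, AppRule] = {
    "Internet Explorer": AppRule("Internet Explorer", parse_version("9.2"),
                                 frozenset({80, 443})),
    "H323 Client": AppRule("H323 Client", parse_version("1.0"),
                           frozenset({1720})),
}


def decide(req: ConnectRequest, policy: Dict[str, AppRule] = POLICY) -> Tuple[bool, str]:
    """Evaluate one outbound request. Returns (allow, reason)."""
    rule = policy.get(req.app)
    if rule is None:
        # Default deny: an application the policy has never heard of gets nothing.
        return False, "unknown application"
    try:
        ver = parse_version(req.version)
    except ValueError:
        # A version string we cannot parse is treated as untrusted input.
        return False, "malformed version string"
    if ver < rule.min_patched:
        # Same application, older build: this is the 'block vulnerable,
        # allow patched' behaviour the message asks for.
        return False, (f"vulnerable version {req.version}, "
                       f"require >= {format_version(rule.min_patched)}")
    if req.dest_port not in rule.allowed_ports:
        return False, f"port {req.dest_port} not permitted for {req.app}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample requests; the 23.43.2.2 address is the one quoted in the thread.
    samples = [
        ConnectRequest("Internet Explorer", "9.2", "23.43.2.2", 80),
        ConnectRequest("Internet Explorer", "9.1", "23.43.2.2", 80),
        ConnectRequest("Internet Explorer", "9.2", "23.43.2.2", 25),
        ConnectRequest("Some Other Tool", "1.0", "23.43.2.2", 80),
    ]
    for req in samples:
        allow, reason = decide(req)
        print(f"{req.app} {req.version} -> {req.dest_host}:{req.dest_port}: "
              f"{'ALLOW' if allow else 'DENY'} ({reason})")
```

Versions are compared as tuples, so 9.2.1 satisfies a minimum of 9.2 and 10.0 does too, while 9.1 does not; the policy is default-deny for applications it does not know, which is the posture a perimeter rule set of this kind should start from.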



