
RE: Stupid NAT tricks and how to stop them.

2006-04-05 16:55:52
John Calcote wrote:
I'll just jump in here for a second and mention also that vendors
offer what they have to, not what they can. They want to provide
the most "bang for the buck", so to speak. These companies don't
offer the multiple-static-ip-address option today because most
ISP's don't offer it to home users and home (SOHO) users represent
the target market. That said, they *would* offer these features
if SOHO users were constantly frustrated about the fact that they
can't make use of the multiple static addresses that their ISP
provides them because of limitations in their router equipment...

Exactly. As I said many times: vendors sell what the market wants to
buy, and IETFers do not make the market.


John,

John C Klensin wrote:
"spreading disinformation" is a rather strong claim; not
one I would choose to make without actually examining the
devices and their manuals, not just the marketing
descriptions you cite below.

I have personally configured non-NAT on at least a dozen of these
boxes.

At least part of the problem are some constraints that,
as a simplification, I didn't mention.

I can see that now, but your original text said nothing.


The two most recent ISPs I've dealt with personally, and two
more I've dealt with on behalf of friends I was trying to set
up, all insist on owning control of the front-end CPE
"modem"/ "router" equipment. They do not permit (by Ts&Cs,
password control, etc.) the customer to reconfigure that
equipment to, e.g., operate it in bridge mode.

Common issue, then ask the ISP to reconfigure it in bridge mode
themselves. If the contract says you get public IPs, this means these IPs
are available for your hosts, not for their router. I never had an ISP
refuse to do this; it's quite easy at the time of installation to call the
sales droid and tell it that if they don't configure their stuff to
deliver your public addresses on the LAN side they can stick it. Sales
droid wants his commission, sales droid talks to the techs.

Other method: spend $20 on eBay for a DSL "modem/router" that you have
control of. It is not illegal to swap their modem for yours, and if you
ever have to call their support (you know, the guys that ask for 1/2
hour if the power is on and if the lights are green) just plug their
modem back in for the duration of the troubleshooting and then put yours
back when done. For this very reason I kept the Alcatel aDSL modem that
PacBell sold me 7 years ago although I have used at least 4 different ones.

FYI, in the latest AT&T (formerly SBC, formerly Pacific Bell) aDSL
self-install kits that they ship, the password to admin the NAT box is
on a sticker underneath the box. Before, techies still knew that it was
the MAC address or the serial number of the box. They actually want you
to try to configure the box, mess it up, and send you a tech and bill
$200 to fix it. Also, they were tired of people clogging their support
to ask how to make this or that work. New method: if it does not work,
see your software vendor.
ISPs that survive and grow provide what their customers ask for, and
admin access to the CPE device to open ports is one of these demands.


The number of static addresses available or in use is
quite small, typically a /28 or even a /29.

In my experience, /29 is good enough for a typical home and /28 for a
typical small office. If you need more you fall into the medium business
category and allegedly have the $$$ that go with it.


Finally, I need a device with the ability
to specify port priorities

Your requirements are way over the typical user. If you have
requirements that represent 1% of the demand, you will not be able to
use the canned solution that fits the masses. Possibly not because of
technical reasons but for business reasons: vendors might think that if
you have such requirements you have the money to pay for them (which is
partially justified by higher support costs). If you don't find what you
need in el-cheapo mass-produced consumer stuff it's not because vendors
are trying to screw you but because your business does not represent
enough money for them to take action.


and to supply some firewall capability.

There is no cheap firewall solution unless you call "firewall" what
comes with a $20 NAT box.


In the case of the Linksys device, the documentation is
fairly clear that the address space on the WAN-side
needed to be disjoint from the address space on the LAN-side.

This is the case also for many others, even "high-end" ones such as the
Cisco PIX firewall (last time I checked). Your requirements are
different from the masses', so you have to use the box that fits your
requirements. The fact that very few firewalls support bridging is
simply due to the lack of demand.


A solution to this is that either the ISP-supplied CPE
or the internal router device operate in bridge mode.

Indeed and I do acknowledge that many firewalls do not, which I found
myself to be a pain. But you still have two avenues:

1. A router/firewall that bridges. Besides the SonicWalls, the D-Link
DFL-600 has a non-NAT DMZ capability; I think that the Netgear FVX538
and the Trendnet TW100-BRV304 do the same but have never used them.

2. A CPE device that bridges and has good enough firewall capabilities.
There are many you could also use, pick the one that fits. Also, (for
aDSL) consider a Cisco 857 (less than $300). Never configured one
without NAT, but the IOS subset is decent.


It is that "bridge" mode that is critical. As I indicated
above, neither the Linksys nor the Netgear devices provide
it.

Because they are not CPE devices. What's the purpose of a NAT box if you
don't use NAT?


running the ISP's interface device in bridge mode,
which many (although perhaps not all) ISPs prohibit

You're not talking to the right person at your ISP. Or you need to
switch ISPs.
 

Iljitsch van Beijnum wrote:
This sounds a lot like "NAT doesn't really break anything".

For 95% of the users, and for users that are behind a firewall, especially
a stateful one, where things might be broken before they reach NAT
anyway.


If I pretend I'm a regular user for a minute, I can tell
you this is not the case. When I used NAT for my Powerbook

Powerbook: 2% of the market. You are not what I call a regular user.
Vendors are not going to double the dev and support cost of a $25 NAT
box to support everything man ever invented. Macs just don't have enough
of a market share to be on the radar of the el-cheapo NAT box.


Given the market place realities the IETF should be careful to
make its protocols interoperate with NAT whenever possible, but
don't think for a minute that adding NAT workarounds solves the
problem completely.

I don't.


Here in the Netherlands ISPs generally give out a single real IP
address to their customers, but most customers use a DSL or
cable modem with NAT or an additional NAT router or wireless base
station so they can connect more than one computer. Despite some
individual reports to the contrary, I believe the same is true for
most IP users.

So do I. At least in Europe and North America.


However, some ISPs already perform NAT for their customers in
their network, and that's only going to increase as IPv4 addresses
become more scarce and eventually run out completely.

In some countries.


At that point, many people will be behind two layers of NAT.

Predictable. Works to check email and surf the web; more difficult to
host services.

Also, reserving ports will be very hard because many systems
share one real IP address. Maybe it's just me, but I don't see
the IETF or anyone else for that matter coming up with something
that allows communication between two people who are both behind
two layers of NAT with any modicum of reliability.

Matter of money once again: pay 5 bucks a month to have your public IP,
or pay nothing to have 16 ports forwarded to your private IP behind NAT.
When configuring apps you just have to use these 16 ports instead of
picking randomly in the high range. It's an el-cheapo crap solution but
would still deliver enough for 95% of the demand. Frankly, half of my
relatives would not need more than this.


So in addition to supporting NAT where reasonably possible, the
IETF should also continue to plan for a future where there is
enough address space to make NAT unnecessary. However, universal
reachability isn't coming back even if NAT is out of the picture
because people love to run firewalls that break way more stuff
than intended.

Which is partly why there are few non-NAT firewalls, as the firewall
already breaks mostly the same things NAT does, which makes NAT a lot
less inconvenient than it would be alone. No market, as people who can
deal with a firewall can likely deal with NAT at the same time.

Michel.
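The "pay nothing to have 16 ports forwarded" scheme from the message above, modeled as an added example (not code from the thread or from any vendor named in it): one shared public IPv4 address is sliced into 16-port blocks, a subscriber can only reserve port forwards inside its own block, and inbound packets to any other port are dropped at the ISP's NAT. The port numbers, the class and method names, and the A+P-style rule that outbound flows consume ports from the same block are my assumptions, not something the message states.

```python
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # the "16 ports" per subscriber from the message

@dataclass
class Subscriber:
    name: str
    block_index: int  # which 16-port slice of the shared public IP this subscriber owns
    forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    outbound: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port, dst)

class CarrierNat:
    """ISP-side NAT: one public IPv4 address shared by many subscribers, sliced into blocks."""

    def __init__(self, public_ip, base_port=10000):
        self.public_ip = public_ip
        self.base_port = base_port  # constructed: first port of block 0
        self.subscribers = {}  # block_index -> Subscriber

    def add(self, sub):
        self.subscribers[sub.block_index] = sub

    def block(self, sub):
        lo = self.base_port + sub.block_index * BLOCK_SIZE
        return range(lo, lo + BLOCK_SIZE)

    def reserve_forward(self, sub, public_port, lan_ip, lan_port):
        """Port forward the subscriber configures; only a free port in its own block is valid."""
        in_use = public_port in sub.forwards or public_port in sub.outbound
        if public_port not in self.block(sub) or in_use:
            return False  # e.g. an app that "picked randomly in the high range"
        sub.forwards[public_port] = (lan_ip, lan_port)
        return True

    def inbound(self, dst_port):
        """Packet to public_ip:dst_port -> (subscriber, lan_ip, lan_port), or None if dropped."""
        sub = self.subscribers.get((dst_port - self.base_port) // BLOCK_SIZE)
        if sub is None or dst_port not in self.block(sub):
            return None  # no subscriber owns that port
        target = sub.forwards.get(dst_port)
        return (sub.name, *target) if target else None  # unreserved port: dropped

    def outbound(self, sub, lan_ip, lan_port, dst):
        """New outbound flow takes a free port from the block; returns None when exhausted."""
        # Assumption (A+P style): dynamic mappings share the block with reserved forwards.
        for port in self.block(sub):
            if port not in sub.forwards and port not in sub.outbound:
                sub.outbound[port] = (lan_ip, lan_port, dst)
                return port
        return None
```

Each reserved forward is one fewer port for concurrent outbound flows, which is the hidden cost of the 16-port deal.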


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf