Re: Why people by NATs
Iljitsch van Beijnum <iljitsch@muada.com> Sun, 28 November 2004 17:39 UTC
In-Reply-To: <27AD6878-3CF5-11D9-B15D-000D93AFB5EC@ohiou.edu>
Message-Id: <150EC790-4163-11D9-B165-000A95CD987A@muada.com>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sun, 28 Nov 2004 18:29:39 +0100
To: Hans Kruse <kruse@ohiou.edu>
Cc: ietf@ietf.org
Subject: Re: Why people by NATs
I'm sorry to reply so long after the fact, but...

On 23-nov-04, at 3:12, Hans Kruse wrote:

> However, most SOHO sites look for a zero-order level of protection
> against the random worm trying to connect to an open TCP port on the
> average windows machine (especially one set up for file/print sharing
> on the SOHO network), and NAT does that just fine.

> IPv6 marketing has to take this into account, with a deliberate "here
> is why the IPv6 gateway provides the same default protection as
> NAT..." FAQ entry.

Actually in IPv6 you are well-protected against random scanning without the need for any device in the middle: a /64 subnet is so large that scanning it is completely infeasible. Now of course someone who knows your address doesn't have to scan, so this protection isn't complete.

But for TCP it's entirely trivial to only allow sessions to be set up in one direction. Full stateful firewalling is of course also possible. However, both these options bring back some of the downsides of NAT: in order to make incoming sessions possible, there must be configuration of some sort.

A default filter that rejects packets for services that are generally intended for local use only would probably be good enough for a residential IPv6 router. Other services are either not enabled and/or firewalled in the host anyway, or the user actually wants them to work. (It would be incredibly helpful to have all these local-use services in a fixed range of port numbers for easy filtering...)
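The two protections the post describes, as an added illustration that is not part of the original message: the cost of sweeping a full /64, and a filter that only lets TCP sessions be set up from the LAN side while rejecting inbound packets for a few local-use services. The port set and the sample packets are constructed for the example; the class and function names are hypothetical.

```python
# Added example (not from the mailing-list post). Models a residential
# IPv6 router that (1) relies on the size of a /64 against random
# scanning and (2) allows TCP sessions to be opened only from the inside,
# with a default reject for "local-use" services. Constructed values.
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600


def years_to_scan_64(probes_per_second: float) -> float:
    """Years needed to probe every address in one /64 at the given rate."""
    return 2 ** 64 / probes_per_second / SECONDS_PER_YEAR


# Constructed list of services a default filter rejects from the Internet
# (NetBIOS/SMB file and print sharing, as the quoted post mentions).
LOCAL_USE_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    inbound: bool  # True if the packet arrives from the Internet side


class OneWayTcpFilter:
    """Allow TCP sessions only when initiated from the LAN side."""

    def __init__(self) -> None:
        # Flows opened from inside: (lan_addr, lan_port, remote_addr, remote_port)
        self.flows: set = set()

    def decide(self, p: Pkt) -> str:
        if not p.inbound:
            if p.syn and not p.ack:  # LAN host opening a new session
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if p.dport in LOCAL_USE_PORTS:  # default reject for local-use services
            return "reject-local-use"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:  # reply to LAN flow
            return "allow"
        if p.syn and not p.ack:  # unsolicited connection attempt from outside
            return "drop-new-inbound"
        return "drop-no-flow"
```

At one billion probes per second a single /64 takes on the order of 580 years to sweep, which is the arithmetic behind the post's "completely infeasible".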