On 1/17/13 6:21 PM, "William Herrin" <b...@herrin.us> wrote:
>On Thu, Jan 17, 2013 at 11:01 AM, Lee Howard <l...@asgard.org> wrote:
>> On 1/17/13 9:54 AM, "William Herrin" <b...@herrin.us> wrote:
>>>On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vi...@gmail.com> wrote:
>>>> The people on this list have an influence on how the Internet runs; hope
>>>> somebody smart can figure out how we can avoid going there, because that
>>>> is frustrating and unfun.
>>>
>>>"Free network-based firewall to be installed next month. OPT OUT HERE
>>>if you don't want it."
>>
>> I haven't heard anyone talking about carrier-grade firewalls. To make CGN
>> work a little, you have to enable full-cone NAT, which means as long as
>> you're connected to anything on IPv4, anyone can reach you (and for a
>> timeout period after that). And most CGN wireline deployments will have
>> some kind of bulk port assignment, so the same ports always go to the same
>> users. NAT != security, and if you try to make it, you will lose more
>> customers than I predicted.
>
>Hi Lee,
>
>Then it's a firewall that mildly enhances protection by obstructing
>90% of the port scanning attacks which happen against your computer.
>It's a free country so you're welcome to believe that the presence or
>absence of NAT has no impact on the probability of a given machine
>being compromised. Of course, you're also welcome to join the flat
>earth society. As for me, the causative relationship between the rise
>of the "DSL router" implementing negligible security except NAT and
>the fall of port scanning as a credible attack vector seems blatant
>enough.

CGNs are not identical to home NAT functionality. Home NATs are frequently restricted cone NATs, which is why UPnP or manual port-forwarding are required. CGNs for residential deployments are full cone NATs, so that these problematic applications are less problematic. See http://en.wikipedia.org/wiki/Network_address_translation and draft-donley-nat444-impacts.

>
>
>>>It's not a hard problem. There are yet plenty of IPv4 addresses to go
>>>around for all the people who actually care whether or not they're
>>>behind a NAT.
>>
>> I doubt that very much, and look forward to your analysis supporting that
>> statement.
>
>If you have the data I'll be happy to crunch it but I'm afraid I'll
>have to leave the data collection to someone who is paid to do that
>very exhaustive work.

I don't have any data that might support your assertion, which is why I'm calling you on it.

>
>Nevertheless, I'll be happy to document my assumptions and show you
>where they lead.
>
>I assume that fewer than 1 in 10 eyeballs would find Internet service
>behind a NAT unsatisfactory. Eyeballs are the consumers of content,
>the modem, cable modem, residential DSL customers. Some few of them
>are running game servers, web servers, etc. but 9 in 10 are the email,
>vonage and netflix variety who are basically not impacted by NAT.

Netflix seems to have some funny interactions with some gateways and CGN. [nat444-impacts]
What about p2p?

>
>I assume that 75% or more of the IPv4 addresses which are employed in
>any use (not sitting idle) are employed by eyeball customers. Verizon
>Wireless has - remind me - how many /8's compared to, say, Google?

The same number: 0. I don't know how many addresses VZW has, but I could look it up in Whois if I knew the orgID. How'd you get 75%?

>
>If you count from the explosion of interest in the Internet in 1995 to
>now, it took 18 years to consume all the IPv4 addresses. Call it
>consumption of 1/18th of the address space per year.

You're going with linear growth? See nro.net/statistics.

>Is it more like 1 in 5 customers would cough up
>an extra $5 rather than use a NAT address? The nearest comparable
>would be your ratio of dynamic to static IP assignments. Does your
>data support that being higher than 1 in 10? I'd bet the broad data
>sets don't.

If an ISP is so close to running out of addresses that they need CGN, let's say they have 1 year of addresses remaining. Given how many ports apps use, recommendations are running to 10:1 user:address (but I could well imagine that increasing to 50:1). That means that for every user you NAT, you get 1/10 of an address.

Example: A 10,000-user ISP is growing at 10% annually. They have 1,000 addresses left, so they implement CGN. You say to assume 90% of them can be NATted, so next year, 100 get a unique IPv4 address and the other 900 share 90 addresses. At 190 addresses per year, CGN bought you five years.

I think your 90% is high. If it's 70%, you burn 370 per year.

That doesn't include the increased support costs, or alienated customer cancellations, or any of the stuff I talked about in TCO of CGN.

Lee
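The address-runway arithmetic in the message above, as an added example (not code from the original thread or from either poster): a small Python model that takes the message's own inputs (a 10,000-user ISP growing 10% a year, 1,000 unassigned addresses, 10:1 user:address sharing on the CGN, 90% or 70% of new users NATted) and projects how many full years the spare pool covers. Two modelling choices are assumptions added here, not from the message: subscriber growth is compounded year by year instead of being held flat at the first-year figure, and a partly filled CGN address is counted as consumed, since it cannot be handed to anyone else.

```python
"""CGN runway model: how long a spare pool of IPv4 addresses lasts.

Added example for this thread, not code from the original message. The
parameters come from the worked example in the message above: a 10,000-user
ISP growing 10% a year, 1,000 unassigned addresses, a 10:1 user:address
sharing ratio behind the CGN, and 90% (or 70%) of new users placed behind
it. Assumptions made here: growth is compounded year by year rather than
held flat, and a partly filled CGN address is still counted as consumed.
"""
from dataclasses import dataclass, replace
import math


@dataclass(frozen=True)
class CgnPlan:
    users: int             # current subscriber count
    growth: float          # annual subscriber growth (0.10 = 10%)
    spare_addresses: int   # public IPv4 addresses not yet assigned
    natted_share: float    # fraction of new users placed behind the CGN
    sharing_ratio: int     # users per public address on the CGN (10 = 10:1)


def addresses_needed(new_users: int, natted_share: float, sharing_ratio: int) -> int:
    """Public addresses consumed by one year's cohort of new users.

    Users who keep a unique address take one each. CGN users share one
    address per `sharing_ratio` users; the division is rounded up because
    a partly used public address cannot be given to anyone else.
    """
    natted = round(new_users * natted_share)
    unique = new_users - natted
    return unique + math.ceil(natted / sharing_ratio)


def runway(plan: CgnPlan, horizon: int = 50) -> tuple[int, list[int]]:
    """Return (full years the spare pool covers, addresses consumed per year).

    Each year the subscriber base grows by `plan.growth`, the new cohort's
    address demand is computed, and the loop stops at the first year the
    remaining pool cannot fully cover. `horizon` bounds the simulation.
    """
    users = plan.users
    remaining = plan.spare_addresses
    per_year: list[int] = []
    for year in range(horizon):
        new_users = round(users * plan.growth)
        need = addresses_needed(new_users, plan.natted_share, plan.sharing_ratio)
        per_year.append(need)
        if need > remaining:
            return year, per_year
        remaining -= need
        users += new_users
    return horizon, per_year


def compare_shares(base: CgnPlan, shares=(0.0, 0.7, 0.9)) -> dict[float, int]:
    """Runway in full years for several NAT take-up rates, other inputs fixed."""
    return {s: runway(replace(base, natted_share=s))[0] for s in shares}


if __name__ == "__main__":
    # Inputs from the message: 10,000 users, 10% growth, 1,000 spare addresses,
    # 10:1 sharing, 90% of new users behind the CGN.
    plan = CgnPlan(users=10_000, growth=0.10, spare_addresses=1_000,
                   natted_share=0.9, sharing_ratio=10)
    years, per_year = runway(plan)
    print(f"first-year consumption: {per_year[0]} addresses")
    print(f"full years of runway:   {years} (per year: {per_year})")
    print("runway by NAT take-up:  ", compare_shares(plan))
```

The first-year figures reproduce the message's 190 and 370 addresses exactly; the year-by-year loop then shows what compounding does to the pool, and `compare_shares` gives the sensitivity to the NAT take-up rate that the thread is arguing over (0% NATted reproduces the "1 year of addresses remaining" premise). Changing `sharing_ratio` to 50 shows the effect of the tighter port budget the message mentions.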