[159666] in North American Network Operators' Group
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
daemon@ATHENA.MIT.EDU (Lee Howard)
Thu Jan 17 11:03:46 2013
Date: Thu, 17 Jan 2013 11:01:10 -0500
From: Lee Howard <Lee@asgard.org>
To: William Herrin <bill@herrin.us>, "." <oscar.vives@gmail.com>
In-Reply-To: <CAP-guGUvFZLFzv49s8n9CTqZd_LMwR3Zhs0LhRWZ7J8H0=rx1Q@mail.gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
On 1/17/13 9:54 AM, "William Herrin" <bill@herrin.us> wrote:
>On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vives@gmail.com> wrote:
>> The people on this list have an influence in how the Internet runs, hope
>> somebody smart can figure how we can avoid going there, because there
>> is frustrating and unfun.
>
>"Free network-based firewall to be installed next month. OPT OUT HERE
>if you don't want it."

I haven't heard anyone talking about carrier-grade firewalls. To make CGN
work a little, you have to enable full-cone NAT, which means as long as
you're connected to anything on IPv4, anyone can reach you (and for a
timeout period after that). And most CGN wireline deployments will have
some kind of bulk port assignment, so the same ports always go to the same
users. NAT != security, and if you try to make it, you will lose more
customers than I predicted.

>
>It's not a hard problem. There are yet plenty of IPv4 addresses to go
>around for all the people who actually care whether or not they're
>behind a NAT.

I doubt that very much, and look forward to your analysis supporting that
statement.

Lee

>
>Regards,
>Bill Herrin
>
>
>--
>William D. Herrin ................ herrin@dirtside.com bill@herrin.us
>3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>Falls Church, VA 22042-3004
>
>
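
Added example, not part of the original message or of any vendor's code: a toy Python model of the two CGN properties described in the reply above, full-cone (endpoint-independent) filtering with an idle timeout and bulk port assignment, next to a stricter filter for comparison. The block size, port range, timeout, class and method names, and the sample addresses are all assumptions made for illustration.

```python
# Toy CGN model (constructed for illustration; all constants are assumed).
from dataclasses import dataclass, field

BLOCK_SIZE = 1024   # assumed ports per subscriber
FIRST_PORT = 1024   # assumed start of the shared external port range
TIMEOUT = 120       # assumed mapping idle timeout, in seconds

@dataclass
class Mapping:
    inside: tuple                              # (private IP, private port)
    last_seen: float                           # time of last outbound packet
    peers: set = field(default_factory=set)    # remotes this flow contacted

class CGN:
    def __init__(self, subscribers, full_cone):
        # Bulk assignment: subscriber i always owns the same port block.
        self.block = {ip: FIRST_PORT + i * BLOCK_SIZE
                      for i, ip in enumerate(subscribers)}
        self.full_cone = full_cone
        self.by_ext = {}      # external port -> Mapping
        self.by_inside = {}   # (private IP, private port) -> external port

    def outbound(self, src_ip, src_port, dst, now):
        key = (src_ip, src_port)
        ext = self.by_inside.get(key)
        if ext is None:
            base = self.block[src_ip]
            ext = next(p for p in range(base, base + BLOCK_SIZE)
                       if p not in self.by_ext)
            self.by_inside[key] = ext
            self.by_ext[ext] = Mapping(key, now)
        m = self.by_ext[ext]
        m.last_seen = now
        m.peers.add(dst)
        return ext

    def inbound(self, ext_port, src, now):
        m = self.by_ext.get(ext_port)
        if m is None or now - m.last_seen > TIMEOUT:
            return None                        # no live mapping: dropped
        # Full cone: any source is forwarded while the mapping is alive.
        if self.full_cone or src in m.peers:
            return m.inside
        return None

    def owner_of(self, ext_port):
        # With fixed blocks, an external port identifies the subscriber.
        for ip, base in self.block.items():
            if base <= ext_port < base + BLOCK_SIZE:
                return ip
        return None
```

With `full_cone=True`, `inbound()` forwards a packet from a source the subscriber never contacted until the timeout passes; with `full_cone=False` the same packet is dropped.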