[GTALUG] NAT [was Re: Linux hardening question]
D. Hugh Redelmeier
hugh at mimosa.com
Sun Jul 2 10:29:00 EDT 2017
| From: James Knott via talk <talk at gtalug.org>
| On 07/01/2017 05:38 PM, D. Hugh Redelmeier via talk wrote:
| > For example, Rogers at home (the first broadband service for consumers in my
| > area)
I'm wrong. Rogers Wave was the first in my area (1997 or 1998, I
think). It was rebranded in 2000 to Rogers @ Home.
| These days, I get a /56 prefix from Rogers.
I'm not sure why I don't get IPv6 from Rogers. I intend to look into
that -- probably I've misconfigured something on my gateway (a PC
running CentOS 7; the cable modem is running in bridge mode).
My IPv4 /24 is globally assigned. That's not going to happen with
IPv6.
| > Pretty soon people wanted to run LANs at home BUT they were Microsoft LANs
| > -- not safe in public. So naturally a broadband router-with-NAT made a
| > lot of sense.
|
| Back in those days, Microsoft networks did not use IP. I recall
| reading, while at IBM, what went into making it IP compatible. (I had
| access to a lot of technical info, when I worked at IBM.)
Was that still true in 1997? I thought Windows for Workgroups 3.11
had a TCP/IP stack, and Windows 95 must have (but I didn't use
Windows).
| > NAT actually damages the internet's original design. Nodes are peers, not
| > clients or servers. But only initiators (clients, roughly speaking) can
| > be behind NAT. So many protocols have had to be butchered to survive NAT.
| >
| Yep, you may recall the days when FTP wouldn't work through NAT.
Right. But part of that is that FTP was a very early protocol and was
not designed that well. Even an FTP client can't survive NAT without
the NATting box having special-purpose code to rewrite things inside
the FTP packets.
| However, the address limitation of IPv4 was recognized well over 20
| years ago and led to the development of IPv6. As I mentioned, I first
| heard of it in 1995. You may want to see what Vint Cerf has to say
| about it. He's been regretting 32 bit addresses for many years.
Of course IPv6 is a Good Thing. But change is hard, especially if one
sees no immediate personal benefit.
I think that it is even worse that we don't use DNSSEC. The security
implications of not securing DNS seem enormous.
And while listing currently lost causes, I really wish we'd gotten to
Opportunistic Encryption.
| Incidentally, I first heard about NAT when I saw a dial up NAT router,
| at Computer Fest in 1996.
I miss Computer Fests.
| Also, at IBM, I had 5 static IPv4 addresses, 1 for my computer and 4 for
| testing in my work. I similarly had 5 SNA addresses. Back then, my
| computer's address was 9.29.146.147.
I got my /24 before I had a broadband connection. I think that it was
in the late 1980s when I was pondering what IP addresses to stick on
my 2-node LAN. I didn't want to use an RFC 1918 address (this was
before RFC 1918 or even 1597). So I naively asked for some IPs and got
them. It was many years before they were actually routed from the
internet to my LAN.
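An added illustration of the FTP-through-NAT point made above (this is constructed example code, not part of the thread or of any real NAT implementation; the LAN and public addresses are made up, the public one from the 203.0.113.0/24 documentation range). Active-mode FTP sends a PORT command on the control channel that carries the client's own IP address and a port for the server to connect back to. A client behind NAT announces its RFC 1918 address, which the server cannot reach, so the NAT box needs an application-level gateway (ALG) that parses the PORT command, rewrites the address and port to its public side, and remembers the mapping so the server's inbound data connection can be forwarded to the right LAN host:

```python
import re
import ipaddress

# RFC 1918 private ranges, spelled out explicitly (ipaddress.is_private is
# wider and would also flag the documentation range used below).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_port_command(line):
    """Decode an active-mode FTP PORT command into (ip, port).

    PORT h1,h2,h3,h4,p1,p2 encodes address h1.h2.h3.h4 and port p1*256+p2.
    """
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_port_command(ip, port):
    """Encode (ip, port) as the PORT command an FTP client would send."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Toy NAT application-level gateway for active-mode FTP.

    Rewrites outbound PORT commands from LAN clients to the NAT's public
    address and a public port, and maps inbound data connections back.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # (public_ip, public_port) -> (lan_ip, lan_port)

    def outbound(self, line):
        """Process one control-channel line from LAN to server.

        Returns (line_to_forward, public_endpoint_or_None).
        """
        try:
            lan_ip, lan_port = parse_port_command(line)
        except ValueError:
            return line, None  # not a PORT command: forward unchanged
        if not is_rfc1918(lan_ip):
            return line, None  # client already announced a routable address
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[(self.public_ip, pub_port)] = (lan_ip, lan_port)
        return format_port_command(self.public_ip, pub_port), (self.public_ip, pub_port)

    def inbound_data_connection(self, dst_ip, dst_port):
        """Translate the server's inbound data SYN to the LAN target, or None."""
        return self.mappings.get((dst_ip, dst_port))


# Constructed sample: a LAN client at 192.168.1.20 opening data port 5001
# behind a NAT whose public address is 203.0.113.7 (both made up).
LAN_CLIENT = "192.168.1.20"
NAT_PUBLIC = "203.0.113.7"

if __name__ == "__main__":
    alg = FtpAlg(NAT_PUBLIC)
    original = format_port_command(LAN_CLIENT, 5001)
    print("client sends: ", original.strip())
    print("server would try to connect to:", parse_port_command(original))
    rewritten, endpoint = alg.outbound(original)
    print("ALG forwards: ", rewritten.strip())
    print("inbound SYN to %s:%d goes to" % endpoint,
          alg.inbound_data_connection(*endpoint))
```

Without the rewriting step the server would try to open a data connection to 192.168.1.20:5001, which is not routable from the internet, and the transfer would hang; this is the "special-purpose code to rewrite things inside the FTP packets" referred to above. The same parsing problem is why FTP over TLS defeats such ALGs: the PORT command is then encrypted and the NAT box cannot see it.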