[GTALUG] NAT [was Re: Linux hardening question]

James Knott james.knott at rogers.com
Sun Jul 2 11:03:56 EDT 2017


On 07/02/2017 10:29 AM, D. Hugh Redelmeier via talk wrote:
> | From: James Knott via talk <talk at gtalug.org>
>
> | On 07/01/2017 05:38 PM, D. Hugh Redelmeier via talk wrote:
>
> | > For example, Rogers at home (the first broadband service for consumers in my 
> | > area)
>
> I'm wrong.  Rogers Wave was the first in my area (1997 or 1998, I
> think).  It was rebranded in 2000 to Rogers @ Home.
>
> | These days, I get a /56 prefix from Rogers.
>
> I'm not sure why I don't get IPv6 from Rogers.  I intend to look into
> that -- probably I've misconfigured something on my gateway (a PC
> running CentOS 7; the cable modem is running in bridge mode).

Call Rogers.  IPv6 is available to everyone, but some modems may have to
be replaced.  If you use a separate router, it has to support DHCPv6-PD,
as that's how the prefix is assigned.  I use a refurb computer running
pfSense.

BTW, when I got a new modem, a little over a year ago, it was part of a
bundle that, while providing pretty much the same service, cost me about
$50 less per month.
>
> My IPv4 /24 is globally assigned.  That's not going to happen with
> IPv6.

Actually it does.  I have no problem reaching computers on my LAN when
I'm elsewhere.  With Rogers you can have a /64 to /56 all to yourself
and they are all globally unique and reachable from anywhere in the world.

BTW, with the Rogers modem/routers in router mode, you only get a /64.
With a separate router, you can select any prefix size, between /64
(2^64 addresses) and /56 (2^72).

Also, the Rogers cell network also supports IPv6 and, with the newer
phones, even tethered devices get IPv6 addresses.
>
> | > Pretty soon people wanted to run LANs at home BUT they were Microsoft LANs 
> | > -- not safe in public.  So naturally a broadband router-with-NAT made a 
> | > lot of sense.
> | 
> | Back in those days, Microsoft networks did not use IP.  I recall
> | reading, while at IBM, what went into making it IP compatible. (I had
> | access to a lot of technical info, when I worked at IBM.)
>
> Was that still true in 1997?  I thought by Windows for Workgroups 3.11
> had a TCP/IP stack and Windows 95 must have (but I didn't use
> Windows).

Yes, up to 3.x, TCP/IP was an option, because ol' Billy didn't think the
Internet was going anywhere.  It was standard in W95 and later.
>
> | > NAT actually damages the internet's original design.  Nodes are peers, not 
> | > clients or servers.  But only initiators (clients, roughly speaking) can 
> | > be behind NAT.  So many protocols have had to be butchered to survive NAT.
> | >
> | Yep, you may recall the days when FTP wouldn't work through NAT. 
>
> Right.  But part of that is that FTP was a very early protocol and was
> not designed that well.  Even an FTP client can't survive NAT without
> the NATting box having special-purpose code to rewrite things inside
> the FTP packets.
Passive vs active mode.
>
> | However, the address limitation of IPv4 was recognized well over 20
> | years ago and led to the development of IPv6.  As I mentioned, I first
> | heard of it in 1995.  You may want to see what Vint Cerf has to say
> | about it.  He's been regretting 32 bit addresses for many years.
>
> Of course IPv6 is a Good Thing.  But change is hard, especially if one
> sees no immediate personal benefit.
>
> I think that it is even worse that we don't use DNSSec.  The security
> implications of not securing DNS seem enormous.

As I understand it, that's coming.  In another thread (possibly openSUSE
list) I was discussing SMTP ports.  One person was claiming only port 25
was required, with StartTLS, but due to security concerns, the move to
full TLS & DNSSec is recommended.
>
> And while listing currently lost causes, I really wish we'd gotten to
> Opportunistic Encryption.
>
> | Incidentally, I first heard about NAT when I saw a dial up NAT router,
> | at Computer Fest in 1996.
>
> I miss Computer Fests.
>
> | Also, at IBM, I had 5 static IPv4 addresses, 1 for my computer and 4 for
> | testing in my work.  I similarly had 5 SNA addresses.  Back then, my
> | computer's address was 9.29.146.147.
>
> I got my /24 before I had a broadband connection.  I think that it was
> in the late 1980s when I was pondering what IP addresses to stick on
> my 2-node LAN.  I didn't want to use an RFC 1918 address (this was
> before RFC 1918 or even 1597).  So I naively asked for some IPs and got
> them.  It was many years before they were actually routed from the
> internet to my LAN.
>
Back in the early days, it wasn't hard to get multiple addresses.  It
was later, with the shortage looming, that they got stingy with
addresses.  Back in the dial up days, I originally had a static address,
but one of the reasons for ISPs moving to dynamic addresses was to free
them up, when someone disconnected.  BTW, contrary to popular belief,
DHCP was not used with dial up.  You just got whatever address was
assigned to the port you connected to.  Many years ago, I set up a dial
up "terminal server", on Red Hat, and had to configure the address for
the port to use, along with proxy arp.
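As an added illustration (not part of the original thread), here is a toy stateful NAT in Python that models the point above about initiators: a passive-mode FTP data connection is client-initiated and gets NAT state, an active-mode one arrives unsolicited and is dropped, and only FTP-specific rewriting on the NAT box (the `ftp_alg` flag, a constructed stand-in) makes active mode work. Addresses and ports are constructed documentation values.

```python
"""Toy port-restricted NAT: outbound flows create mappings, inbound packets
pass only when they match one. Constructed example, not real hosts."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # (lan_ip, lan_port, remote_ip, remote_port) -> allocated public port
    out_map: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    in_map: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host initiates a flow; allocate a public port if it is new."""
        key = (lan_ip, lan_port, remote_ip, remote_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, remote_ip, remote_port)] = (lan_ip, lan_port)
            self.next_port += 1
        return (self.public_ip, self.out_map[key])

    def inbound(self, remote_ip, remote_port, public_port):
        """Packet from the internet to our public address; None means dropped."""
        return self.in_map.get((public_port, remote_ip, remote_port))


def ftp_data_connection(nat, client_ip, server_ip, passive, ftp_alg=False):
    """True if the FTP data connection can be set up through the NAT."""
    nat.outbound(client_ip, 50000, server_ip, 21)  # control channel: client-initiated, fine
    if passive:
        # PASV: server names a data port (49152 here); the client initiates,
        # so the NAT creates state just like any other outbound flow.
        return nat.outbound(client_ip, 50001, server_ip, 49152) is not None
    # Active: client sends "PORT 192.168.1.10,50001" and the server connects
    # back from port 20. The private address is unroutable and, even if the
    # SYN reached the public address, no mapping for that port exists.
    if ftp_alg:
        # FTP-aware NAT rewrites PORT to public_ip:public_port and pre-creates
        # the mapping, which is the special-purpose packet rewriting Hugh describes.
        nat.outbound(client_ip, 50001, server_ip, 20)
        public_port = nat.out_map[(client_ip, 50001, server_ip, 20)]
        return nat.inbound(server_ip, 20, public_port) is not None
    return nat.inbound(server_ip, 20, 50001) is not None
```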
