[LINK] There goes the neighbourhood...

Karl Auer kauer at biplane.com.au
Wed May 11 21:48:33 AEST 2011


On Wed, 2011-05-11 at 19:58 +1000, Kim Holburn wrote:
> If both the source and destination are private then no amount of
> stuffing is going to help.  Packets need the right addresses.  Putting
> the IP addresses in the data doesn't help anyone.  Routers don't have
> access to the data, only the headers.  I'm not sure why the designers
> of those protocols did that.  It was probably before the widespread
> use of NAT.  Still a lot of P2P protocols get around the problem of
> both parties being behind a NAT.

Kim, forgive me if this is way off the mark, but you are starting to
sound like someone who doesn't actually know what they are talking
about.

Lots of very clever people put IP addresses in payloads; it is not a
sin, and it is a sensible solution to many problems. In networking as in
computing generally, there are many situations where a self-referential
solution is the right solution. Crypto is the poster-child for that, of
course.

NAT, however, breaks such protocols. Many protocols worked that way and
still work that way, and each and every one of them required a different
ALG to be added into every NAT device on the planet. It is not the
protocols that were broken, it was and is NAT that is broken.

The network *should* be transparent by default. Of course people add NAT
and firewalls and load balancers and what have you, but it is *their
problem* to work properly - that is, to either preserve or to accurately
fake network transparency. NAT does neither (unless you count port
forwarding).

As to P2P protocols getting around NAT - well, yes. That's the problem.
Instead of being literally peer-to-peer, these protocols must jump
through all sorts of complicated hoops. If they did not have to do that,
they would be simpler, faster and more reliable (and that's just the
beginning).

> But will present a lot of people with other problems - like it will
> break the old internet adage: "On the internet nobody knows you're a
> dog."  NAT isn't all bad.

Actually NAT *is* pretty much all bad. Not sure what you mean about
dogs. NAT has one saving grace[1] - it multiplexes few addresses into
many. That need was dire in IPv4; that need will disappear with IPv6.
The fates willing, NAT will disappear too.

> > OK, they could have embedded DNS names instead of IP addresses
> 
> No they couldn't have, that just adds a DNS lookup to the mix.  If you
> can make a connection you only need the IP addresses in the headers.
> If you can't make a connection it doesn't matter. 

You miss the point in your first sentence, but even if you hadn't, the
DNS idea would still be bad :-)

But to make a connection - at least, an inbound connection through NAT -
you need MORE than the IP addresses in the headers.

Regards, K.

[1] Please don't trot out "NAT is security". We had that discussion in
excruciating detail on Link last year. I'm sure you can find it in the
archives.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
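The point about payload-embedded addresses and ALGs, as an added example that is not part of the original post or of any real NAT implementation: a small simulation of a source NAPT that rewrites only IP/port headers, with an FTP-style active-mode PORT command as the payload that carries the client's address. The addresses (10.0.0.5 behind the NAT, 203.0.113.1 as the NAT's public side, 198.51.100.7 as the server) and all class and function names are constructed for the example. Without an ALG, the private address survives in the payload and the server's connect-back has nowhere routable to go; with a PORT-aware ALG the NAT patches the payload and pre-creates the inbound mapping.

```python
"""Why a header-only NAT breaks protocols that carry addresses in the payload.

Constructed example, not code from the thread or any real NAT: a simplified
FTP active-mode PORT exchange. Addresses are documentation ranges chosen
for the example; class/function names are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

CLIENT, PUBLIC, SERVER = "10.0.0.5", "203.0.113.1", "198.51.100.7"  # constructed
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


def is_rfc1918(ip: str) -> bool:
    """True for private addresses that are not routable on the Internet."""
    return any(ip_address(ip) in net for net in RFC1918)


def parse_port_command(payload: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), or None if not a PORT."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) in the FTP PORT wire format."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class NAT:
    """Source NAPT that rewrites headers only, unless an ALG is plugged in."""

    def __init__(self, public_ip: str, alg=None):
        self.public_ip = public_ip
        self.alg = alg
        self.next_port = 40000
        self.out_map = {}  # (private ip, private port) -> public port
        self.in_map = {}   # public port -> (private ip, private port)

    def map_port(self, priv_ip: str, priv_port: int) -> int:
        key = (priv_ip, priv_port)
        if key not in self.out_map:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[pub] = key
        return self.out_map[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Translate the header; touch the payload only if an ALG exists."""
        pub_port = self.map_port(pkt.src, pkt.sport)
        payload = self.alg(self, pkt) if self.alg else pkt.payload
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, payload)

    def inbound(self, pkt: Packet):
        """Deliver inbound traffic only where a mapping already exists."""
        target = self.in_map.get(pkt.dport)
        if pkt.dst != self.public_ip or target is None:
            return None
        return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.payload)


def ftp_port_alg(nat: NAT, pkt: Packet) -> str:
    """ALG: rewrite the announced address and pre-open the data port."""
    parsed = parse_port_command(pkt.payload)
    if parsed is None:
        return pkt.payload
    priv_ip, priv_port = parsed
    return format_port_command(nat.public_ip, nat.map_port(priv_ip, priv_port))


def server_connect_back(nat: NAT, announced) -> str:
    """The server dials whatever address the PORT command announced."""
    ip, port = announced
    if is_rfc1918(ip):
        return "unreachable"  # private address: no route from the Internet
    delivered = nat.inbound(Packet(SERVER, 20, ip, port, "SYN"))
    return "connected" if delivered else "refused"


def simulate(use_alg: bool) -> str:
    """Run one PORT exchange through the NAT and report the server's outcome."""
    nat = NAT(PUBLIC, alg=ftp_port_alg if use_alg else None)
    cmd = Packet(CLIENT, 51000, SERVER, 21, format_port_command(CLIENT, 51001))
    on_wire = nat.outbound(cmd)
    return server_connect_back(nat, parse_port_command(on_wire.payload))


if __name__ == "__main__":
    print("plain NAT:", simulate(False))  # unreachable
    print("NAT + ALG:", simulate(True))   # connected
```

Each protocol that embeds addresses needs its own ALG like `ftp_port_alg`, which is the per-protocol burden the post describes; the headers-only path in `NAT.outbound` is all a generic NAT can do, because it does not understand the payload.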