[ale] Looking for advise on domain names and other info wrt local network.

Michael B. Trausch mike at trausch.us
Mon Aug 11 00:28:23 EDT 2008 

On Sun, 2008-08-10 at 22:43 -0400, Forsaken wrote:
> And with your point being that the internet was designed to allow a
> large group of machines to communicate with each other.... well,
> you're
> right. And NAT actually enhances that. Because seriously, if NAT
> hadn't been developed, then we would have exhausted the ipv4 space
> years ago (and I'll ignore the benefit of NAT when it comes to
> integrating two networks with the same RFC1918 addressing scheme)

I must have missed the short bus somewhere here.

NAT doesn't enhance communication, it _breaks_ it.  The Internet was
designed for things to be end-to-end.  Protocols that depend on the
end-to-end functionality of the Internet break without some nasty
middleware between the client and server (or two peers) working to
rewrite packets.  That also means that for such protocols, cryptography
cannot be used for the payload, because then the packets can't be
re-written.

IPv6 is designed to last for a long time, and it's expected that it will
have to be replaced, too.  Given that there is 128 bits worth of address
space in there, though, and that is broken down into network names of at
most 64 bits, it's expected to last for a while.  It'll be around for a
very long time if we never leave the planet, since if we had that many
people and that many machines, we'd probably not have the resources to
sustain it all---after all, we don't have the resources to sustain life
indefinitely as it is, with the numbers we have now.

And, I'm totally lost on the benefit of NAT when merging two networks
that are the same non-routable address block.  If I have two networks
that are 10.0.0.0/8 and I am merging them together, there's going to be
a lot of collisions, and likely a lot of renumbering.  IPv6 has
facilities to deal with that so that there doesn't have to be
renumbering at the node level, and all that has to change is the network
number when you merge any two networks together into a single network.
There is the potential for _some_ renumbering of node numbers, but not
nearly as much.  A given node will have a node ID that is related to the
MAC address it carries if the configuration is done by stateless
autoconfiguration.  You can also hand out IPv6 addresses using DHCP or
by using manual configuration, if you really want.  Though, stateless
auto-config is nice and easy, if you need nodes that do not require
names and pull things.  Otherwise, you can use a DHCP+DNS setup (like
you get with the ISC tools).

Also, you've private network addresses already built-in to
IPv6---they're called link-local addresses---but they're not meant for
use on the general Internet, and you have one even if you have a global
address.  They're meant for Intranet-type things.  Want to run services
privately?  Bind them to the link-local address.  Want them to be
public?  Bind them to the global address, if you've got one.  This way,
you can keep things private without NAT.  If you're worried about nodes
on your network exposing services that aren't under the network
operator's control, you can use packet filtering to prevent them from
being connected to from outside sources.

I've used IPv4 for all of my life, and most of the time that I have been
using it, NAT has been around.  I'd like to say that I remember the days
before NAT with absolute clarity, but to be honest, I was a dialup user
then and fairly new to networking.  But, ever since I ran into my first
NAT, I was really unhappy with the way Internet access worked through
it.  I've wanted to see it go away ever since I ran into it, really.
The only thing that NAT is useful for is stretching the address space
beyond its designed limit, and it's served us well in that regard.
However, everything else that it does can be done by a properly
configured packet filtering router, be that a small appliance from
Linksys or a full-blown system running some variant of Unix (well, you
_could_ use Windows, but I don't know why you would if you're concerned
about network security in the first place).

	--- Mike

-- 
My sigfile ran away and is on hiatus.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20080811/a5877d31/attachment.bin

More information about the Ale mailing list