[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


----- Original Message -----
> From: "Matthew Palmer" <mpalmer at hezmatt.org>
> You're thinking too small -- it's not that individual TCP connections
> have
> problems, it's that the ability to solve a given problem using
> connections
> and UDP packets is badly constrained by a lack of end-to-end
> connectivity.
> The proof is fairly obvious in the number of hacks that have been
> deployed
> to try and get around NAT's inadequacies: Skype supernodes, STUN, all
> the
> various conntrack helpers in netfilters, etc etc etc.

At last, some meat.  :-)

> Now, if you decide that none of those applications are important to
> you,
> sure, you can firewall them off as appropriate. But the pervasive
> deployment of NAT means that the set of problems that can be solved is
> constrained, and of the problems that *can* be solved, the solutions
> tend to
> be more complicated, harder to implement, understand, and so on, which
> has a
> cost to the community (higher prices, less solved problems, whatever
> your
> desired metric may be). I think that's what Blake is getting at with
> his TotC.

Perhaps.  I'm not sure that the collective importance of that difficulty
outweighs the collective danger of making all nodes of the Internet *as it
presently exists* publicly routable.

I don't know whether it's occurred to people that if you make every node
on the present day Internet routable, then *you've made every node on the
present day Internet routable*; the number of machines subject to 
more or less direct attack goes up (by a jackleg estimate I've just now
made up) by between 3 and 5 orders of magnitude.

I make jackleg estimates all the time; I don't believe I've ever had to 
say "5 orders of magnitude".

> Of course, I'm a tiny bit of a skeptic, as I really can't see how a
> stateful
> firewall can know which other connections / packets are related
> without a
> lot of the same dodgy shenanigans that goes on now, but at least if
> you've
> gotten rid of the 1-to-N address mangling a fundamental stumbling
> block is
> removed and people can get on and solve the remaining (tractable)
> problems.

That is problematic as well, isn't it?

It speaks directly to the attack-surface comment I just made in another reply.

I'm going to bed now, which will reduce the number of replies the "aw crap,
is he really going to beat this dead horse again?" crowd will have to
skip.  :-)

-- jra