Slashdot Mirror


The Impending IP Crisis

Factomatic writes "With the supply of IP addresses expected to run out by 2005 due to the popularity explosion of the Internet and the expectation that everything from your phone to your washing machine will soon have its own IP address, Alex Lightman, CEO of Charmed Technology and chairman of last month's North American IPv6 Global Summit tells the New York Times "we're going to need something like 100 IP addresses for each human being." IPv6 will increase the supply of addresses from 4 billion today to a number in excess of 35 trillion that is "so big that there's not a word for the number," says Cody Christman, director of product engineering for Verio, which offers IPv6 in San Francisco, Washington and elsewhere. The article is a good layman's backgrounder on the looming IP crisis."

4 of 765 comments

  1. Crisis my ass, Ever hear of NAT? by nurb432 · Score: 0, Redundant

    Seriously though, every device on the face of the planet does *not* need its own private address. ( or have an IP at all, but that's a different discussion )

    Of the devices that really need outside connectivity, I bet less than 1/3 need their own, so NAT will take care of the other 2/3.

    --
    ---- Booth was a patriot ----
  2. Re:Duplicate story... by Merk · Score: 0, Redundant

    The workarounds for many of these problems exist, but they're not solutions, they're workarounds.

    Which is easier to type? "ssh box1.mydomain.com" or "ssh nat.mydomain.com -p 10022"? Using a default port for various services is a very handy thing. Most programs assume the default port for a given service, and when they do offer an alternative sometimes you have to dig around in the "advanced" menu to choose it. For a while in Mozilla there was no obvious way to choose a non-standard mail port, for example. If I want to let my mom use a mail server I'd rather just give her a machine name rather than have to make it complicated.

    The "use sftp/scp" solution fails the mom test too. If I want to allow my mom to upload pictures of the latest trick the dog learned, I'd like to be able to say "Ok mom, open up Safari. Ok, now type: ftp, colon, double forward slash (the ones that lean to the right mom), then ftp dot mydomain dot com..."

    Aside from those difficulties, NAT is just a hella-inelegant solution. The way TCP/IP and UDP/IP were designed, machines are distinguished by an address, services are distinguished by a port. It's simple, clean, easy to use... NAT breaks that model.

    Do most off-the-shelf routers use IPTABLES? If so, that's great, but kinda useless. The configuration interface they offer doesn't let me do what I want to do with IPTABLES. If I can't tweak the settings the way I like then it's essentially not running a firewall as far as I'm concerned.

    As for getting hacked through the NAT box, it's easy. Someone port-forwards mail, web and filesharing through the box to their desktop machine. Suddenly any mail exploit is available to the Internet. The user feels comfortable because they've got a firewall, but the "firewall" just forwards all malicious traffic right to the target machine.

    The only firewall-like capability that the off-the-shelf NAT routers offer is that ports are not explicitly open like they are on Windows machines. But that's a pretty weak form of protection.

    The no-NAT model of communication is so much more straightforward. If I want to get a packet from machine A to machine B, I fill in the appropriate headers, and voila. NAT adds complexity that really doesn't need to be there. It also severely reduces the flexibility of the whole system.

    NAT has its places, but it is not the solution to every problem. It is good for allowing web browsing from a non-routable IP address. Anything more complicated than that becomes a bigger and bigger headache. Why bother with the headache? Just use a real firewall and make all the addresses routable!
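
As an added illustration of the port bookkeeping and exposure problem Merk describes above (this is editor-added example code, not code from the thread): a small Python audit of iptables DNAT port-forward rules that lists which inside services a NAT box actually exposes to the Internet, flags two hosts mapped to the same public port, and picks a free external port for the next machine. The rule set and all addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in `iptables-save -t nat` syntax: a home NAT box that
# forwards ssh, mail and web to inside hosts. The two 10022 rules are a
# deliberate mistake of the kind that happens when port numbers are
# tracked by memory. Addresses are made up.
SAMPLE_NAT_RULES = """
-A PREROUTING -i eth0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.20:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.30:22
"""

DNAT_RE = re.compile(
    r"-A PREROUTING .*?-p (?P<proto>tcp|udp) .*?--dport (?P<ext>\d+) "
    r"-j DNAT --to-destination (?P<host>[\d.]+):(?P<port>\d+)"
)

def parse_forwards(text):
    """Return [(proto, external_port, inside_host, inside_port), ...] from DNAT rules."""
    out = []
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            out.append((m["proto"], int(m["ext"]), m["host"], int(m["port"])))
    return out

def exposed_services(forwards):
    """Map each public (proto, port) to the inside service(s) it reaches.
    Every entry here is reachable from the Internet regardless of any
    'firewall' feeling the NAT box gives: the forward is the hole."""
    table = defaultdict(list)
    for proto, ext, host, port in forwards:
        table[(proto, ext)].append(f"{host}:{port}")
    return dict(table)

def conflicts(forwards):
    """Public ports mapped to more than one inside host. Only the first rule
    in the chain ever matches, so the second host is silently unreachable."""
    return {k: v for k, v in exposed_services(forwards).items() if len(v) > 1}

def next_free_port(forwards, proto="tcp", start=10000, stop=20000):
    """Lowest external port in [start, stop) not already used for proto."""
    used = {ext for p, ext, _, _ in forwards if p == proto}
    for cand in range(start, stop):
        if cand not in used:
            return cand
    raise ValueError("no free external port in range")

def audit(text):
    fw = parse_forwards(text)
    return {"exposed": exposed_services(fw), "conflicts": conflicts(fw)}
```

Running `audit(SAMPLE_NAT_RULES)` shows three public ports open into the LAN and reports the 10022 collision; `next_free_port(parse_forwards(SAMPLE_NAT_RULES), start=10022)` returns the next usable port.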

  3. Re:Duplicate story... by asdfghjklqwertyuiop · Score: 0, Redundant

    the sshd thing is simple to solve. change the bloody port on each server. do you have to use 22?

    Gotta ssh into one of my machines at home. What port was that on again? 8022? 9022? Can't remember... I'll just try 8022 and see... oops, 8022 is machine X, 9022 must be the machine I want. Port numbers are so much more intuitive than hostnames.

    Time to add a new machine to the network. It's running sshd. Gotta log into the NAT router and figure out what port can be used. And remember that it was that port.

    Boy, that is so simple. Almost as simple as just sshing to machinex.domain or machiney.domain.

    fsck ftp. use sftp. and scp.

    Yeah, just fsck every other protocol too that happens to assume that the network is set up the correct way.

  4. Re:Duplicate story... by Merk · Score: 0, Redundant

    Regarding my mother: she's good enough to use IE to upload a file using FTP (if I walk her through it). I'd be the one setting up port-forwarding so she can upload the file to me. She would not be able to do SFTP or SCP because there's no friendly GUI for doing it already loaded onto her computer.

    I'm not sure what you mean about a single point of reference for networks. If you mean all traffic should flow through a small number of routers, sure. If you mean that most machines should be behind a NAT box, I don't agree. I think they should be behind a firewall, but NAT shouldn't be used instead of a firewall.