DISCLAIMER You must accept the following prior to using the above optimization. Don't try this home. The poster disclaims all warranties, regarding merchantability, fitness for any purpose, noninfringement, etc.
The above optimization must not be used in a production computing environment, or where computers provide essential services.
By considering the above optimization, you agree to indemnify and hold the poster harmless.
All computing environments are different.
Utilizing this optimization may void your system warranties or support agreements already in place.
The efficacy of this optimization cannot be guaranteed, and in some cases, the optimization may blow up your computer, send red-hot pieces flying in all directions, delete all your files, delete all your neighbor's files, and worse.
By proceeding you agree to be liable for all damages arising out of your use or failure to successfully use this optimization, including but not limited to damages incidental, consequential, interruption of business, or arising out of any tort, involving you or any third party.
The terms of this disclaimer shall be held jointly and severable, if any part of this disclaimer should be held unenforceable, then the remainder shall remain in full force, to the extent possible by law.
3DMark is not a test of average desktop use profile.
I think it would be far more interesting to do a double-blind study, on users utilizing real-world applications, and determine speed difference for actual apps.
Or even, just use a benchmark that tests Office/Desktop apps, instead of just 3D/GPU performance.
Also, interesting would be to 'image' the system before taking it to be optimized...
Then image it again.
Do a complete comparison to determine exactly what was changed during the "optimization"
Registry settings, files, etc.
Determine if any changes were actually made, then go and investigate the merits of each change, with benchmarks taylored to highhlight any effects that change might have
On finding the length of the hypotenuse of a right triangle.
Scope of the invention:
For right triangle with length of two sides denoted by A, B, the length of the hypotenuse denoted by C:
C^2 = A^2 + B^2
and
Abs(C) = Sqrt(A^2 + B^2)
Oh yes.. and my patent on trigonometric functions..
These things I like to call "Sines", "Cosines", "Secants", "ArcSecants", "Tangents", and "ArcTangents".
And PI itself...
Stand back Eolas, i4i, NTP, Unisys, get ready for Mysidia.
Means they can break into people's houses to conduct illegal searches without recourse?
And kidnap Americans, to take them across the border, for interrogation, also without judicial recourse?
Doesn't it?
Congratulations Mr. President... you just made a successful end-run around the constitution's 11th, 14th, 3rd ammendment, 4th ammendment, 5th ammendment, 6th ammendment, and the rule of law.
of course you can - just start routing those blocks somewhere else
Are you prepared to have an army of lawyers protecting your tail, when HP or Xerox sues you, for announcing or allocating their address space?
They will probably get a really big document called an court order against you, and probably police after you, the moment they determine you do that intentionally.
Not to mention, they have enough clout with the Tier 1s, to get your "rogue advertisements" blocked.
They can probably do this, regardless of what any current registry says.
Unless there is government action on the matter, these/8 holders cannot be forced to make those IPs usable by anyone else.
Many-to-one NAT doesn't need to record the outbound IP address, and many simple NAT devices don't, it would require more memory to record the extra information, and more complicated software.
Most NAT devices will simply forward the packet, as long as a mapping exists for the port number the packet is sent to.
A stateful firewall does record the remote IP as part of the NAT table entry.
A stateful firewall also records the state of the connection, deletes the entry from the table when the connection is closed, and doesn't allow packets that don't match a proper TCP connection.
And a stateful firewall can also block outbound traffic that doesn't match a valid TCP sequence.
For example, malware trying to communicate through a back channel that uses stray TCP "ACK" packets
IP addresses are assigned to Points of Presence in cities. Justification to ARIN is based on number of residential users dialing in to the POP.
When the ISP renumbers their dialup customers to use NAT, they will lose "dialup clients" as a justification for possessing all those IP addresses...
Technically, they're supposed to renumber at that point, and return IPs to ARIN that they can no longer justify.
The agreements (RSA) they sign state they can only use the IP addresses for the purpose they used to justify their allocation. So if the justification no longer exists, they must return them, and submit a new request, for their business customers.
In any case, after "taking all the IPs away" and NAT'ing everyone, they will no longer meet the utilization criteria required to (legally) apply for more IP addresses.
It would be to their disadvantage to do this, at least, prior to exhaustion.
Not only does it nick their ability to apply for new IPs, but it may hurt their residential ISP business, if they do this alone.
Many real-world internet applications, including games, chat apps, peer to peer, etc, rely on having public IP addresses.
Users of broadband routers at home, often find they need to forward ports, or use a UpNP-enabled router, that their software supports.
To have proper end-to-end connectivity of these hosts, public addressable IPs are an absolute requirement.
NAPT was a kludge due to the limitation of IPs, that compromises the end-to-end principal, it compromises the fundamental design principals of the internet, and hosts with RFC1918 IPs and the like are not truly internet connected.
Non publicly addressable IPs don't have proper connectivity.
If your Car, Camera, etc, don't have publicly addressable IPs, then you can't connect to them from off-net, which defeats the point of having them internet connected in the first place.
so it's not a problem to cut piece of cake from those ip ranges.
Yeah it is a problem; addresses can't be taken from them at all.
They have been allocated those ranges, and they were granted under the authority of the US DoD itself.
I don't think any of the/8 holders have said anything on the subject @ the ARIN-PPML.
But a lot of holders of one legacy/24 are extremely vocal on the subject, and claim since they were granted under authority of US DoD, by IANA at the time, without any terms, only the US DoD itself, none of the current registries can force them to obey current rules (including utilization rules) or return addresses, without violating laws.
Make no mistake, IP addresses from these allocations cannot be recovered by force.
Maybe with a 10-year legal battle.
By the time the legacy holders stopped fighting, V4 would be exhausted anyways.
Of course there is - it allows all manner of insecure and misconfigured gear to avoid being probed from the other side of the planet?
It is much better to use a real stateful firewall for this, with a complete stateful firewall table, rather than rely on mickey-mouse techniques such as NAT.
If the 'misconfigured' gear makes any outside connections whatsoever, NAT gear can be tricked to allow an outbound probe to it.
The key is NAT works by creating a (LOCAL):(lport) => (GLOBAL):(glport) entry, when a host on the LAN sends a packet to WAN.
For example, if the print server having IP 192.168.1.1 sends a packet sourced from port 139 to outside IP 192.0.32.10 on some port (destination port is irrelevent)
The NAT device will generate some random local port and make a NAT table entry local-ip lport glport 192.168.1.1 139 1234
If someone on the internet happens to probe "port 1234". What will they be connected to?
192.168.1.1 port 139, of course!
This can result in a lot of unusual security implications for you.
But the most significant one, is thinking you're more secure than you are...
which may be okay, to an extent.
But not only can you be as secure without NAT (using a true stateful firewall), but you can be more secure than simple NAT allows you to be.
NAT won't save us, but there are a lot of expensive technologies that will probably be used when IP addresses become more expensive.
For example... web hosting providers with thousands of servers for user websites.
May start looking into some expensive load-balancing and content switch technologies that support name-based virtual hosting let them use NAT on their webservers.
It means scaling name-based vhosting up even greater than it is today.
The Server end is the hardest to NAT, though.
Every server application will have to adapt to these limited needs, meaning an equivalent to the HTTP host header, for every protocol.
Application proxies will be king, just about everything will be HTTP, other protocols may die-off altogether or be replaced by equivalents that run over HTTP.
End users' internet connections will probably be NAT'ed by their ISPs first... this will even be seen as a revenue generator; since every TCP/UDP connection now uses ISP resources, it will become expected and normal for ISPs to have variable billing based on number of TCP/UDP connections.
Since each IP address can only have 65,530 connections, before source:destination port pairs are used up, and NAT router memory is not free.
Getting a non-NAT'ed IP is a business-level service and requires buying the 65,530 TCP/UDP connection level of service, plus an additional "IP fee".
In reality, the ISPs may force 'buying an IP' after a specified number of connection slots, since the memory usage on their router is more expensive than just assigning a certain IP at a point (if they will actually use all the full 'connection' quota they purchased)
That's already been thought of.
As an ISP, you don't get to just make up whatever rules you want to determine how many IPs you can assign, beyond a certain point, you have to apply RFC 2050, per the name resource policies:
Because it is.
In actuality, need is defined as the minimum number of IP addresses that will be required within a certain period of time in the future, according to Network Engineering plans that get submitted to ISPs (LIRs and RIRs) in order to apply for IPs; efficient utilization means utilizing 80% of the IPs to address internet hosts. IPs that will be required in the near future are needed and part of the justification.
Currently 25% immediate utilization is required after 6 months, 50% required after 1 year.
All existing IP allocations must be 80% utilized.
ARIN NRPM, 4.2.3.1. Efficient utilizationISPs are required to apply a utilization efficiency criterion in providing address space to their customers.
ARIN NRPM, 4.2.3.6 Reassignment to multihomed downstream customers: Under normal circumstances an ISP is required to determine the prefix size of their reassignment to a downstream customer according to the guidelines set forth in RFC 2050. Specifically, a downstream customer justifies their reassignment by demonstrating they have an immediate requirement for 25% of the IP addresses being assigned, and that they have a plan to utilize 50% of their assignment within one year of its receipt.
4.2.3.3. Contiguous blocks:
if a customer moves to another service provider or otherwise terminates a contract with an ISP, it is recommended that the customer return the network addresses to the ISP and renumber into the new provider's address space. The original ISP should allow sufficient time for the renumbering process to be completed before requiring the address space to be returned.
Those/8s and MANY/16s and some/24s are already allocated, they were allocated by the legacy registry under very few or no well-documented conditions. These addresses have no registry policy associated with them, they were basically granted without the recipients having to sign any agreement in many cases.
In case there was an agreement, the recipients of the legacy IP addresses (probably) either destroyed it or (conveniently) won't offer it, in any case, SELFISH BEHAVIOR is the norm.
Some of those/8 recipients themselves, and of course lots of very loud concerned single/24 recipients deem (on arin-ppml policy mailing list) ARIN to have no authority over their addresses, of course this is a self-serving position, and also results in them not having to pay any fees like everyone else (who received allocations since the late 90s) does.
But another potential consequence is, ARIN can't try to force them to renumber or take addresses back, and then re-assign them, without a 10-years protracted legal battle, with some of the largest, most influential corporations on earth, most likely.
The resulting internet instability would not be worth it the small delay in exhaustion, probably.
So in a word... the only way to get any IP addresses back is voluntary altruistic action from those companies, returning IP addresses back to the registries, that probably they could otherwise profit from.
Now tell me this... do you think Hewlett-Packard Company, Xerox, Ford, Apple, Level 3, GE, IBM, Halliburton Company, E.I. duPont , Bell-Northern , Interop, Bell-Northern, Prudential, and USPS...
Will go through the (potentially large) expense of renumbering their networks to consolidate, free up as much of their/8 as possible, and return it to IANA, as an altruistic action?
Despite the fact, that an IPv4 shortage could turn the resource they are sitting on into a very valuable asset, they could rent out piecemeal to ISPs all over the world, or to "IP Address" brokers....?
Despite the fact their Legacy IPs have special privileges that no modern-day IP address allocations have.
For example, they can allocate however they want, without having to justify to anyone, they don't have to require justification from anyone and can allocate on whatever is the most profitable to them, plus they don't have to pay any fees, ever...
Whereas, if the internet ever switches to IPv6, they will lose all their legacy rights. And have to sign this gargantuan registry services agreement and pay huge annual allocation fees for their IPv6 space, just like everyone else...
Yeah, ARIN currently _waives_ fees for IPv6, by 'charging the lesser' of V4 and V6, but they can see beyond that, it won't last forever -- and the legacy registrants who currently have free IPs will start having to pay for V6, if V6 ever catches on.
It's in their best interest to keep V4 around, but not by voluntarily returning addresses, but by profiting from them, and massively increasing the fragmentation of the global routing tables in the DFZ.
the ISPs can then claw back IPs from less lucrative customers and give them to more lucrative ones.
There's a term for that, it's called: Fraud.
And I hope ARIN counts on that it will happen.
I'm sure policies are already being considered as we speak, to provide for auditing of ISPs to validate compliance with the Registry Services agreements the ISPs signed.
It's a violation of the ARIN agreement ISPs have to sign, to give a customer more IP addresses than they have justified need for, just because you want to get a bigger PA allocation.
Allocations are provided to ISPs for re-assigning. Once re-assigned, the IPs belong to the end user, for use with services provided by the ISP.
The netblock belongs to the end user, as long as they keep services with the ISP, ARIN does not require them to return the addresses.
If the ISP retained the right to take back the IPs, then they violated the RSA by not properly recording the reassignment of the addresses, eg they never actually assigned them...
What about the non-IT employees who don't frequent Anime sites during business hours, saturate the T1 (or DS3), install "codecs" that are actually Zlob/Vundo, lie to the boss, use juno webmail during business hours, or access tentacle porn?
So why should Slashdot be free and open, while (say), blogs.msdn.com gets blocked?
That, my friend, is the difference between IT and regular employees.
You suggest as if all "regular employees" are inherently like the worst most abusive, security risk employees you ever knew..
People can get tricked by malware popups, even when visiting normal sites by the way. Major web sites have at times frequently fallen prey to ad networks popping up malicious code, sites that probably wouldn't be blocked (like CNN.COM, Yahoo.com, cnet.com,..).
Even IT workers might fall prey to drive-by-downloaders that utilize exploits, unless running NoScript. Oh wait... corporate policy probably doesn't allow mere mortals to install software and therefore use anything except Internet Explorer, Adobe Reader + Flash is mandated, only IT folks can bypass the rule (w/ local Admin access), run FF, use Sumatra/Foxit for PDF reading, and use Flashblock to protect against flash exploits, Oops...
Not everyone is that way... a lot of people use their computers like professionals for 90% business-related functions, and a lot of people are clueful about technology, even those who aren't in IT.
X86 assembly programmers, or people who work on Windows drivers and low-level programming teams in a software/hardware company, would probably contain some of the technically clueful folks who aren't in IT.
In fact, some may be more clueful than IT about certain things. The average IT department
understandably overestimates their competence due to the Dunning–Kruger effect..
And the enterprise should not care at all if they take a 20 minute break to look up something on Wikipedia or visit some Bambi forum.
Yeah... people do deserve these things called breaks sometimes, you know..
especially programmers who spend 14+ hours a day in front of a computer monitor working on the software design with their team, and probably putting a lot more brain power into it than the 40 hrs they get paid for.
Every now and then, finding a distraction to rest their mind for a few minutes, can make them more productive at the primary task.
So physically limiting their surfing behavior is more than some unimportant technology situation, it may actually reduce their morale, and therefore their productivity.
The situation is much more complicated in many cases, than it immediately appears.
It's not obvious that limiting the surfing behavior is a net positive.
Now, if they were putting out shoddy work or no work product at all, and spending 50% of their time at work surfing, yeah, that'd be them abusing their internet access.
Why do we need technical measures?
(Other than simple monitoring)
Can't businesses just have a policy, that if you turn into a F5-pushing robot, you get fired, or warned + re-assigned to some grunt work that doesn't require internet access for a week, and if you get caught being a F5 monkey again, you're fired?
Technical sites such as Slashdot and Digg help IT workers do their jobs, by keeping them up-to-date in respect to matters of concern to their field, and may contain information they are looking for with Google.
There is a good business case for allowing technical access to these forums.
So I don't think it's an "abuse of power" that they may have been whitelisted.
A common IT tool to solve a technical problem is a google search, and a Technical forum often contains the answer.
When other workers in the Enterprise can make a similar case, then forums in regards to that subject should be open as well.
For example, there could be a business case that medical workers should be allowed to access professional medicine-related forums in a Hospital.
Airports could have a business case for allowing their workers to access news/airline professional-related forums.
As a guest at the airport/hotel, you may be restricted in other ways, for other security reasons.
Not taking the drug could mean a significant quality of life reduction, even if it is not a life-threatening situation.
What about infections that can cause paralysis, limb loss, extreme pain/discomfort, temporary (or permanent) loss of ability to walk, organ damage, brain damage, or other undesirable effects?
But not otherwise life-threatening, if watched carefully, and treatment applied in time if it gets too bad.
Coca-cola has a secret formula, a logo that is their property, and so on. They sell a lot of coke. They don't have to give up their logo or their formula to stop being a monopoly, which they aren't anyway, because they don't sell like 90% of the soft drinks in the world.
There's nothing wrong with being a monopoly, as long as they don't abuse their position, by taking up anti-competitive practices, but Coke is undeniably a monopoly. They may not quite sell 90% of the soft drinks in the world, but they are very close.
They have been found guilty of anti-competitive practices in the past and fined.
In fact, they have crossed the line before with monopolistic practices, and been spanked.
That tends to discredit the idea that Coke is not a monopoly.
Apple would have to release all patents free of charge to all competitors or men on the street in order to be 'not a monopoly."
No they wouldn't. You're making a straw man.
For the iPhone application platform to not be an Apple monopoly, they would just need to license their software stack, at a fair price.
Just like Microsoft would only need to license all the Windows APIs (to be used in other systems) at a fair price, then competitors' platforms could run software built using Windows' frameworks, and Windows would no longer be a monopoly.
Also, if Android phone makers were to be able to develop a framework to run iPhone Apps, then the iPhone OS would no longer be an architecture monopoly.
As-is. There is no competitive smart phone option your customers can buy to run your iPhone app, and that makes Apple a monopoly.
In fact, Apple is a monopoly for various products involved.
Don't like the terms required to use Windows '98/NT? Buy an IBM OS/2 system.
Or buy an Amiga box.
Don't like the terms required to drink a Coke Cola? buy a Pepsi Cola.
Same arguments.
Despite the argument, they still have a monopoly.
If only one company manufactured pure Orange Juice, they would still have a monopoly, even if there were THOUSANDS of other companies manufacturing juice drinks of all types, some of them orange flavored, some of them containing orange juice and pulp (but none of them pure orange juice).
It's not enough that some other companies make a similar product, to prevent Apple from having a monopoly.
Until a competitor's phones can run a like-kind OS to the iPhone, and match their functionality in a robust way (sufficient to compete directly), Apple has a monopoly.
They have sufficient control over the product to significantly determine the terms under which others have access to it.
You can't switch to a "Nokia brand iPhone" that provides equivalent functionality to Apple's iPhone, and therefore provides robust competition against the iPhone.
Instead, you can only switch to a Nokia phone that runs significantly different software, and has significantly different functionality, and therefore, is only an indirect competitor to Apple's iPhone product.
It's like saying (before AMD) that Intel isn't a monopoly, because you can always use an IBM PowerPC or ARM processor for your PC, instead.
Android, Nokia, and Windows Mobile, can't run the iPhone OS software stack.
So they aren't competitors to Apple's iPhone hardware.
Except in the view of a complete change to a completely different architecture, and a completely different user experience.
UNIX: to optimize disk usage: rm -rf /
Windows XP: rd /s /q C:\
yes
DISCLAIMER You must accept the following prior to using the above optimization. Don't try this home. The poster disclaims all warranties, regarding merchantability, fitness for any purpose, noninfringement, etc.
The above optimization must not be used in a production computing environment, or where computers provide essential services.
By considering the above optimization, you agree to indemnify and hold the poster harmless.
All computing environments are different. Utilizing this optimization may void your system warranties or support agreements already in place. The efficacy of this optimization cannot be guaranteed, and in some cases, the optimization may blow up your computer, send red-hot pieces flying in all directions, delete all your files, delete all your neighbor's files, and worse.
By proceeding you agree to be liable for all damages arising out of your use or failure to successfully use this optimization, including but not limited to damages incidental, consequential, interruption of business, or arising out of any tort, involving you or any third party. The terms of this disclaimer shall be held jointly and severable, if any part of this disclaimer should be held unenforceable, then the remainder shall remain in full force, to the extent possible by law.
3DMark is not a test of average desktop use profile.
I think it would be far more interesting to do a double-blind study, on users utilizing real-world applications, and determine speed difference for actual apps.
Or even, just use a benchmark that tests Office/Desktop apps, instead of just 3D/GPU performance.
Also, interesting would be to 'image' the system before taking it to be optimized...
Then image it again.
Do a complete comparison to determine exactly what was changed during the "optimization"
Registry settings, files, etc.
Determine if any changes were actually made, then go and investigate the merits of each change, with benchmarks taylored to highhlight any effects that change might have
On finding the length of the hypotenuse of a right triangle.
Scope of the invention:
For right triangle with length of two sides denoted by A, B, the length of the hypotenuse denoted by C:
C^2 = A^2 + B^2
and
Abs(C) = Sqrt(A^2 + B^2)
Oh yes.. and my patent on trigonometric functions.. These things I like to call "Sines", "Cosines", "Secants", "ArcSecants", "Tangents", and "ArcTangents".
And PI itself...
Stand back Eolas, i4i, NTP, Unisys, get ready for Mysidia.
Muahahahahahahahahaha!!
Can we mod the article itself -1, Flamebait then? :)
But... Ob... err... But Obam... err.. But Interpol.... I... err.. I... ....
You win.
Means they can break into people's houses to conduct illegal searches without recourse?
And kidnap Americans, to take them across the border, for interrogation, also without judicial recourse?
Doesn't it?
Congratulations Mr. President... you just made a successful end-run around the constitution's 11th, 14th, 3rd ammendment, 4th ammendment, 5th ammendment, 6th ammendment, and the rule of law.
of course you can - just start routing those blocks somewhere else
Are you prepared to have an army of lawyers protecting your tail, when HP or Xerox sues you, for announcing or allocating their address space?
They will probably get a really big document called an court order against you, and probably police after you, the moment they determine you do that intentionally.
Not to mention, they have enough clout with the Tier 1s, to get your "rogue advertisements" blocked.
They can probably do this, regardless of what any current registry says. Unless there is government action on the matter, these /8 holders cannot be forced to make those IPs usable by anyone else.
Many-to-one NAT doesn't need to record the outbound IP address, and many simple NAT devices don't, it would require more memory to record the extra information, and more complicated software.
Most NAT devices will simply forward the packet, as long as a mapping exists for the port number the packet is sent to.
A stateful firewall does record the remote IP as part of the NAT table entry. A stateful firewall also records the state of the connection, deletes the entry from the table when the connection is closed, and doesn't allow packets that don't match a proper TCP connection.
And a stateful firewall can also block outbound traffic that doesn't match a valid TCP sequence. For example, malware trying to communicate through a back channel that uses stray TCP "ACK" packets
Probably nothing in reality, individual residential customers aren't actually assigned IPs.
IP addresses are assigned to Points of Presence in cities. Justification to ARIN is based on number of residential users dialing in to the POP.
When the ISP renumbers their dialup customers to use NAT, they will lose "dialup clients" as a justification for possessing all those IP addresses...
Technically, they're supposed to renumber at that point, and return IPs to ARIN that they can no longer justify.
The agreements (RSA) they sign state they can only use the IP addresses for the purpose they used to justify their allocation. So if the justification no longer exists, they must return them, and submit a new request, for their business customers.
In any case, after "taking all the IPs away" and NAT'ing everyone, they will no longer meet the utilization criteria required to (legally) apply for more IP addresses.
It would be to their disadvantage to do this, at least, prior to exhaustion.
Not only does it nick their ability to apply for new IPs, but it may hurt their residential ISP business, if they do this alone.
Many real-world internet applications, including games, chat apps, peer to peer, etc, rely on having public IP addresses.
Users of broadband routers at home, often find they need to forward ports, or use a UpNP-enabled router, that their software supports.
Nope.
Unless you are allocated a block of /29 worth or more IP addresses, documenting the re-assignment is not required.
Also, the rules are different for accounting for residential ISP customers.
Instead of counting hosts, the number of ports, number of dial-up clients per city, and lists of URLs for websites are counted.
An underlying assumption behind that process is dial-up users are each assigned 1 IP address.
So 'allowing 5 IPs' to a DSL/dial-up user is a bit unusual
To have proper end-to-end connectivity of these hosts, public addressable IPs are an absolute requirement.
NAPT was a kludge due to the limitation of IPs, that compromises the end-to-end principal, it compromises the fundamental design principals of the internet, and hosts with RFC1918 IPs and the like are not truly internet connected.
Non publicly addressable IPs don't have proper connectivity.
If your Car, Camera, etc, don't have publicly addressable IPs, then you can't connect to them from off-net, which defeats the point of having them internet connected in the first place.
so it's not a problem to cut piece of cake from those ip ranges.
Yeah it is a problem; addresses can't be taken from them at all.
They have been allocated those ranges, and they were granted under the authority of the US DoD itself.
I don't think any of the /8 holders have said anything on the subject @ the ARIN-PPML.
But a lot of holders of one legacy /24 are extremely vocal on the subject, and claim since they were granted under authority of US DoD, by IANA at the time, without any terms, only the US DoD itself, none of the current registries can force them to obey current rules (including utilization rules) or return addresses, without violating laws.
Make no mistake, IP addresses from these allocations cannot be recovered by force.
Maybe with a 10-year legal battle. By the time the legacy holders stopped fighting, V4 would be exhausted anyways.
Of course there is - it allows all manner of insecure and misconfigured gear to avoid being probed from the other side of the planet?
It is much better to use a real stateful firewall for this, with a complete stateful firewall table, rather than rely on mickey-mouse techniques such as NAT. If the 'misconfigured' gear makes any outside connections whatsoever, NAT gear can be tricked to allow an outbound probe to it.
The key is NAT works by creating a (LOCAL):(lport) => (GLOBAL):(glport) entry, when a host on the LAN sends a packet to WAN.
For example, if the print server having IP 192.168.1.1 sends a packet sourced from port 139 to outside IP 192.0.32.10 on some port (destination port is irrelevent)
The NAT device will generate some random local port and make a NAT table entry
local-ip lport glport
192.168.1.1 139 1234
If someone on the internet happens to probe "port 1234". What will they be connected to? 192.168.1.1 port 139, of course!
This can result in a lot of unusual security implications for you. But the most significant one, is thinking you're more secure than you are... which may be okay, to an extent.
But not only can you be as secure without NAT (using a true stateful firewall), but you can be more secure than simple NAT allows you to be.
NAT won't save us, but there are a lot of expensive technologies that will probably be used when IP addresses become more expensive.
For example... web hosting providers with thousands of servers for user websites.
May start looking into some expensive load-balancing and content switch technologies that support name-based virtual hosting let them use NAT on their webservers.
It means scaling name-based vhosting up even greater than it is today.
The Server end is the hardest to NAT, though. Every server application will have to adapt to these limited needs, meaning an equivalent to the HTTP host header, for every protocol. Application proxies will be king, just about everything will be HTTP, other protocols may die-off altogether or be replaced by equivalents that run over HTTP.
End users' internet connections will probably be NAT'ed by their ISPs first... this will even be seen as a revenue generator; since every TCP/UDP connection now uses ISP resources, it will become expected and normal for ISPs to have variable billing based on number of TCP/UDP connections.
Since each IP address can only have 65,530 connections, before source:destination port pairs are used up, and NAT router memory is not free.
Getting a non-NAT'ed IP is a business-level service and requires buying the 65,530 TCP/UDP connection level of service, plus an additional "IP fee".
In reality, the ISPs may force 'buying an IP' after a specified number of connection slots, since the memory usage on their router is more expensive than just assigning a certain IP at a point (if they will actually use all the full 'connection' quota they purchased)
That's already been thought of. As an ISP, you don't get to just make up whatever rules you want to determine how many IPs you can assign, beyond a certain point, you have to apply RFC 2050, per the name resource policies:
Because it is.
In actuality, need is defined as the minimum number of IP addresses that will be required within a certain period of time in the future, according to Network Engineering plans that get submitted to ISPs (LIRs and RIRs) in order to apply for IPs; efficient utilization means utilizing 80% of the IPs to address internet hosts. IPs that will be required in the near future are needed and part of the justification.
Currently 25% immediate utilization is required after 6 months, 50% required after 1 year.
All existing IP allocations must be 80% utilized.
ARIN NRPM, 4.2.3.1. Efficient utilization ISPs are required to apply a utilization efficiency criterion in providing address space to their customers.
ARIN NRPM, 4.2.3.6 Reassignment to multihomed downstream customers: Under normal circumstances an ISP is required to determine the prefix size of their reassignment to a downstream customer according to the guidelines set forth in RFC 2050.
Specifically, a downstream customer justifies their reassignment by demonstrating they have an immediate requirement for 25% of the IP addresses being assigned, and that they have a plan to utilize 50% of their assignment within one year of its receipt.
4.2.3.3. Contiguous blocks: if a customer moves to another service provider or otherwise terminates a contract with an ISP, it is recommended that the customer return the network addresses to the ISP and renumber into the new provider's address space. The original ISP should allow sufficient time for the renumbering process to be completed before requiring the address space to be returned.
RFC 2050.
Those /8s and MANY /16s and some /24s are already allocated, they were allocated by the legacy registry under very few or no well-documented conditions. These addresses have no registry policy associated with them, they were basically granted without the recipients having to sign any agreement in many cases.
In case there was an agreement, the recipients of the legacy IP addresses (probably) either destroyed it or (conveniently) won't offer it, in any case, SELFISH BEHAVIOR is the norm.
Some of those /8 recipients themselves, and of course lots of very loud concerned single /24 recipients deem (on arin-ppml policy mailing list) ARIN to have no authority over their addresses, of course this is a self-serving position, and also results in them not having to pay any fees like everyone else (who received allocations since the late 90s) does.
But another potential consequence is, ARIN can't try to force them to renumber or take addresses back, and then re-assign them, without a 10-years protracted legal battle, with some of the largest, most influential corporations on earth, most likely.
The resulting internet instability would not be worth it the small delay in exhaustion, probably.
So in a word... the only way to get any IP addresses back is voluntary altruistic action from those companies, returning IP addresses back to the registries, that probably they could otherwise profit from.
Now tell me this... do you think Hewlett-Packard Company, Xerox, Ford, Apple, Level 3, GE, IBM, Halliburton Company, E.I. duPont , Bell-Northern , Interop, Bell-Northern, Prudential, and USPS...
Will go through the (potentially large) expense of renumbering their networks to consolidate, free up as much of their /8 as possible, and return it to IANA, as an altruistic action?
Despite the fact, that an IPv4 shortage could turn the resource they are sitting on into a very valuable asset, they could rent out piecemeal to ISPs all over the world, or to "IP Address" brokers....?
Despite the fact their Legacy IPs have special privileges that no modern-day IP address allocations have. For example, they can allocate however they want, without having to justify to anyone, they don't have to require justification from anyone and can allocate on whatever is the most profitable to them, plus they don't have to pay any fees, ever...
Whereas, if the internet ever switches to IPv6, they will lose all their legacy rights. And have to sign this gargantuan registry services agreement and pay huge annual allocation fees for their IPv6 space, just like everyone else...
Yeah, ARIN currently _waives_ fees for IPv6, by 'charging the lesser' of V4 and V6, but they can see beyond that, it won't last forever -- and the legacy registrants who currently have free IPs will start having to pay for V6, if V6 ever catches on.
It's in their best interest to keep V4 around, but not by voluntarily returning addresses, but by profiting from them, and massively increasing the fragmentation of the global routing tables in the DFZ.
the ISPs can then claw back IPs from less lucrative customers and give them to more lucrative ones.
There's a term for that, it's called: Fraud. And I hope ARIN counts on that it will happen. I'm sure policies are already being considered as we speak, to provide for auditing of ISPs to validate compliance with the Registry Services agreements the ISPs signed.
It's a violation of the ARIN agreement ISPs have to sign, to give a customer more IP addresses than they have justified need for, just because you want to get a bigger PA allocation.
Allocations are provided to ISPs for re-assigning. Once re-assigned, the IPs belong to the end user, for use with services provided by the ISP.
The netblock belongs to the end user, as long as they keep services with the ISP, ARIN does not require them to return the addresses.
If the ISP retained the right to take back the IPs, then they violated the RSA by not properly recording the reassignment of the addresses, eg they never actually assigned them...
What about the non-IT employees who don't frequent Anime sites during business hours, saturate the T1 (or DS3), install "codecs" that are actually Zlob/Vundo, lie to the boss, use juno webmail during business hours, or access tentacle porn?
So why should Slashdot be free and open, while (say), blogs.msdn.com gets blocked?
You suggest as if all "regular employees" are inherently like the worst most abusive, security risk employees you ever knew..
People can get tricked by malware popups, even when visiting normal sites by the way. Major web sites have at times frequently fallen prey to ad networks popping up malicious code, sites that probably wouldn't be blocked (like CNN.COM, Yahoo.com, cnet.com, ..).
Even IT workers might fall prey to drive-by-downloaders that utilize exploits, unless running NoScript. Oh wait... corporate policy probably doesn't allow mere mortals to install software and therefore use anything except Internet Explorer, Adobe Reader + Flash is mandated, only IT folks can bypass the rule (w/ local Admin access), run FF, use Sumatra/Foxit for PDF reading, and use Flashblock to protect against flash exploits, Oops...
Not everyone is that way... a lot of people use their computers like professionals for 90% business-related functions, and a lot of people are clueful about technology, even those who aren't in IT.
X86 assembly programmers, or people who work on Windows drivers and low-level programming teams in a software/hardware company, would probably contain some of the technically clueful folks who aren't in IT.
In fact, some may be more clueful than IT about certain things. The average IT department understandably overestimates their competence due to the Dunning–Kruger effect..
And the enterprise should not care at all if they take a 20 minute break to look up something on Wikipedia or visit some Bambi forum.
Yeah... people do deserve these things called breaks sometimes, you know.. especially programmers who spend 14+ hours a day in front of a computer monitor working on the software design with their team, and probably putting a lot more brain power into it than the 40 hrs they get paid for.
Every now and then, finding a distraction to rest their mind for a few minutes, can make them more productive at the primary task.
So physically limiting their surfing behavior is more than some unimportant technology situation, it may actually reduce their morale, and therefore their productivity.
The situation is much more complicated in many cases, than it immediately appears.
It's not obvious that limiting the surfing behavior is a net positive.
Now, if they were putting out shoddy work or no work product at all, and spending 50% of their time at work surfing, yeah, that'd be them abusing their internet access.
Exactly... It's hard to quantify the damage done by a-priori blocking.
They should instead have a person whose job is to review once a month, just the domain names of sites being accessed frequently.
And submit a list of anomolies like 'poke mon' forums to be blocked.
Otherwise, the assumption should be the sites are accessed for a business reason, until proven otherwise.
Why do we need technical measures? (Other than simple monitoring)
Can't businesses just have a policy, that if you turn into a F5-pushing robot, you get fired, or warned + re-assigned to some grunt work that doesn't require internet access for a week, and if you get caught being a F5 monkey again, you're fired?
Technical sites such as Slashdot and Digg help IT workers do their jobs, by keeping them up-to-date in respect to matters of concern to their field, and may contain information they are looking for with Google.
There is a good business case for allowing technical access to these forums. So I don't think it's an "abuse of power" that they may have been whitelisted.
A common IT tool to solve a technical problem is a google search, and a Technical forum often contains the answer.
When other workers in the Enterprise can make a similar case, then forums in regards to that subject should be open as well.
For example, there could be a business case that medical workers should be allowed to access professional medicine-related forums in a Hospital.
Airports could have a business case for allowing their workers to access news/airline professional-related forums.
As a guest at the airport/hotel, you may be restricted in other ways, for other security reasons.
Not taking the drug could mean a significant quality of life reduction, even if it is not a life-threatening situation.
What about infections that can cause paralysis, limb loss, extreme pain/discomfort, temporary (or permanent) loss of ability to walk, organ damage, brain damage, or other undesirable effects?
But not otherwise life-threatening, if watched carefully, and treatment applied in time if it gets too bad.
Coca-cola has a secret formula, a logo that is their property, and so on. They sell a lot of coke. They don't have to give up their logo or their formula to stop being a monopoly, which they aren't anyway, because they don't sell like 90% of the soft drinks in the world.
There's nothing wrong with being a monopoly, as long as they don't abuse their position, by taking up anti-competitive practices, but Coke is undeniably a monopoly. They may not quite sell 90% of the soft drinks in the world, but they are very close. They have been found guilty of anti-competitive practices in the past and fined.
In fact, they have crossed the line before with monopolistic practices, and been spanked. That tends to discredit the idea that Coke is not a monopoly.
Apple would have to release all patents free of charge to all competitors or men on the street in order to be 'not a monopoly."
No they wouldn't. You're making a straw man.
For the iPhone application platform to not be an Apple monopoly, they would just need to license their software stack, at a fair price.
Just like Microsoft would only need to license all the Windows APIs (to be used in other systems) at a fair price, then competitors' platforms could run software built using Windows' frameworks, and Windows would no longer be a monopoly.
Also, if Android phone makers were to be able to develop a framework to run iPhone Apps, then the iPhone OS would no longer be an architecture monopoly.
As-is. There is no competitive smart phone option your customers can buy to run your iPhone app, and that makes Apple a monopoly.
In fact, Apple is a monopoly for various products involved.
Don't like the terms required to use Windows '98/NT? Buy an IBM OS/2 system. Or buy an Amiga box.
Don't like the terms required to drink a Coke Cola? buy a Pepsi Cola.
Same arguments.
Despite the argument, they still have a monopoly.
If only one company manufactured pure Orange Juice, they would still have a monopoly, even if there were THOUSANDS of other companies manufacturing juice drinks of all types, some of them orange flavored, some of them containing orange juice and pulp (but none of them pure orange juice).
It's not enough that some other companies make a similar product, to prevent Apple from having a monopoly.
Until a competitor's phones can run a like-kind OS to the iPhone, and match their functionality in a robust way (sufficient to compete directly), Apple has a monopoly. They have sufficient control over the product to significantly determine the terms under which others have access to it.
You can't switch to a "Nokia brand iPhone" that provides equivalent functionality to Apple's iPhone, and therefore provides robust competition against the iPhone.
Instead, you can only switch to a Nokia phone that runs significantly different software, and has significantly different functionality, and therefore, is only an indirect competitor to Apple's iPhone product.
It's like saying (before AMD) that Intel isn't a monopoly, because you can always use an IBM PowerPC or ARM processor for your PC, instead.
Android, Nokia, and Windows Mobile, can't run the iPhone OS software stack.
So they aren't competitors to Apple's iPhone hardware.
Except in the view of a complete change to a completely different architecture, and a completely different user experience.
I'm not disagreeing with you about shooting implementors, necessarily.
But I actually tried using the time functions on 64-bit Linux, Redhat Enterprise Linux 5.4 64-bit.
Some 64-bit values seemed to work, others did not. ex:
# perl -e 'printf "[%d]\n", int(1099511627776)'
[1099511627776]
# perl -e 'use POSIX "ctime"; printf "[%s]\n", ctime(int(1099511627776))'
[]
# perl -e 'use POSIX "ctime"; printf "[%s]\n", ctime(int(2147483648))'
[Mon Jan 18 21:14:08 2038
]