To me, another sign that we've outgrown what the TCP/IP abstraction provides.
To me, it's just another sign we need to carve out a block of IPv6 for private IPs.
What's your proposed replacement "abstraction"? You haven't identified a fundamental problem with networking.
When people say "we've outgrown $FUNDAMENTAL_ABSTRACTION", what they mean is "I'm having problems, and I think if I start over, they'll all just go away." The world doesn't work like that.
All of that is true, but you are gonna have to do a hell of a marketing job to convince most people. NAT just feels right on an emotional "human" level. Firewalls dont.
That's too bad.
As much as it pains me to say it, I think we'll see an IPv7 or somesuch that provides strict backwards-compatibility with IPv4 while expending the address space.
solves problems felt by internet users
PKI is what you're looking for. A change in internet protocol won't help one damn bit with the problems you mention. A combination of opportunistic encryption and DNSSEC, on the other hand, will go a long way toward making the world a better place.
Was there a man dismay'd? Not tho' the soldier knew Someone had blunder'd: Their's not to make reply, Their's not to reason why, Their's but to do and die:
Sysadmins, on the other hand, are paid to "reason why", and to think. Tennyson's poem is about a heroic devotion to duty. Opposing IPv6 is a postmodern exercise in shortsighted idiocy.
So you're saying that a IPv4 home NAT router will fail safe, and an IPv6 home firewall will fail open? I don't see any reason IPv6 equipment can't be made to fail safe.
Besides, there are plenty of ways your home network can be compromised. If a machine is turned into a zombie, an attacker can use that machine to browse your local network. A private IP space alone is a shower curtain, not a bank safe.
Have you even heard of the OSI model? Why in god's name would you want to have a Layer 3/4 P2P protocol? That's what TCP and IPv4/IPv6 are for.
I've noticed that most technical people pass through a phase where they want to do everything themselves, where writing to the bare metal is cool. We've all had that urge at one time or another. It takes a certain amount of humility and world-weariness to realize that there's plenty of good work that's already been done.
You're begging the question. I've been waiting for a chance to use that phrase properly.
You assume that IPs need to be preserved, so you do good by only using one. Then you claim that moving to a more public internet is pointless because you don't need many IPs anyway. Because you've preserved them. Because they're scarce.
If people like you ran the world, we'd still be afraid of using fire to cook meat, or of sowing grain to produce wheat. Fortunately, the world is usually run by people who apply reason.
The OP is right. Packet filtering has nothing to do with NAT, and it's only your paranoia (or trollishness) that's preventing you from seeing that.
You can natively compare two v4 addresses by using a == b (which will translate into a single assembly instruction). You cannot do that on a 129 bit data item. Your choices are - memcmp, or defined operation (compare first 4 bytes, then next 4 bytes, then next, then next:) ). This is inefficient, prone to error and makes code less maintainable.
Come on. If you do development for a living, you've heard of abstraction. If you're open-coding memcmp, you're doing something wrong. Just hide the comparison behind a nice typesafe inline function and you're actually in better shape than if you'd stuffed an ipv4 address into a long int.
You don't buy certificates from these agencies. You buy them from CAs.
What these agencies would also do is attempt to buy certificates from these CAs as well, except they'd try to obtain certificates they weren't supposed to. When they did, they'd update their CRLs and shame the companies with lax verification.
You misunderstand me. The TSA is a different beast, with real power. The organizations I'm talking about have purely an advisory role. They would be able to do nothing a private citizen couldn't. They'd could nonprofits. I only imagine them being organs of government because these organizations couldn't (legitimately) turn a profit.
It'd be up to browsers to consult them.
Of course, you can do the same thing with browser updates, albeit with a much larger latency.
You misunderstand my proposal. The FBI and CIA abused special investigatory powers. On the other hand, these bodies I'm proposing only need the power any private citizen would have. They're only likely to be government organizations because there's no profit in them.
And the whole reason for having multiple organizations here is to avoid any one of them being made into a DoS-a-matic.
Each organization only has the "power" to state "this certificate is invalid" or "this CA's certificates are invalid." It's up to each browser to choose how to apply that knowledge.
As I've said before, the total volume of nuclear waste is minuscule; any long-lived waste is not very radioactive because of the way half-life works; we have no reason to believe Yucca Mountain is special; you conveniently ignore all the other toxic waste we're generating; etc.
Your post displays the kind of ignorance that I loathe. It's not based on anything but hypotheticals and fear. Our best bet is to go for a mix on wind, hydroelectric, and nuclear, and nuclear is going to have to be a much larger portion of the mix than the 10% you pulled out of your hat: the first two options are geographically limited.
Only one company can build the cores? Well, that means that I, enterprising industrialist, can build a new plant and make a killing. This is the kind of situation capitalism is perfect for.
It's a desert. Sure, there's some life there, but there really aren't all that many people. The purpose of environmentalism is to ensure a better future for us and our offspring, not to objectively help cacti and hares. If you want to do something with a desert, you need to exploit its resources, build a city on it, or irrigate it. Only the first doesn't require all that much water, and if you haven't noticed, we're a little short on water these days.
Destroying desert so we can better preserve fertile coastal plains is a wise move, and helps humanity. On the other hand, burning that oil from under the desert (what's left of it, anyway) will hurt humanity.
Somebody, preferably a government agency, should be in charge of testing CAs. CAs have very strong economic incentives to loosen verification rules in order to compete and sell more certificates. When one CA loosens its rules a little bit, all the others are compelled to do the same to stay competitive. It's a race to the bottom.
Market forces cannot solve the problem because there's a fundamental information asymmetry. Joe Myspace isn't going to understand what a root CA is, much less manually remove it from his browser. And even if he did understand what that meant, would he lose access to his favorite SSL-protected sites for some egghead's paranoid security fears?
We need regulation, and we need it now. We need several free, worldwide certificate revocation lists, and we need agencies running these lists to randomly and anonymous ensure CAs are following the verification rules.
Having just one CRL gives too much power to one authority, which is especially dangerous if these authorities are organs of government. Browsers should check all CRLs and consider a certificate invalid if, say, two-thirds of the CRLs say to do so.
It's not society's job to maintain your broken personal business model. Find a company and stick with it instead of building them up and flipping them.
Would you also drive past a terrible car accident on a lonely road without even calling 911? After all, you didn't crash your car. Why should you help the people who did?
Given that you are posting on Slashdot, you're probably rather technically oriented and rather secure financially. Consider those less fortunate than yourself: people who grew up without an education, or without ever having seen a computer. Consider the people who work at Tim Hortons sixteen hours a day, go home, watch some hockey and sleep.
Sure, you might argue that they're not contributing to society. But would you not be in the same position if not for some accident of fate? Do these people deserve to live any less than you do? Don't they deserve to experience life just as much as you do? It's not as if they can't afford medical care through any fault of their own. (And even if they have made mistakes: well, who here hasn't a made a mistake that might have ruined his life?)
What you're advocating is Social Darwinism. That's a consistent, but empty strategy that ignores all human feeling and empathy. Sure, it makes sense, but it ignores what makes us human in the first place.
As a commodity becomes increasingly scare, you'd expect to see increasingly complicated systems used to effectively distribute the last of it. The increase in speculation is an effect, not a cause, of our current oil crisis.
Carbon sequestration is both expensive and unproven. Nuclear power would be dirt cheap if it weren't for insane regulations, and it's been used for almost 50 years.
Slashdot Mirror
To me, it's just another sign we need to carve out a block of IPv6 for private IPs.
What's your proposed replacement "abstraction"? You haven't identified a fundamental problem with networking.
When people say "we've outgrown $FUNDAMENTAL_ABSTRACTION", what they mean is "I'm having problems, and I think if I start over, they'll all just go away." The world doesn't work like that.
That's too bad.
As much as it pains me to say it, I think we'll see an IPv7 or somesuch that provides strict backwards-compatibility with IPv4 while expending the address space.
PKI is what you're looking for. A change in internet protocol won't help one damn bit with the problems you mention. A combination of opportunistic encryption and DNSSEC, on the other hand, will go a long way toward making the world a better place.
Tennyson's cavalry men knew they would be facing certain death:
Was there a man dismay'd?
Not tho' the soldier knew
Someone had blunder'd:
Their's not to make reply,
Their's not to reason why,
Their's but to do and die:
Sysadmins, on the other hand, are paid to "reason why", and to think. Tennyson's poem is about a heroic devotion to duty. Opposing IPv6 is a postmodern exercise in shortsighted idiocy.
You're right. That's a serious problem. But why can't be get prefixes we can carry around between providers?
So you're saying that a IPv4 home NAT router will fail safe, and an IPv6 home firewall will fail open? I don't see any reason IPv6 equipment can't be made to fail safe.
Besides, there are plenty of ways your home network can be compromised. If a machine is turned into a zombie, an attacker can use that machine to browse your local network. A private IP space alone is a shower curtain, not a bank safe.
I've noticed that most technical people pass through a phase where they want to do everything themselves, where writing to the bare metal is cool. We've all had that urge at one time or another. It takes a certain amount of humility and world-weariness to realize that there's plenty of good work that's already been done.
You're begging the question. I've been waiting for a chance to use that phrase properly.
You assume that IPs need to be preserved, so you do good by only using one. Then you claim that moving to a more public internet is pointless because you don't need many IPs anyway. Because you've preserved them. Because they're scarce.
If people like you ran the world, we'd still be afraid of using fire to cook meat, or of sowing grain to produce wheat. Fortunately, the world is usually run by people who apply reason.
The OP is right. Packet filtering has nothing to do with NAT, and it's only your paranoia (or trollishness) that's preventing you from seeing that.
Come on. If you do development for a living, you've heard of abstraction. If you're open-coding memcmp, you're doing something wrong. Just hide the comparison behind a nice typesafe inline function and you're actually in better shape than if you'd stuffed an ipv4 address into a long int.
You don't buy certificates from these agencies. You buy them from CAs.
What these agencies would also do is attempt to buy certificates from these CAs as well, except they'd try to obtain certificates they weren't supposed to. When they did, they'd update their CRLs and shame the companies with lax verification.
You misunderstand me. The TSA is a different beast, with real power. The organizations I'm talking about have purely an advisory role. They would be able to do nothing a private citizen couldn't. They'd could nonprofits. I only imagine them being organs of government because these organizations couldn't (legitimately) turn a profit.
It'd be up to browsers to consult them.
Of course, you can do the same thing with browser updates, albeit with a much larger latency.
You misunderstand my proposal. The FBI and CIA abused special investigatory powers. On the other hand, these bodies I'm proposing only need the power any private citizen would have. They're only likely to be government organizations because there's no profit in them.
And the whole reason for having multiple organizations here is to avoid any one of them being made into a DoS-a-matic.
Each organization only has the "power" to state "this certificate is invalid" or "this CA's certificates are invalid." It's up to each browser to choose how to apply that knowledge.
As I've said before, the total volume of nuclear waste is minuscule; any long-lived waste is not very radioactive because of the way half-life works; we have no reason to believe Yucca Mountain is special; you conveniently ignore all the other toxic waste we're generating; etc.
Your post displays the kind of ignorance that I loathe. It's not based on anything but hypotheticals and fear. Our best bet is to go for a mix on wind, hydroelectric, and nuclear, and nuclear is going to have to be a much larger portion of the mix than the 10% you pulled out of your hat: the first two options are geographically limited.
Only one company can build the cores? Well, that means that I, enterprising industrialist, can build a new plant and make a killing. This is the kind of situation capitalism is perfect for.
It's a desert. Sure, there's some life there, but there really aren't all that many people. The purpose of environmentalism is to ensure a better future for us and our offspring, not to objectively help cacti and hares. If you want to do something with a desert, you need to exploit its resources, build a city on it, or irrigate it. Only the first doesn't require all that much water, and if you haven't noticed, we're a little short on water these days.
Destroying desert so we can better preserve fertile coastal plains is a wise move, and helps humanity. On the other hand, burning that oil from under the desert (what's left of it, anyway) will hurt humanity.
Somebody, preferably a government agency, should be in charge of testing CAs. CAs have very strong economic incentives to loosen verification rules in order to compete and sell more certificates. When one CA loosens its rules a little bit, all the others are compelled to do the same to stay competitive. It's a race to the bottom.
Market forces cannot solve the problem because there's a fundamental information asymmetry. Joe Myspace isn't going to understand what a root CA is, much less manually remove it from his browser. And even if he did understand what that meant, would he lose access to his favorite SSL-protected sites for some egghead's paranoid security fears?
We need regulation, and we need it now. We need several free, worldwide certificate revocation lists, and we need agencies running these lists to randomly and anonymous ensure CAs are following the verification rules.
Having just one CRL gives too much power to one authority, which is especially dangerous if these authorities are organs of government. Browsers should check all CRLs and consider a certificate invalid if, say, two-thirds of the CRLs say to do so.
In any case, the current situation is untenable.
I live in Buffalo, NY, just over the Canadian border. I suppose that explains a lot. :-)
It's not society's job to maintain your broken personal business model. Find a company and stick with it instead of building them up and flipping them.
Would you also drive past a terrible car accident on a lonely road without even calling 911? After all, you didn't crash your car. Why should you help the people who did?
Given that you are posting on Slashdot, you're probably rather technically oriented and rather secure financially. Consider those less fortunate than yourself: people who grew up without an education, or without ever having seen a computer. Consider the people who work at Tim Hortons sixteen hours a day, go home, watch some hockey and sleep.
Sure, you might argue that they're not contributing to society. But would you not be in the same position if not for some accident of fate? Do these people deserve to live any less than you do? Don't they deserve to experience life just as much as you do? It's not as if they can't afford medical care through any fault of their own. (And even if they have made mistakes: well, who here hasn't a made a mistake that might have ruined his life?)
What you're advocating is Social Darwinism. That's a consistent, but empty strategy that ignores all human feeling and empathy. Sure, it makes sense, but it ignores what makes us human in the first place.
As a commodity becomes increasingly scare, you'd expect to see increasingly complicated systems used to effectively distribute the last of it. The increase in speculation is an effect, not a cause, of our current oil crisis.
Fish have these things too. What's your point?
Carbon sequestration is both expensive and unproven. Nuclear power would be dirt cheap if it weren't for insane regulations, and it's been used for almost 50 years.
It remains feasible. Even without breeder reactors, however, nuclear power is a viable solution to our energy problems.
As the Greeks noticed, what makes a poison is the dose.