"Multiple people even within a household wanting to use the same thing on their pc is really so rare to you?"
Outside of bittorrent, yes.
It is pointless because it is designed for poking holes through NAT. And even a block-all-incoming firewall is better than NAT because at least you can fix it if you know what you want.
UPnP is not just designed to poke holes in a NAT, it is designed for automated admin of routers.
Defeats the point of being able to communicate.
No it doesn't. My mother can browse the web and use skype now. That's as much communication as she needs or wants. She sure as hell doesn't need her machine, which may or may not be compromised, up to date on security patches or whatever, having the ability to offer server capabilities to the entire internet.
It is better to allow people to communicate and run the risk of running stupid software that can allow their machine to get owned (which they already tend to do by trojans off the net anyway) than to block off the main purpose of the internet, communication.
Those who do not have the capacity to understand how to configure a network should be walled off. It is FAR better that they not be able to run a SIP program in a serverless way, than 90% of the world's machines get owned in a single day because a windows vulnerability was found.
Would be far better to secure the individual nodes and allow free communication except where the person knows enough that they don't need a specific type etc.
Oh sure, how about you come back to me when you've trained the entire world population on responsible network admin, computer security and frequent log scans.
It would be far better if we all had cars that ran on farts and gave out nothing but pure, clean drinking water as exhaust too.
In summary - you're crazy. NAT (not because of address translation, but its firewall side-effect) is the only thing keeping botnets as small as they are right now, and keeping black hats out of a hell of a lot of computers.
I don't think you have any idea of security.
"ohh, you need network? then connect and protect the damn thing..."
I don't disagree with the rest of your post, but that attitude is not helpful for the billions of non-tech savvy folks out there, who want something to work without them having to screw around with strange magic numbers and router configuration.
Why is NAT useless if you want non-routable addresses able to get client access to the net?
"That said port forwarding is stupid, if the network admin is opening ports it would be on the firewall, not port forwarding."
I don't really see the difference except in the situation where multiple machines on the network wish to run the same service on the same port. Otherwise, from my perspective as a user, it's identical.
Port forwarding to get around the braindeath that is NAT is pointless, and so is this option.[UPnP]
Right, so manual port opening is out because it's bad for home users, and so is auto port opening using UPnP because it's pointless... ?
I wouldn't call it pointless, just insecure in that it allows a compromised machine inside the network to bypass security.
"Of course having a proper admins is ideal, but failing that, leaving it open really isn't so bad compared to breaking the internet for anyone who doesn't merely want to be a consumer (and even some consumer uses)"
Leaving it open and machines, televisions, mobile phones, consoles, NAS boxes and a million and one other things that are marketed to consumers, open on the public internet by default, is a horrible, horrible option. Having NAT (or a default deny-all firewall) is extremely useful to protect the average consumer from direct hacking attacks via OS and device vulnerabilities (which will continue to exist) or malware that runs a server program on their home computer.
Leaving it open is the worst possible case.
Hell, my new laptop has a remote admin mode that runs below the OS that I only found out was present and on by default by poking around the BIOS. Even with that disabled I now can't trust it to be on the net without an intermediary.
And N00bs already have functioning software and do only care about consuming, you're talking about putting people with no training (and no idea where they are) on the front lines of a war.
The only sensible option I can see is to keep them in the present situation, walled off. Preferably un-routable, but certainly behind outgoing-only firewalls. The likes of us who want to run server software already can, and anyone who wants to write services for the masses will continue having to run a server to co-ordinate and forward traffic.
Is this not obvious? As far as I can see your argument comes down to "let them take the risk, my stuff will work better"
Just out of interest, how is having a default-deny inbound firewall (with no exceptions configured) different from a NAT situation for SIP?
Opening listening ports on machines on folks' home networks is still going to be problematic. You have a few options -
1. People open ports manually (bad, relies on end users to input a bunch of numbers)
2. Software opens ports automatically via UPnP (security risk)
3. Routers pre-configured to let through some common ports (security risk)
4. Routers ship 'open' (security risk)
"Securing your shit isn't what NAT is for, its just a side effect of breaking end to end connectivity that can far more effectively done by a simple 2 line firewall."
Except that the firewall breaks it just as badly, you still don't get two clients talking directly to each other because for most normal human beings the router is a black box not to be messed with, so they'll still have everything denied. And if you try to open ports for them you have a security risk, and if you have UPnP you have another security risk.
IPv6 and the removal of NAT does absolutely nothing for these users, with the potential to actually make things a lot worse.
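The question a few lines up (how a default-deny inbound firewall differs from NAT for SIP) and the answer just given (the firewall breaks direct peer-to-peer just as badly, and any hole you open for people is a risk) can be checked with a small model. This is an added example, not code from the thread. The phone, registrar and peer addresses are constructed, and `open_port` stands in for whatever a UPnP mapping or a hand-typed rule does on a real box:

```python
"""Why an unsolicited SIP INVITE dies the same way at a NAT box and at a
stateful default-deny IPv6 firewall, and how a LAN-side 'open this port'
request punches through both. Added model, not code from the thread; the
addresses and ports are constructed for the example."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]   # (local_ip, local_port, remote_ip, remote_port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulFilter:
    """The 'two line firewall': accept established/related, drop the rest.
    Outbound packets create flow state; inbound is accepted only as the
    reverse of a known flow or through an explicit hole."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()
        self.holes: Set[Tuple[str, int]] = set()      # (proto, dport)

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt                                     # no address rewriting

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt                                 # reply to our own traffic
        if (pkt.proto, pkt.dport) in self.holes:
            return pkt                                 # manual rule or UPnP hole
        return None                                    # default deny

    def open_port(self, proto: str, port: int, int_ip: str, int_port: int) -> None:
        """What a UPnP AddPortMapping or a hand-typed rule amounts to."""
        self.holes.add((proto, port))


class NAT44(StatefulFilter):
    """Port address translation layered on the same state table. The
    filtering decision is identical; only the address rewriting is new."""

    def __init__(self, wan_ip: str) -> None:
        super().__init__()
        self.wan_ip = wan_ip
        self.next_port = 40000
        # (proto, external port) -> (internal ip, internal port)
        self.mappings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = next((k for k, v in self.mappings.items()
                    if k[0] == pkt.proto and v == (pkt.src, pkt.sport)), None)
        if key is None:                                # first packet from this socket
            key = (pkt.proto, self.next_port)
            self.next_port += 1
            self.mappings[key] = (pkt.src, pkt.sport)
        ext = replace(pkt, src=self.wan_ip, sport=key[1])
        self.flows.add((ext.src, ext.sport, ext.dst, ext.dport))
        return ext

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.wan_ip:
            return None
        internal = self.mappings.get((pkt.proto, pkt.dport))
        if internal is None:
            return None                                # nothing to translate to
        established = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        if not (established or (pkt.proto, pkt.dport) in self.holes):
            return None                                # unsolicited: dropped, same as the firewall
        return replace(pkt, dst=internal[0], dport=internal[1])

    def open_port(self, proto: str, port: int, int_ip: str, int_port: int) -> None:
        self.mappings[(proto, port)] = (int_ip, int_port)
        self.holes.add((proto, port))


REGISTRAR = ("198.51.100.5", 5060)   # constructed: the phone's SIP registrar
PEER = ("203.0.113.9", 5060)         # constructed: someone trying to call directly


def run_scenario(gw: StatefulFilter, phone_ip: str, public_ip: str) -> Dict[str, bool]:
    """public_ip is what the outside world dials: the WAN address for NAT,
    the phone's own global address for the plain IPv6 firewall."""
    out = gw.outbound(Packet(phone_ip, 5060, *REGISTRAR))                       # REGISTER
    reply = gw.inbound(Packet(REGISTRAR[0], REGISTRAR[1], out.src, out.sport))  # 200 OK
    invite = Packet(PEER[0], PEER[1], public_ip, 5060)                          # direct INVITE
    before = gw.inbound(invite)
    gw.open_port("udp", 5060, phone_ip, 5060)                                   # LAN-side hole request
    after = gw.inbound(invite)
    return {
        "registrar_reply": reply is not None and reply.dst == phone_ip,
        "unsolicited_invite": before is not None,
        "invite_after_hole": after is not None and after.dst == phone_ip,
    }


if __name__ == "__main__":
    print("firewall:", run_scenario(StatefulFilter(), "2001:db8::20", "2001:db8::20"))
    print("nat44:   ", run_scenario(NAT44("192.0.2.1"), "192.168.1.20", "192.0.2.1"))
```

Both gateways give the same three answers: the registrar's reply gets in, the direct INVITE does not, and after something on the LAN asks for port 5060 it does. On a real IPv6 router the StatefulFilter class is a forward chain with policy drop plus `ct state established,related accept`; the NAT44 class is that same rule set with a masquerade on top, which is why taking the translation away changes nothing for the user who never opens ports and nothing for the malware that does.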
Then I hope routers will come with this stuff enabled by default.
And I hope that if ISPs make any changes that require home users to do anything, anything at all, that they have a lot of budget and helpdesk staff for existing customers and their diverse array of IPv4 hardware.
TBH (other than address space filling up) NAT wasn't imposed anyway. In the UK there were a variety of enthusiast ISPs that were happy to give out multiple public IP addresses if you wanted them.
Split-screen co-op is a sociable way to spend an evening with a mate or two (drop in a few beers too, of course).
I was most upset when it wasn't included in Resistance 2, after Resistance 1 had it. Turned it from an awesome shared experience to taking turns and one of you being a bit bored.
"So your mother likes it when random programs cannot connect to the network and do their job properly? (such as voip etc) something tells me she'll just shift the blame to the program instead of the broken use of nat."
Programs?
My mother has just about worked out how to start "the google", by which she means Firefox. I am perfectly comfortable with her having one-way internet.
Unless you want to argue that people being able to click 'host game' and having their friends connect to it is not something a normal person would like to do among other things, people DO need two way communication.
Hate to point it out, but the fashion has been to remove LAN capabilities from games recently....
There are different grades of net user with different requirements, for some with no clue (make that a lot with no clue) having NAT is a godsend. A properly configured firewall could be just as well, but I bet we're going to see a lot of badly configured (or just hackable) IPv6 routers over the next few years that just let people address all the sweet, unprotected devices beyond.
Not to mention that an IPv6 router without NAT is still going to require manual opening of ports, unless you're also in favour of the massive security risk that is UPnP for router control.
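For anyone who has not seen what "UPnP for router control" looks like on the wire, here is the exchange, reconstructed so it runs offline. This is an added example, not code from the thread. The gateway address 192.168.1.1, the description path and the sample reply are constructed; the multicast target, the search target, the SOAPAction and the AddPortMapping argument names are the real ones from the IGD WANIPConnection:1 service. Note that no step carries a credential:

```python
"""The UPnP IGD exchange a LAN program uses to open an inbound port,
reconstructed offline. Added example, not code from the thread; the
gateway address, description URL and reply text are constructed, the
message formats are SSDP and UPnP IGD WANIPConnection:1."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def ssdp_msearch(st: str = IGD_SERVICE, mx: int = 2) -> bytes:
    """Step 1: any process on the LAN multicasts this and waits for replies."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


# Constructed sample of what a gateway unicasts back to the M-SEARCH.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleIGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:12345678-1234-1234-1234-123456789abc::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Step 2: the gateway answers with an HTTP 200 whose LOCATION header
    names its device description, from which the control URL is read."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def add_port_mapping_request(ext_port: int, proto: str, int_ip: str, int_port: int,
                             desc: str, lease: int = 0) -> Tuple[Dict[str, str], bytes]:
    """Step 3: the SOAP action POSTed to the control URL. These headers and
    this body are everything the router gets; there is no credential in them."""
    action = f"{IGD_SERVICE}#AddPortMapping"
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{IGD_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'            # empty: any source on the internet
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{int_ip}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{escape(desc)}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'   # 0: until rebooted or deleted
        '</u:AddPortMapping></s:Body></s:Envelope>'
    ).encode()
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{action}"'}
    return headers, body


def parse_mapping_request(body: bytes) -> Dict[str, str]:
    """What a router log or a LAN packet capture can show: which internal
    host asked for which external port."""
    root = ET.fromstring(body)
    node = root.find("s:Body/u:AddPortMapping", {"s": SOAP_NS, "u": IGD_SERVICE})
    if node is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "") for child in node}


def mapping_risk_flags(fields: Dict[str, str]) -> List[str]:
    """Checks worth alerting on: open to any source, never expiring,
    or forwarding straight onto a privileged service port."""
    flags: List[str] = []
    if fields.get("NewRemoteHost", "") == "":
        flags.append("any remote host")
    if fields.get("NewLeaseDuration", "0") == "0":
        flags.append("permanent lease")
    if int(fields.get("NewInternalPort", "0")) < 1024:
        flags.append("privileged service port")
    return flags
```

To actually send step 3 you would POST the body to the controlURL listed in the rootDesc.xml document that LOCATION points at; that fetch is left out so the example runs offline. Nothing in steps 1 to 3 authenticates the caller, which is the whole objection: a trojan on the laptop can do exactly what the game client does. The last function is the defender's side of it, the fields you would pull out of a capture on the LAN or out of the router's own mapping table to see who opened what to whom.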
Having a private internal address doesn't fix those less-secure devices -- it's the device at the gateway to your home that permits or denies access.
True, but having them not even publicly routable gives me a better feeling about this than 'relying' on a firewall device. That's probably more of an emotional than factual response though.
It seems like the difference between a passive and active nuclear reactor damping system. An active one requires power and everything to be operational to intervene, a passive one requires power and operational status to stop the damping.
NAT essentially makes the internet one-way and to get around it involves serious hacks.
Which is PERFECT for people like my mother.
Suuure, because being against seriously breaking networks is a religion...
Not everyone considers it broken.
Router does this job, most modern ones already do. Get a domain for your network and allocate subdomains from your router.
LOL.
Get a domain! We're not talking about my network here, I'm tech savvy enough to set up whatever I want to. That said it's not like most folk would know an IP address if it bit them on the arse so fair enough, those of us that need to do stuff probably can.
I'd dispute that 'most' modern routers have this function though, and of the ones that have had it it's worked for about 50% of attached devices.
Not having machines publicly addressable is most definitely a security advantage.
I hear this all the time, that it's insecure, but I have yet to hear an actual good reason, do you have one?
Because NAT is perfect for plug-n-play devices with questionable per-device security. Why on earth should consoles and internet-aware appliances at my folks' house need a public address? They don't know much about security and getting rid of in-home NAT just exposes them to far more risk.
NAT == BAD seems to be a religious expression more than anything actually practical.
As for DNS... are we going to have a DNS server in every home now too? Every device is going to agree on the same WINS-style home-DNS registry protocol?
"And none of the hackers have actually hacked anything with regards to the PS3."
INCORRECT
The jailbreak is a bona-fide hack. It uses the USB ID of the Sony jig, but it then busts the USB driver stack and overwrites some kernel memory. This is a real exploit and not just a service mode device.
Most of the devices can now emulate a service-mode jig as well, but that only gets you the ability to downgrade software. The original hack is just that, a hack.
And the work on the PS3 is progressing, though slowly. A FOSS SDK is in the works and can now do some stuff, linux is there (though the main guy doing that seems to have disappeared) folks are working on customising the firmware to enable extra/debug features, just in the last few days another user has started figuring out a perma-break (i.e. dongle free) solution...
The 'scene' is young but there are people doing stuff, it's just that (unfortunately) Sony did quite a good job with things like firmware signing.
Stallman would say that we still need the code to have the freedom to customise it and redistribute our changes.
Yes, RMS is a zealot, and no, I don't agree with all of his politics, but he makes some good points. This is one of them.
I'm willing to compromise for a working system, but if I don't have to (by buying hardware that uses completely open firmware) then that's even better.
You're laughing because you have to apply and pay for a protest permit in the land of the free, but in much of the rest of the western world one simply informs the police what's going on and works with them out of courtesy?
And the US comes out of this looking great how? /confused, maybe I just don't get your sense of humour
Oh sure, but the fact is that enough people are interested in Linux and in netflix that there's a pretty good chance you'd find netflix backends for various FOSS media players in pretty short order.
And there was no 'whoosh' needed there. I just wanted to make the point that *you* may have an opinion on what constitutes open source, but it doesn't necessarily agree with everyone else's. It's not just linux, but neither is it some magical collaborative development model. It's just what it says - open source.
"Luckily uPNP works with these games as I can't forward the same port to several computers, so each computer has to negotiate a new uPNP port to forward in order to get connections"
NAT is full of fail
NAT is full of fail, but you allow software on potentially compromised machines (you run windows, right?) to decide what ports to open on your router?
Methinks it is you that is full of fail.....
LAN?
Enjoy your lack of LAN play on starcraft and the like. LAN is something else that seems to be going away.
And your evidence for that is ... a weak blog article.
A weak blog article that totally ignores the Wii phenomenon and the popularity of the recent mariokart etc.
"The obvious point that I made is that when you are a grown up, you have less inclination and opportunity to have this kind of gaming experience"
Says you. Other people still find time to visit buddies, have a few beers and play a game or two.
Generalising from yourself to "all grown ups" is silly.
So people that want to play in the same room as each other have some growing up to do?
Nice logic there sparky.
How's about this one to turn it around - People that play online games largely seem to suffer from a social disorder that results in them shutting themselves away in a darkened room for hours on end, playing games against complete strangers. Some people with a more society-normal social instinct still enjoy games but prefer to do so in company.
The UN is extremely effective at what it's designed for -
Peacekeeping and conflict prevention.
Yes, something modern like C or C++
"For one, AES is designed to have fixed key sizes, so "just switching to 512 bits" is not as trivial as you may think."
Err, no. AES was based on a simplification of Rijndael, which was designed for arbitrary key lengths. It should be fairly easy to adapt the AES algorithm to longer keys.
Maybe not trivial, but likely not that hard.
Meh, I was bored and it was more fun writing that than doing any work.
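As an added example (not from the thread), here is the FIPS-197 key expansion with Nk left as a parameter, which is the place where "adapting AES to longer keys" would mechanically happen. The standard only defines Nk of 4, 6 and 8 (Nr = Nk + 6); the Nr = max(Nk, Nb) + 6 line used for anything larger is Rijndael's own rule and has no analysis behind it at those sizes, so a 512-bit schedule out of this is a demonstration of the parametrisation, not a cipher to deploy. The S-box is generated rather than typed in, and the checks use the FIPS-197 Appendix A vectors:

```python
"""FIPS-197 key expansion with the key length as a parameter. Added
example, not code from the thread. Shows where Nk enters the schedule;
it does not claim a 512-bit variant is standard or secure."""
from typing import List


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> List[int]:
    """S-box = affine transform of the multiplicative inverse (FIPS-197 5.1.1)."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            for y in range(1, 256):                    # tiny brute-force inverse, built once
                if _gf_mul(x, y) == 1:
                    inv = y
                    break
        s = inv
        for i in range(1, 5):                          # b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def sub_word(w: int) -> int:
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def rot_word(w: int) -> int:
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF


def key_expansion(key: bytes, nb: int = 4) -> List[int]:
    """Return the Nb*(Nr+1) round-key words for a key of Nk = len(key)/4 words.
    Nk in {4, 6, 8} gives AES-128/192/256 exactly as FIPS-197 defines them;
    larger Nk follows the same recurrence with Rijndael's Nr = max(Nk, Nb) + 6,
    which is outside the standard (assumption for illustration only)."""
    if len(key) % 4 or len(key) < 16:
        raise ValueError("key must be a multiple of 4 bytes and at least 128 bits")
    nk = len(key) // 4
    nr = max(nk, nb) + 6
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 1
    for i in range(nk, nb * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = sub_word(rot_word(temp)) ^ (rcon << 24)
            rcon = _gf_mul(rcon, 2)                    # xtime, wraps via the polynomial
        elif nk > 6 and i % nk == 4:
            temp = sub_word(temp)                      # the extra SubWord for long keys
        w.append(w[i - nk] ^ temp)
    return w


if __name__ == "__main__":
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    print([f"{x:08x}" for x in key_expansion(k)[40:44]])      # last AES-128 round key
    print(len(key_expansion(bytes(range(64)))), "words for a 64-byte key")
```

The only things a longer key changes are the three lines that read `nk`: how many words are copied in, how often the RotWord/SubWord/Rcon step fires, and whether the extra SubWord at i mod Nk = 4 applies. That is the sense in which the change is mechanically easy; whether the resulting schedule still has the properties the 256-bit one was analysed for is a separate question this code says nothing about.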
1. Eric Raymond
2. The Cathedral and the Bazaar
3. I don't believe he said that.
4. It was never true. Linux is now as easy as windows to get things done with, easier for a lot of people. Not to mention that back in the days when it was damned hard work to get it working properly you were still learning about system internals and increasing your knowledge, therefore your skill set and marketability. Not to mention that my (huge, multinational) employer seems to think linux is fine for the desktop and the server room. And they have to pay for their employees' time.
The value added is that people will buy more FOSS friendly hardware if they wish to use debian, and that developers will turn their attention to any major gaps in support.
I've been running squeeze on multiple different architectures for months and haven't found anything it doesn't support yet.
In conclusion, you're a troll.