A point isn't a "unit for font measurement" - it is a unit of length. It is exactly 1/72nd of an inch, always. If one pixel is 1/106th of an inch on a 12" powerbook, then 1px!=1pt on that system.
Planet earth calling asdfghjklqwertyuiop... have you ever considered the logistics of stashing ***2^64 PHYSICAL DEVICES IN YOUR HOME***??? You can't get that many RFID tags into a large mansion, let alone cellphones or PCs.
Sigh... Come on now, this only requires third grade reading comprehension skills. Look at my original post he was replying to. I know how many addresses 2^64th is. I myself said in that post "That's over three times the surface area of the earth. Measured in square millimeters. For your network alone". The point of that statement was to refute his statement that "we will run out eventually, and much sooner than we expect".
Well yes. But, security, like ogres, onions, cake, and parfait should have layers. NAT provides a, yes rather weak, layer. But it is still a layer. So doing both is a good thing.
Not really. At best, it allows you to place the security of your network into the hands of your ISP by assuming that the ISP will never ever send packets addressed directly to your internal hosts to your router's external interface. I don't call that a layer of security, let alone one that is worth the inconveniences NAT provides.
That's a weakness that NATs share with firewalls. So you're hardly making a case for NATs being weaker than firewalls.
No it isn't. No correctly set up firewall will be susceptible to that type of attack where the ISP makes your network routable.
On the other hand, if you aren't using a firewall, every kind of NAT will be susceptible to that because NAT alone doesn't drop any packets, ever. It just translates or does not translate.
Perhaps your point isn't clear. The cheap NAT gateways (actually PAT, see below) everyone else is talking about don't do this (i.e. are secure), but I assume you are referring to a larger scale Cisco Router that a beginning network admin might activate NAT on thinking it will secure him.
Yes, that's right. But most of the cheap NAT gateways probably function that way internally also. It is just the web interface that prevents you from setting it up in that way.
For example, a number of linksys routers run linux. Linux can definitely be configured to NAT and NAT only, and it won't drop a thing. It is just the linksys web interface that prevents you from configuring it that way.
Honestly, your concerns sound like a seriously broken NAT implementation. If the "device" is not explicitly listening for the private IP address on the outside interface, why the heck isn't it dropping the packet that's not meant for it?
It isn't broken. It just isn't a function of NAT to decide to drop or accept packets. NAT just rewrites or does not rewrite. In just about every type of router there is, NAT and firewalling are separate and distinct things. The NAT standards don't specify dropping packets if they can't be rewritten, and it is just good design to keep those things separate. It gives you more flexibility and power and makes debugging easier.
The decision whether to drop or accept is a function of the firewall.
There's nothing broken about a NAT implementation that only Translates Network Addresses. It would be broken if it ever did more than that.
That's funny, from the link you provided I read the line "/128 when it is absolutely known that one and only one device is connecting". I'd say that almost all current ISPs would sell that as a standard home user address allocation, and charge for anything bigger similar to what they do already.
You read right - when it is absolutely known that only one device is there, give it a /128. I.e., for the end of a point-to-point interface. In your hypothetical situation the ISP is playing games. They should be giving out /48s or /64s since home networks are so abundant these days.
With IPv6 space so abundant, there is no reason for them to not assume that and just give them out by default.
However, all /48 assignments to end sites are required to be registered either by the LIR or its subordinate ISPs in such a way that the RIR/NIR can properly evaluate the HD-Ratio when a subsequent allocation becomes necessary. This translates to all /48s must be registered address spaces. E.g. apnic, arin etc. needs to be notified of the end user / end company it is assigned to. From that extra volume of work I'd have to say no home user would ever get that without paying for it.
I didn't interpret it that way... key words "LIR or its subordinate ISPs". Sounds like they just want the ISP to keep accurate records that they can present to the registry as justification for its allocated address space. They already have to do that with IPv4 space anyway if they want portable allocations directly from the registry (which most sizable ISPs do).
I feel I must point out your link was to apnic.net (asia pacific region), NOT ARIN (which most follow) or equivalent links to RIPE etc.
I think the others have similar practices... that is, in general, end subscribers are supposed to get /48s.
For a start, a lot of ISPs only offer one address, partly to encourage people to buy more expensive packages with multiple addresses, and NAT transparently solves that issue.
NAT doesn't transparently solve that issue at all. Nothing about NAT is transparent, quite the opposite. NAT is no substitute for real addresses for many reasons.
There is no reason to assume that increased availability of addresses will cause ISPs to offer more addresses to consumers - after all if they anticipate 100,000 single PC broadband connections, they are going to find it hard to get approval for 800,000 addresses (to allow a /28), even with the increased address space.
Read the standards and allocation policies for IPv6. The minimum amount of address space that the registry expects any end subscriber to get from the ISP is a /48 or /64 at a minimum. Given that fact, it will be quite easy for an ISP to justify a mere 800,000 addresses.
And even when you do have multiple addresses allocated, what about the users that have one more machine than usable addresses? Small company networks etc? No matter how many addresses IPv6 supplies, we will run out eventually, and much sooner than we expect.
We will run out of IPv6 addresses much sooner than expected? Do you have any idea how many IPv6 addresses there are? Given the standards above, the smallest amount that will be allocated to any single subscriber is a /64 = 2^64 = 18,446,744,073,709,551,616 addresses.
That's over three times the surface area of the earth. Measured in square millimeters. For your network alone.
In the end NAT offers security, [...] and a reasonable form of security
simplified network management with an excellent delineation point between vendor and consumer (the ISP doesn't have to worry about what is inside the end user network),
The ISP never has to worry about what is inside the end user network anyway. The only thing they're concerned with is the size of the prefix they're routing your way. That doesn't make any difference to them in terms of resource usage on their equipment. Only how many of their finite number of addresses are being consumed. And IPv6 makes that virtually irrelevant.
Care to explain how a stateful firewall makes one piss of difference to Grampa Pamade and Granny Goldbond over NAT? Either of those two needs to configure a proxy server to cache and control web sites accessed?
Sure. The firewall actually protects them from attacks. NAT doesn't. It just rewrites the addresses on certain packets. If a packet comes in to the outside interface of their router addressed to an internal host and thus not applying to NAT, it will go right on in. A firewall will block it.
Exactly. What the H*ll is a packet with a source or destination IP address of the private address space doing on the public internet? Why don't ISPs filter this crap at its source, the network's edge, instead of making me deal with this fluff.
They do. That doesn't save your ass in these situations:
Scenario 1: ISP gets hacked. Attacker sets up routes to your internal network. Attacker now has full access to your network and never even needed to lay a finger on your "firewall".
Scenario 2: Broadband ISP has everything set up such that the outside IPs of all customers in the area look like they're all on one big ethernet. Road Runner (Time Warner's cable ISP) works this way. Other customers in the area can set up routes to your LAN right on their own routers.
And people who consider the security of their own networks "fluff" are better off not being connected to the internet at all. They're just providing connectivity to that many more spam/ddos zombie hosts.
And for the record, have you actually tried this little experiment?
Yes.
most devices I know of would just drop that clearly troubled packet in the old bit bucket, not carefully move it to the "right side of the fence".
Most devices you know of (i.e., cheap consumer broadband routers) are not capable of being configured to perform NAT without filtering, at least not through the idiot proof web interface (and that's certainly a good thing).
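A worked illustration of the point argued above (NAT rewrites or doesn't rewrite; a stateful firewall accepts or drops) and of the "packet addressed to an internal host arrives on the outside interface" scenarios further down. This is added here and is not code from any poster; the gateway model, addresses and ports are constructed, and the ordering of translation and filtering follows Linux netfilter (DNAT before FORWARD filtering, SNAT after it).

```python
from dataclasses import dataclass, replace
from typing import Optional

INSIDE_PREFIX = "10.0.0."   # constructed private LAN behind the gateway
PUBLIC_IP = "203.0.113.7"   # constructed public address of the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Toy gateway: NAT always runs; the stateful firewall only if enabled."""

    def __init__(self, firewall: bool):
        self.firewall = firewall
        self.nat = {}        # public port -> (inside ip, inside port)
        self.state = set()   # (inside ip, port, remote ip, port) seen outbound
        self.next_port = 40000

    def translate(self, pkt: Packet, iface: str) -> Packet:
        """NAT proper: rewrite when a mapping applies, otherwise pass untouched."""
        if iface == "lan" and pkt.src.startswith(INSIDE_PREFIX):
            port, self.next_port = self.next_port, self.next_port + 1
            self.nat[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC_IP, sport=port)          # SNAT
        if iface == "wan" and pkt.dst == PUBLIC_IP and pkt.dport in self.nat:
            ip, port = self.nat[pkt.dport]
            return replace(pkt, dst=ip, dport=port)                 # DNAT
        return pkt   # nothing to rewrite: NAT alone never drops anything

    def handle(self, pkt: Packet, iface: str) -> Optional[Packet]:
        """Returns the forwarded packet, or None if the firewall dropped it."""
        if iface == "lan":
            # FORWARD filtering sees the original inside source; SNAT comes later
            if self.firewall:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return self.translate(pkt, iface)
        # wan: DNAT (PREROUTING) runs first, then the accept/drop decision
        pkt = self.translate(pkt, iface)
        if self.firewall and (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.state:
            return None  # no matching outbound flow: DROP
        return pkt


def run_scenario(firewall: bool) -> dict:
    gw = Gateway(firewall)
    out = gw.handle(Packet("10.0.0.5", 51515, "198.51.100.10", 80), "lan")
    reply = gw.handle(Packet("198.51.100.10", 80, PUBLIC_IP, out.sport), "wan")
    # The thread's case: someone upstream routes a packet for the private
    # host straight to the gateway's outside interface. No mapping applies.
    stray = gw.handle(Packet("198.51.100.99", 4444, "10.0.0.5", 80), "wan")
    return {"outbound": out, "reply": reply, "stray": stray}


if __name__ == "__main__":
    for fw in (False, True):
        r = run_scenario(fw)
        print(f"firewall={fw}: stray packet ->", "DROPPED" if r["stray"] is None else r["stray"])
```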
3) Views are a nice feature, but most often used to support business and reporting. I don't like managers connecting to the database to run queries (SELECT * FROM very_large_table_1, very_large_table_2; and suddenly you have cartesian join that results in tens of millions of rows coming back, bogging everything down). To do reports, views aren't necessary.
I'd say they're more often used to implement security than for reporting these days. If you've got a table which you only want certain rows or columns to be visible to particular users, generate a query that yields the right data for them and turn it into a view. Then grant them permissions to the view but not to the underlying tables.
Have you ever looked on the back of a Nintendo cartridge? It says "Licensed by Nintendo." In plain English, despite paying $50 for a physical copy, they can come knocking on your door and take it back if they want, since it's only licensed. Same with Windows. And HBO. Implied Contracts - Google it.
I did google it. What I found (on wikipedia) was "There is an implied in fact contract when the circumstances of the case and the circumstances surrounding the fact indicate that an agreement has been reached.". In this Nintendo game, the only agreement that has been reached was that I'd pay them $50 and they'd give me a copy of the game. Nothing about them being able to take it back at will.
What if the downloader is already an HBO subscriber, and just happened to miss the episode? HBO loses zero income to such downloaders, so you can't paint everyone with the same brush in this case.
It doesn't matter. Becoming an HBO subscriber doesn't give you ownership of their copyrights. The people that are distributing this show via BT are violating copyright, plain and simple. Even if you are a legit subscriber you are violating copyright as BT also shares the pieces of the content with others as it receives them (unless you want it to perform like crap).
Consumers would be legally sanctioned to break their contracts with the content provider. No sane business operator enters a contract in which one party has the right to disregard its terms at will,
What on earth are these contracts he speaks of? The vast majority of content providers do not require a contract. I know I have never been asked for one.
Use Blowfish or Twofish for proper 2 way encryption.
And then how do you store the key? On a USB flashdrive?
And what's "2 way" encryption?
Re: Why should you.. or anyone care?: Slave Mentali, on Pay vs. Happiness (Score: 2, Funny)
If you've got a 35-hour workweek, 6 weeks of paid vacation every year, free healthcare, free schooling through Bachelor's-level for your kids, and a guaranteed old-age pension.... would you give it all up so you could live in a country that had a slightly higher GDP????
It's a good thing until some naive soccer mom or religious nut job finds out you can get porn (gasp) through this muni broadband and then starts making a big stink about their tax dollars paying for their children to be corrupted. Then some local politician decides to cash in on the publicity and proposes a "save the children!" law to censor the whole local network.
Let's change DRM (Digital Rights Management) to DUM (Digitally Unusable Music), then we can call them "DUM CDs". Why accept the language of your opponent? Put it into plain terms people can understand.
Let's start calling copy protection defeating software Digital Rights Management software. We have rights that need to be managed too.
You can do anything (except copying for profit) you want with the disc, unless there is a contract preventing you from doing something. If it says "you are not allowed to play it on a Mac" well then you're not allowed to play it on a Mac.
But there is no such contract. I have never been required to sign a contract before buying a CD, have you?
And if you want x86, why would you buy Intel? Currently AMD runs rings around them architecture-wise and at competitive prices. Intel's and Apple's future lies in vapour-laden marketing material.
Because AMD has nothing that can compare to the Pentium M. Neither does IBM with their PPC chips, that's why Apple is switching.
Why is there more than one D/A conversion going on if your car stereo has a line-in? The mp3 player would convert it to analog, and why would the stereo convert it to digital again? It just needs to amplify the line-in.
But for a personal/home individual with 100+ GB of data, RAID is certainly loads better than hassling with tape backups or trying to create split ZIP volumes to burn to a DVD set, etc,
Copy it to an external hard disk or rsync to another machine.... backing up (really backing up) 100GB is not rocket science, nor that incredibly expensive.
Just make sure they're 3 LCDs. I had a triple head CRT setup for a while, kind of hard on the eyes. I traded it all in for a lightweight laptop with a high res display... I miss all the screen space, but I'm much more comfortable lying/reclining on the balcony while programming than sitting at a desk all the time.
Ummmm... speaking of "lamers who don't know networking", do you even know what NAT is?
I don't see what the problem is. If you only have one host you get a /128. If you have more than one host, they'll give you a /48 on request.
No it doesn't. Read the rebuttals.
What country is that?
It's called the menu bar.