My employer, for example, will be a hard nut to crack in getting him convinced that VOIP is viable. What should my strategy be?
For a start, don't use Skype. It's a bad protocol design which is proprietary. You're far better off building your VoIP infrastructure on open technologies (IAX2 or SIP). Use of open technology is especially a big deal for companies since they're going to want to put in a local PABX, etc (Asterisk does an excellent job here). There is nothing that Skype does that can't already be done with open technologies - look around and you'll find plenty of SIP/IAX to PSTN gateways that you can use, and you can set up Asterisk to do least-cost routing amongst several of them. It's worth noting that VoIP is very worthwhile if you have multiple physically separate offices, work-from-home users, etc.
If you receive real, globally routed IPv6 addresses and your ISP behaves as it should and gives you a /48 subnet or similar, you won't need a router of your own. Just connect all your machines to a switch.
I don't know about you, but my ISP doesn't give me a nice ethernet connection to plug into. I have a DSL router which talks to the ISP and routes traffic from my local subnet (which is a real-world subnet) to the ISP over the DSL. I know this varies from country to country, but here in the UK our DSL is entirely PPPoA which means that the DSL router really does need to understand the protocol you're using - most only understand IPv4 (i.e. no one has made a PPPoA bridge yet).
I still think VOIP directories should be available through services like DDNS.
They can and they are, so long as you're not using a proprietary system. The ENUM system lets you do exactly this (have a look at e164.org). You register your phone number with the system along with details of what VoIP protocol you use and the address of the VoIP phone (or PABX). That address can quite happily be handled by a DDNS system somewhere, and people can look up your number on the ENUM DNS servers and then use those details to make a VoIP connection.
But in the long run, there will be no need for this anyway because when the PSTN finally dies there will be no need for phone numbers - you will just have email style addresses.
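As an added illustration of the lookup described in the reply above (example code written for this page, not from the poster, e164.org or any VoIP project): the number is mapped to its ENUM domain, the NAPTR records the tree would return are ranked and filtered by the protocols the caller speaks, and the winning record's regexp is applied to produce a contact URI. The records, host names and tree suffix are constructed, and the DNS query itself is left out so the code runs offline; the host in the resulting URI could just as well be a DDNS name, resolved in the usual way before the call is placed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Hypothetical example for this thread, not code from e164.org or any VoIP project.
# ENUM (RFC 3761) maps an E.164 number to a DNS name whose NAPTR records carry
# the contact URIs; e164.org runs its own tree, hence the configurable suffix.


def enum_domain(e164_number: str, suffix: str = "e164.org") -> str:
    """Strip everything but digits, reverse them, dot-separate, append the tree suffix."""
    digits = re.sub(r"\D", "", e164_number)
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + suffix


@dataclass(frozen=True)
class Naptr:
    """The NAPTR fields that matter for ENUM resolution."""
    order: int
    preference: int
    flags: str        # "u" means the regexp yields a terminal URI
    service: str      # e.g. "E2U+sip", "E2U+iax2"
    regexp: str       # "!pattern!replacement!flags" (RFC 3402 style)


def apply_naptr_regexp(naptr_regexp: str, number: str) -> Optional[str]:
    """Apply a NAPTR regexp field to the canonical E.164 number.
    Returns the rewritten URI, or None if the pattern does not match.
    Simplified: escaped delimiters inside the field are not handled."""
    delim = naptr_regexp[0]
    parts = naptr_regexp[1:].split(delim)
    if len(parts) < 2:
        raise ValueError("malformed NAPTR regexp: " + naptr_regexp)
    pattern, replacement = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2].lower() else 0
    match = re.search(pattern, number, flags)
    if match is None:
        return None
    return match.expand(replacement)   # expands \1-style back-references


def select_contact(records: Sequence[Naptr], number: str,
                   supported: Sequence[str] = ("E2U+sip", "E2U+iax2")
                   ) -> Optional[Tuple[str, str]]:
    """Pick the best usable record: lowest order, then lowest preference, among
    terminal ("u") records for a protocol the caller speaks. The URI scheme is
    checked against the advertised service before it is trusted, because the
    record content is arbitrary DNS data published in a third-party tree."""
    canonical = "+" + re.sub(r"\D", "", number)
    usable = [r for r in records
              if r.service in supported and "u" in r.flags.lower()]
    usable.sort(key=lambda r: (r.order, r.preference))
    for rec in usable:
        uri = apply_naptr_regexp(rec.regexp, canonical)
        if uri is None:
            continue
        expected_scheme = rec.service.split("+", 1)[1].lower() + ":"
        if uri.lower().startswith(expected_scheme):
            return rec.service, uri
    return None


# Constructed records, standing in for the answer the ENUM tree would return
# for +44 1632 960123 (a UK number from the range reserved for fiction).
SAMPLE_RECORDS = [
    Naptr(100, 20, "u", "E2U+sip",  r"!^\+44(.*)$!sip:\1@pabx.example.org!"),
    Naptr(100, 10, "u", "E2U+iax2", r"!^.*$!iax2:pabx.example.org/clock!"),
    Naptr(200, 10, "u", "E2U+h323", r"!^.*$!h323:gw.example.org!"),
]

if __name__ == "__main__":
    number = "+44 1632 960123"
    print(enum_domain(number))                    # 3.2.1.0.6.9.2.3.6.1.4.4.e164.org
    print(select_contact(SAMPLE_RECORDS, number))  # ('E2U+iax2', 'iax2:pabx.example.org/clock')
```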
Honest question, what does SIP, an all-in-one protocol, offer you that traditional implementations don't?
Ok, I think IAX2 is a far better protocol than SIP because it's not as complex from the networking point of view, so this reply will be based on VoIP in general rather than specifically SIP.
There are 2 areas to consider, the first is an internal (e.g. office-wide) phone system and the second is a replacement for the PSTN:
Office phone system:
1. Less cabling infrastructure - instead of separate cables for phone and data you can run both down the same wiring. This is a big deal in large buildings.
2. You don't necessarily need to invest in actual physical phones; you may find it advantageous to have a softphone on your workstation instead.
3. People who are out of the office can log into the phone system from home/hotel/wherever and use it as if they were on an internal extension.
4. You can hook all your branch offices into the main phone system over the Internet.
5. I'm sure there are more advantages :)
As a PSTN replacement the big deal is that there is no phone company involved unless you're having to gateway to the PSTN, thus no call charges. This is really good news for anyone who spends vast amounts of money on calls. And even if you're gatewaying to the PSTN you can do least-cost routing to gateways near the destination. i.e. if I run a business with customers in the UK, US, Australia, etc. I could subscribe to gateways in those countries and route the calls appropriately, which is likely to be way cheaper than paying BT to carry international calls.
At some point in the future (hopefully soon), the PSTN won't exist at all - you will phone people over the internet using nice easy to remember phone addresses in the same way as you use email addresses. You won't pay anyone to carry those calls, just your usual internet bandwidth charges. You can already do this now if you're phoning the right people. e.g. you can phone the speaking clock running on my Asterisk server by calling IAX2/pabx.nexusuk.org/slashdot.
This is one of the primary reasons for dumping IPv4 and going IPv6.
I have been working on setting up my own IPv6 network. I am even investigating the possibility of getting true native IPv6 addressing along side IPv4 from my ISP.
I too have been using IPv6 for a while, unfortunately Asterisk currently doesn't support it.
You don't actually need a native IPv6 connection from your ISP - you can get away with using 6-to-4 dynamic tunnelling, which is what I do. In fact a big problem with rolling out IPv6 natively is that I am not aware of any consumer grade DSL routers that support IPv6, so the PC to ISP connection at least would have to be tunnelled. Of course I'm hoping most ISPs wake up soon - if the ISP I use installed their own 6-to-4 gateway (and preferably advertised it using the anycast address) then I would be very happy.
By far the fastest way to roll out IPv6 would be to have the next version of Windows configured to use it by default. The sheer number of people who wouldn't know anything about it would increase the size of the IPv6 network massively.
The ability to circumvent NAT is why programs like Skype have such popularity and why Linux users looking for more control have been quick to investigate Asterisk and its IAX2 protocol.
I think IAX2 is definitely the way forward because of its external simplicity (one fixed UDP port carries everything).
I believe Skype uses a TCP session to carry the traffic, which makes it a fundamentally bad design (not to mention closed and proprietary). Unfortunately it's easy for complete eejits to set up and they have good marketing so they're getting some business. (Of course there is nothing that they're doing which an IAX to PSTN gateway couldn't do with some decent software and a marketing budget).
Speaking of which, does anyone know of any decent IAX2 or SIP softphones for Linux? ATM I'm using IAXComm which is not without its problems. Kphone was unstable and almost totally feature-free when I tried it. GnomePhone is IAX1, not IAX2. GnomeMeeting is H.323 only (although they've been saying the next version will have SIP for the past year)...
(I'm also looking around for a Symbian UIQ softphone to run on my P900 but as far as I can tell, none exists).
Open standards are all very well, but for the time being at least, SIP is going to be a good technology so we can connect our computers to big carriers and interoperate with the POTS.
In the end there will be no such thing as a telephone service provider - the PSTN will eventually die so there will be no need to gateway to it and then it's only a matter of time before everyone using Skype, etc realises they can do everything with direct peer-to-peer communications and skip the 3rd party completely.
The whole phone system is likely to move to a setup similar to email, where you will just enter an email style address and it'll connect you (we will need something similar to MX records in the long run I think). We're already part way there - i.e. you can call IAX2/pabx.nexusuk.org/slashdot to get to the speaking clock on my Asterisk server. :)
Problem is, many states don't have laws against frivolous lawsuits, so there may be no basis for a countersuit, especially if the spam itself were not illegal.
When you sign up to an ISP you agree to their AUP. If you've broken the AUP then they have every right to kick you out. I cannot see how you can seriously sue someone for informing the ISP that one of their customers was breaking the AUP. (In fact, I'm sure most AUPs give the ISP the right to terminate your service at their discretion).
You claim that NAT is a kludge. How so? It provides a useful feature and the ability to have a stand-alone internal network with a single access point.
It is a kludge to work around the lack of IP address space. If there were enough addresses to give one to every machine (see IPv6) then you wouldn't need it - you can still have an internal network with a single access point, but every machine on that network would have a real IP address.
Guarding every box on a network singularly is a PITA and far FAR beyond what the average person or corporation wants to do.
Why do you need to guard every box singularly? Just tell the firewall between your network and the internet to not allow incoming connections for your subnet. You do not require NAT to do this.
My point was not that NAT does not have security benefits, it was that you do not need NAT to get the same (better) security just as easily (easier in fact, since you avoid the problems associated with translating addresses).
Since home routers use private network addresses (such as 192.168.x.y), if anyone on the internet sends a packet to your internal IP address it will be dropped by the first router it encounters because it will be unroutable.
*sigh* you haven't read what I said - Yes, it is unlikely but it seems like bad security to me for your security to rely on hardware you don't have access to to be configured correctly when there is a better way.
so unlikely that it can be ignored completely
I'd hate to have you doing security programming. "Oh yes, they could overrun that buffer and get root access, but it's statistically so unlikely that I'll ignore it... oops, they just did".
A big chunk of security work is thinking up unlikely things which could happen and closing those holes.
I know exactly how NAT works. If someone connects to one of your *INTERNAL* addresses from the outside world (not the router's address) then the router *WILL* allow the traffic through - all consumer grade DSL routers I've come across do this in their default configuration. Since the traffic is directly addressed to the internal network it will bypass the NAT system completely. (Trust me - I've seen it happen several times on misconfigured customers' routers).
Compare to a connection tracking firewall, which does connection tracking in the same way as a NAT system does, except it actually does firewalling based on it.
In any case, my original argument wasn't to discount the security that you inherently get from a NAT system, it was to say that you get at least the same security from a connection tracking firewall without many of the inherent problems you get from NAT, so in the case where you don't need NAT it would be better to avoid it. (From a technical perspective).
And as to my comment that you questioned, it is simply that you would find it difficult to find an ISP over here that would give you a block of IP addresses for free.
So your original comment that *I* wouldn't get an ISP account is completely wrong, you meant that *YOU* wouldn't be able to get a suitable account. As I said, in the UK it is very easy to get small IP subnets for free from any reasonable DSL provider if you need them. It seems that people in the US are being royally screwed then by being charged for something which is free.
Let's assume that the script kiddie in question is across the country. They send a packet to 192.168.0.1. How does this get to me? Answer: it wouldn't. This is a non-issue. You cannot route this packet, as the address does not go anywhere.
Your assumption is invalid - the script kiddie could be on the same ISP as you, connected to the same ISP-side router.
If a packet does not match the data in the table, it is blocked.
If the packet is destined for the router's address then yes it's blocked. If it's destined for a machine behind the router then it won't be blocked (I know of no consumer grade DSL router which blocks such packets by default). My whole argument is that you are in part relying on the ISP not to actually route certain packets to you. Admittedly the chance of them doing so is small but IMHO relying on their configuration at all is inherently bad security.
You still haven't explained where the _security_ advantage is in using NAT over a connection tracking firewall.
Then we would not be having this discussion, except maybe by snail-mail. You simply would not be likely to have a broadband connection.
Err, huh? Explain how you came to this conclusion?
Ummmmm. Some random script kiddie at some random IP address sends a packet my way. My NAT box ignores the packet, and my PC never even sees it. I find some value in this. This is not 100% security, but it sure helps. Traffic cannot find its way in unless my PC first opens a port to that specific IP.
Wrong, if your PC is on 192.168.0.1 (for example) and some random script kiddie sends a packet to that address which somehow gets routed to you (maybe your ISP's router is misconfigured) then your NAT router will route it to your PC with no problem at all. So as I said, you are relying on the behaviour of the ISP's routers being "correct".
Doing NAT requires the router to do some kind of connection tracking. However the router doesn't block based on that connection tracking. Compare with a connection tracking firewall which will do all the connection tracking and actually block packets based on that without doing NAT - you get better security (i.e. the same amount of security you get if you combine NAT with a properly configured ISP, but without actually having to rely on the ISP to be configured correctly), plus you don't get any of the many problems that NAT causes.
Assuming there is no IP address shortage, where is the advantage of using NAT instead of a connection tracking firewall? There is none. There are however big disadvantages with doing NAT.
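The distinction argued across these posts, as an added model written for this page (not code from any real router or firewall product): the same packet trace is run through a NAT-only router and through a connection-tracking firewall. Both keep a state table, but only the firewall uses it as the forwarding decision; the NAT box simply routes a packet that already carries a LAN destination, which is the behaviour the posts describe. The addresses, ports and the device behaviour are constructed, and the same 192.168.0.1 host address is used in both scenarios purely so the traces line up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model for this thread, not the code of any real router or firewall.
LAN_PREFIX = "192.168.0."      # the private LAN behind the device
ROUTER_WAN_IP = "203.0.113.7"  # constructed address from the documentation range

Verdict = Tuple[str, Optional["Packet"]]   # ("FORWARD" | "DROP", emitted packet)


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a new connection attempt


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class NatOnlyRouter:
    """Translates outbound flows and un-translates their replies. Packets that
    arrive on the WAN side already addressed to a LAN host never touch the NAT
    table: they are simply routed, as the posts above describe."""

    def __init__(self) -> None:
        self.table = {}          # (peer_ip, peer_port, mapped_port) -> (lan_ip, lan_port)
        self.next_port = 40000

    def handle(self, pkt: Packet) -> Verdict:
        if pkt.iface == "lan" and is_lan(pkt.src):
            mapped = self.next_port
            self.next_port += 1
            self.table[(pkt.dst, pkt.dport, mapped)] = (pkt.src, pkt.sport)
            return "FORWARD", Packet("wan", ROUTER_WAN_IP, mapped, pkt.dst, pkt.dport, pkt.syn)
        if pkt.dst == ROUTER_WAN_IP:
            entry = self.table.get((pkt.src, pkt.sport, pkt.dport))
            if entry is None:
                return "DROP", None      # no mapping: nothing to translate to
            lan_ip, lan_port = entry
            return "FORWARD", Packet("lan", pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
        if is_lan(pkt.dst):
            # Destination is a LAN address: ordinary routing, NAT not consulted.
            return "FORWARD", Packet("lan", pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.syn)
        return "DROP", None


class StatefulFirewall:
    """Same connection tracking, no translation, and the state table *is* the
    policy: a WAN packet is forwarded only if a LAN host started the flow."""

    def __init__(self) -> None:
        self.flows = set()       # (lan_ip, lan_port, peer_ip, peer_port)

    def handle(self, pkt: Packet) -> Verdict:
        if pkt.iface == "lan":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "FORWARD", pkt
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "FORWARD", pkt
        return "DROP", None          # unsolicited, whatever address it carries


def run_scenario(device) -> List[str]:
    """Four packets: a LAN host connects out, the server replies, then two
    unsolicited SYNs arrive from the WAN side, one addressed straight to the LAN
    host (the misrouted case argued above) and one to the router's own address."""
    verdicts = []
    out = Packet("lan", "192.168.0.1", 51000, "198.51.100.10", 80, syn=True)
    verdict, emitted = device.handle(out)
    verdicts.append(verdict)
    # The server answers whatever source address the emitted packet carried.
    reply = Packet("wan", emitted.dst, emitted.dport, emitted.src, emitted.sport)
    verdicts.append(device.handle(reply)[0])
    stray_to_host = Packet("wan", "198.51.100.99", 4444, "192.168.0.1", 445, syn=True)
    verdicts.append(device.handle(stray_to_host)[0])
    stray_to_router = Packet("wan", "198.51.100.99", 4444, ROUTER_WAN_IP, 445, syn=True)
    verdicts.append(device.handle(stray_to_router)[0])
    return verdicts


if __name__ == "__main__":
    print("NAT only :", run_scenario(NatOnlyRouter()))     # [..., 'FORWARD', 'DROP']
    print("stateful :", run_scenario(StatefulFirewall()))  # [..., 'DROP', 'DROP']
```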
Also, I would rather doubt that ISPs in America will start handing out blocks of addresses without wanting some money. At one time, my cable modem provider wanted $10 per month for an additional IP. v6 will make them more plentiful, but why would they want to turn down a free revenue stream? I admit that I could be wrong, but I am used to being charged for everything, especially with cable providers.
I think you're being completely ripped off - I would never use an ISP that took this kind of attitude (and as I've already said, in the UK it's exceptionally easy to get small subnets for free if you can justify the use, even on cheapo home DSL accounts).
The whole point of IPv6 is to make IP addresses so plentiful that everyone has practically as many as they need without the use of NAT (e.g. you could have lots of IP-enabled appliances in your home). The concept of ISPs only giving you a single IPv6 address completely undermines the concept. Remember that the internet was _never_ designed to be a client/server model, it was always designed to be peer-to-peer, and that's a concept that NAT destroys.
Imagine being able to log into your central heating system and turn on the heating remotely when you're returning from holiday, etc. Yes, there are obviously security considerations but it's that kind of useful stuff that you can do if you have massive amounts of address space.
(Not to mention the fact that having a 128-bit address space probably makes network scanning by worms reasonably unfeasible).
Almost, but not quite. For home users, NAT will always have a place, as long as ISPs only include one IP address, and want to charge $$$ for a second or third IP.
They shouldn't be doing this under IPv6 - everyone will be getting a reasonably sized subnet. And besides, if your ISP is doing this under IPv4 you need to change ISP - I have a normal home user account from PlusNet and they are quite happy to hand out small IP subnets (4, 8 or 16 addresses) for free so long as you can provide justification for their requirement. Most reasonable UK ISPs will do this for DSL connections on their standard accounts; if this isn't the case in the US then I think you're being horrendously ripped off.
This was the rationale behind the first NAT boxen, with the firewall being a happy side-effect.
NAT was designed to alleviate the IP address space shortage, period. There is no reliable security in doing NAT - you're relying on your ISP's routers to "do the right thing". If you want that kind of security you need a connection tracking firewall.
What you say is true for business users who get a block of addresses, though.
As I said above, so long as you can provide justification for the need, most decent UK ISPs will give you a small subnet for free, even on home accounts. However, this wasn't the original argument: the original argument was that you do not need NAT for security (a connection tracking firewall does the job properly and without all the nasty side effects) and that once the IP address space problem is removed (e.g. through IPv6 roll out) you will neither need nor want NAT. NAT is a kludge that works for the short term but causes many problems - the sooner we can ditch it the better.
Correction. NAT is not as secure as any firewall. Period. NAT is not a security feature, it's a convenience feature. NAT != Firewall.
Correct - using NAT as security involves relying on hardware you don't control doing something that's reasonably undefined. Specifically: if you have a Windows machine on 192.168.0.1 behind a NATting router and the ISP decides to route traffic for 192.168.0.1 to your router, your router will quite happily forward it on. (Unlikely to happen, but IMHO relying on an ISP to do what you perceive as "the right thing" is bad security).
I don't know about you... but I am not going to stop NAT'ing and/or PAT'ing my internal network off of the rest of the net no matter what IP version they want to implement. I only need 1 real world IP. I only WANT 1 real world IP.
Why? The *only* reason for using NAT/PAT is to relieve the IP address shortage. Under IPv6 this will no longer be needed so it is far more sensible to give every machine a real address and control access with a firewall. Indeed, ip6tables doesn't even support NAT because it is not required, nor usually wanted. (Ever tried to run H.323 over a NAT?)
And in answer to your question - I already use IPv6, all my machines have real world IPv6 addresses and I do no NAT on IPv6 traffic. I do, obviously, have an IPv6 firewall to control access. Of course, even now, everyone with an IPv4 address automatically has a /48 IPv6 subnet on the 6-to-4 system if they bother to turn it on. (By far the best way to roll out IPv6 support would probably be for MS to do this by default on Windows since then you would end up with millions of machines which have just defaulted to using it). Of course a big problem for the IPv6 roll out is that almost no consumer-grade DSL routers natively support it, so at least the PC to ISP part has to be tunnelled over IPv4, even if the ISP were to natively support IPv6.
Argh! Why does everyone keep talking about how wonderfully secure NAT is? NAT is just as secure as a connection tracking firewall, and far more troublesome. Hopefully when IPv6 eventually gets rolled out it will change people's views since NAT won't be needed (or wanted) anymore.
It's great that we can download stuff off the net... but in reality that could hurt the possibility of a second season.
The TV companies, MPAA, etc always complain about people downloading episodes/movies from the net before they've been released in the respective country (hell, they even complain about people in a country where a series has been shown spoiling plot-lines for people in countries where it hasn't shown). This, of course, is one of the main reasons for the regionalisation of DVDs... not that it does any good since anyone who was going to import stuff will have deregionalised their player anyway.
Here's a stunning thought, and I'm sure no one at the TV companies or MPAA has thought about it... How about they release the series and films at the same time across the world. I'm sorry, but if you release a series in one country 6 months before its release in another, I think you can expect people to get impatient and download it.
The difference of course with Galactica is that it's all reversed - usually in the UK we have to wait over 6 months for TV shows to come over from the US, now the US is getting a taste of what we have to put up with all the time.
Having said that, and to stay slightly on topic: my view of the new Galactica (which they keep describing as totally action packed in the trailers) is that there isn't enough action and it's taking rather too long for the story to develop. I can quite see people losing interest in it - nowhere near as good as Firefly which had a very good balance between action and story IMHO... Hey, we haven't even seen anyone flying a Viper in the last few episodes, and Baltar's imaginary Cylon has been plain annoying from the start.
I'm sorry, but you do need a firewall. It can be software, and it can be one that doesn't ask you which apps can access the internet. But why would you put a naked machine on the internet with no firewall whatsoever?
If you have a firewall to block access to specific services, why have you got those services running in the first place?
A firewall is useful as a fail-safe (i.e. you have to screw up the configuration of both the firewall and the services before you open a security hole), but if you're using it entirely to protect you instead of making sure your services are configured properly then you're stupid.
However, from the know-nothing consumer point of view, I think it's fair to expect that *someone* would have taken care of it.
From the customer point of view I would expect that the OS vendor would've made the default configuration of the services sane (i.e. which services are actually enabled by default and where they will accept connections from). As I said above, the only reason for having a firewall on a stand-alone machine connected to the internet is as a fail-safe, and that inherently means you have 2 independent controls to do essentially the same job (one to enable the service, another to poke holes in the firewall), which IMHO would not be considered user friendly by the user interface people.
If it's an ISP issue, your cable company.
I don't see how the ISP can be held responsible for you plugging an unsecured machine into the internet - that's like suing the council who own your road because they let some burglars up the road to your house which you had neglected to lock. The ISP really is no place to be doing default filtering since the very things you're filtering might actually be needed by some people so long as those people have set it up OK and understood the risks. A perfect example is SMTP - you might suggest the ISP blocks all direct SMTP connections to reduce spam and viruses transmitted by email, but some of us have securely configured SMTP systems and *do* want to use direct SMTP.
Know-nothings are still somehow slipping through the cracks and their computers are getting hosed by malware.
Maybe the ISPs should offer an installation service in which they will come out to visit you and install the internet connection (together with correctly configuring your machine). Of course there is inherently cost here and I question the quality of the network engineers that many ISPs would use.
A big problem is that people want something for nothing (or at least very little) - many people would pay a mechanic to change the oil in their car, but wouldn't pay someone to configure their internet connection. If you tried to change your own oil and you under-filled the engine and caused massive damage, you wouldn't blame the engine manufacturer or the oil manufacturer would you? People have to learn where to place blame - if you don't know enough to configure the computer yourself, you can't try anyway and then blame anyone and everyone when it goes wrong.
I think it's fair for consumers to expect that, after paying all this money to all these different people, they'd have a trouble-free means of accessing the internet.
Yes and no - I think it is fair to expect that the computer they pay for is usable and as secure as possible by default, but I don't believe it is the manufacturer or the ISP's fault when someone decides they want to turn their mail service into an open relay, and I don't believe the ISP is the place to do the majority of filtering.
It is as much about psychology, the art of the con, how cleverly you bait the trap, as it is about the technology of a particular O/S. So long as a user can install an executable, there will always be a way in.
This is true. However, a large proportion of Windows spyware is installed through security holes, and this is where education can't help (short of educating people not to use such broken software).
I think The Register got it spot on - MS are selling a toaster that will frequently catch fire (with a licence agreement that makes sure they're not held responsible) and then giving you a free fire extinguisher to stop your house burning to the ground when it does.
Why does MS get away with it, whereas anyone actually selling a toaster that frequently bursts into flames would be sued into the ground?
Even if your computer isn't vulnerable, you're still paying in terms of the bandwidth used up, both from machines outside the ISP sending virus mail into the network, and compromised machines within the network wasting outgoing bandwidth.
IMHO what should be happening (and I have no objection to this) is that the ISP detects compromised hosts on their own network and kicks them off until they're fixed. I don't honestly see a huge advantage in scanning inbound traffic in the same way - the bandwidth has already been used by the virus getting to the ISP, once inside the ISP's core network the bandwidth is essentially free. DSL lines aren't charged on a per-byte basis, and the amount of traffic caused by a virus arriving over a DSL line is reasonably small, certainly not enough to warrant paying to have the bandwidth cap raised on the line.
You wouldn't have to. Instead find yourself an ISP that advertises lower costs because it doesn't spend money on features useless to savvy users. The vast majority of people would be better off with the virus-scanning ISP. You'd be better off with the non-virus-scanning ISP.
Doesn't work like that - when the average user looks at 2 ISPs and one is cheaper, which do you think he'll choose? The answer is the cheaper one, even though they don't offer the best solution for him.... and then he'll bitch and moan about how crap his ISP is because it doesn't have a service that suits him.
I'm afraid I don't see that as justification for me subsidising band-aids for people who insist on running a broken OS. I would be slightly more happy if that money went into subsidising the conversion of these people to a proper OS.
Well, I guess the same applies in reverse every time you visit a website running on Windows. Doesn't it?
(Personally, I'd say "I don't think so..." to both cases)
I'd agree with the "I don't think so" comment... but more to the point I don't care if the Windows machine running the website I'm visiting gets cracked :)
It's not my problem, I'm not clearing up the mess, and the only way it will affect me is that I might not be able to get to a useful website while they fix the problem.
My employer for eample, will be a hard nut to crack in getting him convinced that VOIP is viable. What should my strategy be?
For a start, don't use Skype. It's a bad protocol design which is propriatory. You're far better off building your VoIP infrastructure on open technologies (IAX2 or SIP). Use of open technology is especially a big deal for companies since they're going to want to put in a local PABX, etc (Asterisk does an excellent job here). There is nothing that Skype does that can't already be done with open technologies - look around and you'll find plenty of SIP/IAX to PSTN gateways that you can use, and you can set up Asterisk to do least-cost routing amoungst several of them. It's worth noting that VoIP is very worthwhile if you have multiple physically separate offices, work-from-home users, etc.
If you receive real, globally routed IPv6 addresses and your ISP behaves as it should and gives you a /48 subnet or similar, you won't need a router of your own. Just connect all your machines to a switch
I don't know about you, but my ISP doesn't give my a nice ethernet connection to plug into. I have a DSL router which talks to the ISP and routes traffic from my local subnet (which is a real-world subnet) to the isp over the DSL. I know this varies from country to country, but here in the UK our DSL is entirely PPPoA which means that the DSL router really does need to understand the protocol you're using - most only understand IPv4 (i.e. noone has made a PPPoA bridge yet).
I still think VOIP directories should be available through services like ddns.
They can and they are, so long as you're not using a propriatory system. The ENUM system lets you do exactly this (have a look at e164.org). You register your phone number with the system along with details of what VoIP protocol you use and the address of the VoIP phone (or PABX). That address can quite happyilly be handled by a DDNS system somewhere, and people can look up your number on the ENUM DNS servers and then use those details to make a VoIP connection.
But in the long run, there will be no need for this anyway because when the PSTN finally dies there will be no need for phone numbers - you will just have email style addresses.
Honest question, what does SIP, an all in one protocal, offer you that traditional implementations don't?
:)
Ok, I think IAX2 is a far better protocol than SIP because it's not as complex from the networking point of view, so this reply will be based on VoIP in general rather than specifically SIP.
There are 2 areas to consider, the first is an internal (e.g. office-wide) phone system and the second is a replacement for the PSTN:
Office phone system:
1. Less cabling infrastructure - instead of separate cables for phone and data you can run both down the same wiring. This is a big deal in large buildings.
2. You don't necessarilly need to invest in actual physical phones, you may find it advantageous to have a softphone on your workstation instead.
3. People who are out of the office can log into the phone system from home/hotel/wherever and use it as if they were on an internal extension.
4. You can hook all your branch offices into the main phone system over the Internet.
5. I'm sure there are more advantages
As a PSTN replacement the big deal is that there is no phone company involved unless you're having to gateway to the PSTN, thus no call charges. This is really good news for anyone who spends vast amounts of money on calls. And even if you're gatewaying to the PSTN you can do least-cost routing to gateways near the destination. i.e. if I run a business with customers in the UK, US, Australia, etc. I could subscribe to gateways in those countries and route the calls appropriately, which is likely to be way cheaper than paying BT to carry international calls.
At some point in the future (hopefully soon), the PSTN won't exist at all - you will phone people over the internet using nice easy to remember phone addresses in the same way as you use email addresses. You won't pay anyone to carry those calls, just your usual internet bandwidth charges. You can already do this now if you're phoning the right people. e.g. you can phone the speaking clock running on my Asterisk server by calling IAX2/pabx.nexusuk.org/slashdot
This is one of the primary reasons for dumping IPv4 and going IPv6.
I have been working on setting up my own IPv6 network. I am even investigating the possibility of getting true native IPv6 addressing along side IPv4 from my ISP.
I too have been using IPv6 for a while, unfortunately Asterisk currently doesn't support it.
You don't actually need a native IPv6 connection from your ISP - you can get away with using 6-to-4 dynamic tunnelling, which is what I do. In fact a big problem with rolling out IPv6 natively is that I am not aware of any consumer grade DSL routers that support IPv6, so the PC to ISP connection at least would have to be tunnelled. Of course I'm hoping most ISPs wake up soon - if the ISP I use installed their own 6-to-4 gateway (and preferably advertised it using the anycast address) then I would be very happy.
By far the fastest way to roll out IPv6 would be to have the next version of Windows configured to use it by default. The sheer number of people who wouldn't know anything about it would increase the size of the IPv6 network massively.
The ability to circumvent NAT is why programs like Skype have such popularity and why Linux users looking for more control have been quick to investigate Asterisk and its IAX2 protocol.
:)
I think IAX2 is definitely the way forward because of its external simplicity (one fixed UDP port carries everything).
I believe Skype uses a TCP session to carry the traffic, which makes it a fundamentally bad design (not to mention closed and proprietary). Unfortunately it's easy for complete eejits to set up and they have good marketing so they're getting some business. (Of course there is nothing that they're doing which an IAX to PSTN gateway couldn't do with some decent software and a marketing budget).
Speaking of which, does anyone know of any decent IAX2 or SIP softphones for Linux? ATM I'm using IAXComm which is not without its problems. Kphone was unstable and almost totally feature-free when I tried it. GnomePhone is IAX1, not IAX2. GnomeMeeting is H.323 only (although they've been saying the next version will have SIP for the past year)...
(I'm also looking around for a Symbian UIQ softphone to run on my P900 but as far as I can tell, none exists).
Open standards are all very well, but for the time being at least, SIP is going to be a good technology so we can connect our computers to big carriers and interoperate with the POTS.
In the end there will be no such thing as a telephone service provider - the PSTN will eventually die so there will be no need to gateway to it and then it's only a matter of time before everyone using Skype, etc realises they can do everything with direct peer-to-peer communications and skip the 3rd party completely.
The whole phone system is likely to move to a setup similar to email, where you will just enter an email style address and it'll connect you (we will need something similar to MX records in the long run I think). We're already part way there - i.e. you can call IAX2/pabx.nexusuk.org/slashdot to get to the speaking clock on my Asterisk server.
Problem is, many states don't have laws against frivolous lawsuits, so there may be no basis for a countersuit, especially if the spam itself were not illegal.
When you sign up to an ISP you agree to their AUP. If you've broken the AUP then they have every right to kick you out. I cannot see how you can seriously sue someone for informing the ISP that one of their customers was breaking the AUP. (In fact, I'm sure most AUPs give the ISP the right to terminate your service at their discretion).
You claim that NAT is a kludge. How so? It provides a useful feature and the ability to have a stand alone internal network with a single access point.
It is a kludge to work around the lack of IP address space. If there were enough addresses to give one to every machine (see IPv6) then you wouldn't need it - you can still have an internal network with a single access point, but every machine on that network would have a real IP address.
Guarding every box on a network singularly is a PITA and far FAR beyond what the average person or corporation wants to do.
Why do you need to guard every box singularly? Just tell the firewall between your network and the internet to not allow incoming connections for your subnet. You do not require NAT to do this.
My point was not that NAT does not have security benefits, it was that you do not need NAT to get the same (better) security just as easily (easier in fact since you avoid the problems associated with translating addresses).
Since home routers use private network addresses (such as 192.168.x.y), if anyone on the internet sends out a packet to your internal IP address it will be dropped by the first router it encounters because it will be unroutable.
*sigh* you haven't read what I said - Yes, it is unlikely but it seems like bad security to me for your security to rely on hardware you don't have access to to be configured correctly when there is a better way.
so unlikely that it can be ignored completely
I'd hate to have you doing security programming. "Oh yes, they could overrun that buffer and get root access, but it's statistically so unlikely that I'll ignore it... oops, they just did".
A big chunk of security work is thinking up unlikely things which could happen and closing those holes.
It is clear that you do not know how NAT works.
I know exactly how NAT works. If someone connects to one of your *INTERNAL* addresses from the outside world (not the router's address) then the router *WILL* allow the traffic through - all consumer grade DSL routers I've come across do this in their default configuration. Since the traffic is directly addressed to the internal network it will bypass the NAT system completely. (Trust me - I've seen it happen several times on misconfigured customers' routers).
Compare to a connection tracking firewall, which does connection tracking in the same way as a NAT system does, except it actually does firewalling based on it.
In any case, my original argument wasn't to discount the security that you inherently get from a NAT system, it was to say that you get at least the same security from a connection tracking firewall without many of the inherent problems you get from NAT, so in the case where you don't need NAT it would be better to avoid it. (From a technical perspective).
And as to my comment that you questioned, it is simply that you would find it difficult to find an ISP over here that would give you a block of IP addresses for free.
So your original comment that *I* wouldn't get an ISP account is completely wrong, you meant that *YOU* wouldn't be able to get a suitable account. As I said, in the UK it is very easy to get small IP subnets for free from any reasonable DSL provider if you need them. It seems that people in the US are being royally screwed then by being charged for something which is free.
Let's assume that the script kiddie in question is across the country. They send a packet to 192.168.0.1. How does this get to me? Answer: it wouldn't. This is a non-issue. You cannot route this packet, as the address does not go anywhere.
Your assumption is invalid - the script kiddie could be on the same ISP as you, connected to the same ISP-side router.
If a packet does not match the data in the table, it is blocked.
If the packet is destined for the router's address then yes it's blocked. If it's destined for a machine behind the router then it won't be blocked (I know of no consumer grade DSL router which blocks such packets by default). My whole argument is that you are in part relying on the ISP not to actually route certain packets to you. Admittedly the chance of them doing so is small but IMHO relying on their configuration at all is inherently bad security.
You still haven't explained where the _security_ advantage is in using NAT over a connection tracking firewall.
Then we would not be having this discussion, except maybe by snail-mail. You simply would not be likely to have a broadband connection.
Err, huh? Explain how you came to this conclusion?
Ummmmm. Some random script kiddie at some random IP address sends a packet my way. My NAT box ignores the packet, and my PC never even sees it. I find some value in this. This is not 100% security, but it sure helps. Traffic cannot find its way in unless my PC first opens a port to that specific IP.
Wrong, if your PC is on 192.168.0.1 (for example) and some random script kiddie sends a packet to that address which somehow gets routed to you (maybe your ISP's router is misconfigured) then your NAT router will route it to your PC with no problem at all. So as I said, you are relying on the behaviour of the ISP's router's being "correct".
Doing NAT requires the router to do some kind of connection tracking. However the router doesn't block based on that connection tracking. Compare with a connection tracking firewall which will do all the connection tracking and actually block packets based on that without doing NAT - you get better security (i.e. the same amount of security you get if you combine NAT with a properly configured ISP, but without actually having to rely on the ISP to be configured correctly), plus you don't get any of the many problems that NAT causes.
Assuming there is no IP address shortage, where is the advantage of using NAT instead of a connection tracking firewall? There is none. There are however big disadvantages with doing NAT.
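To make the argument in the post above concrete, here is an added toy model (not code from the thread or from any router product) of the two boxes being compared: a NAT-only home router and a connection-tracking firewall. Both see the same four packets: an outbound connection from a LAN host, the reply to it, an unsolicited probe at the box's public address, and an unsolicited packet addressed straight to the LAN host's private address that an upstream misconfiguration has delivered to the box. All addresses are constructed sample values (RFC 1918 and RFC 5737 ranges), and the NAT router's behaviour is the one described in the thread, not a specific firmware.

```python
"""Toy model: NAT-only router versus connection-tracking firewall.

Added example; addresses and behaviour are constructed to illustrate the
thread's argument, not taken from any real device."""

from dataclasses import dataclass

INTERNAL_NET = "192.168.0."      # LAN behind the box (RFC 1918, constructed)
PUBLIC_ADDR = "203.0.113.10"     # the box's own WAN address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_NET)


class NatRouter:
    """Translates LAN sources to PUBLIC_ADDR and maps replies back.

    It never *blocks*: inbound traffic to PUBLIC_ADDR with no mapping simply
    has nowhere to go, but traffic already addressed to a LAN host bypasses
    translation entirely and is plainly routed inward."""

    def __init__(self):
        self.table = {}        # public port -> (lan_ip, lan_port)
        self.next_port = 40000

    def handle(self, p: Packet):
        if p.direction == "out":
            port = self.next_port
            self.next_port += 1
            self.table[port] = (p.src, p.sport)
            return Packet(PUBLIC_ADDR, port, p.dst, p.dport, "out")
        if p.dst == PUBLIC_ADDR:
            if p.dport in self.table:
                lan_ip, lan_port = self.table[p.dport]
                return Packet(p.src, p.sport, lan_ip, lan_port, "in")
            return None        # no mapping, nothing to deliver to
        if is_internal(p.dst):
            return p           # plain routing: forwarded untouched
        return None


class ConntrackFirewall:
    """No translation at all. Outbound packets create flow state; inbound
    packets are forwarded only if they match a flow, whatever their dst."""

    def __init__(self):
        self.flows = set()     # (lan_ip, lan_port, remote_ip, remote_port)

    def handle(self, p: Packet):
        if p.direction == "out":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return p
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return p
        return None            # unsolicited: dropped, even if dst is a LAN host


def run_scenario():
    """Feed the same four packets through both boxes; return what got through."""
    lan_host, remote, attacker = "192.168.0.1", "198.51.100.7", "192.0.2.99"
    results = {}
    for name, box in (("nat", NatRouter()), ("conntrack", ConntrackFirewall())):
        out = box.handle(Packet(lan_host, 51000, remote, 80, "out"))
        # The server replies to whatever source it saw on the wire.
        reply = box.handle(Packet(remote, 80, out.src, out.sport, "in"))
        # Unsolicited probe at the box's public address.
        probe = box.handle(Packet(attacker, 4444, PUBLIC_ADDR, 22, "in"))
        # Unsolicited packet addressed directly to the LAN host's private
        # address, delivered to the box by a misconfigured upstream router.
        misrouted = box.handle(Packet(attacker, 4444, lan_host, 22, "in"))
        results[name] = {
            "reply_delivered": reply is not None and reply.dst == lan_host,
            "probe_forwarded": probe is not None,
            "misrouted_forwarded": misrouted is not None,
        }
    return results


if __name__ == "__main__":
    for box, outcome in run_scenario().items():
        print(box, outcome)
```

Both boxes deliver the legitimate reply and both leave the probe at the public address with nowhere to go; the difference is the misrouted packet, which the NAT router forwards because nothing in it ever consulted the mapping table, while the firewall drops it because no flow matches. That is the sense in which the NAT box's protection depends on the ISP never delivering such a packet, and the firewall's does not.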
Also, I would rather doubt that ISPs in America will start handing out blocks of addresses without wanting some money. At one time, my cable modem provider wanted $10 per month for an additional IP. v6 will make them more plentiful, but why would they want to turn down a free revenue stream? I admit that I could be wrong, but I am used to being charged for everything, especially with cable providers.
I think you're being completely ripped off - I would never use an ISP that took this kind of attitude (and as I've already said, in the UK it's exceptionally easy to get small subnets for free if you can justify the use, even on cheapo home DSL accounts).
The whole point of IPv6 is to make IP addresses so plentiful that everyone has practically as many as they need without the use of NAT (e.g. you could have lots of IP-enabled appliances in your home). The concept of ISPs only giving you a single IPv6 address completely undermines the concept. Remember that the internet was _never_ designed to be a client/server model, it was always designed to be peer-to-peer, and that's a concept that NAT destroys.
Imagine being able to log into your central heating system and turn on the heating remotely when you're returning from holiday, etc. Yes, there are obviously security considerations but it's that kind of useful stuff that you can do if you have massive amounts of address space.
(Not to mention the fact that having a 128-bit address space probably makes network scanning by worms reasonably unfeasible).
Almost, but not quite. For home users, NAT will always have a place, as long as ISPs only include one IP address, and want to charge $$$ for a second or third IP.
They shouldn't be doing this under IPv6 - everyone will be getting a reasonable sized subnet. And besides, if your ISP is doing this under IPv4 you need to change ISP - I have a normal home user account from PlusNet and they are quite happy to hand out small IP subnets (4, 8 or 16 addresses) for free so long as you can provide justification for their requirement. Most reasonable UK ISPs will do this for DSL connections on their standard accounts, if this isn't the case in the US then I think you're being horrendously ripped off.
This was the rationale behind the first NAT boxen, with the firewall being a happy side-effect.
NAT was designed to alleviate the IP address space shortage, period. There is no reliable security in doing NAT - you're relying on your ISP's routers to "do the right thing". If you want that kind of security you need a connection tracking firewall.
What you say is true for business users who get a block of addresses, though.
As I said above, so long as you can provide justification for the need, most decent UK ISPs will give you a small subnet for free, even on home accounts. However, this wasn't the original argument: The original argument was that you do not need NAT for security (a connection tracking firewall does the job properly and without all the nasty side effects) and that once the IP address space problem is removed (e.g. through IPv6 roll out) you will neither need nor want NAT. NAT is a kludge that works for the short term but causes many problems - the sooner we can ditch it the better.
Correction. NAT is not as secure as any firewall. Period. NAT is not a security feature, it's a convenience feature. NAT != Firewall.
... but I am not going to stop NAT'ing and/or PAT'ing my internal network off of the rest of the net no matter what version of IPv they want to implement. I only need 1 real world IP. I only WANT 1 real world IP.
Correct - using NAT as security involves relying on hardware you don't control doing something that's reasonably undefined. Specifically: if you have a Windows machine on 192.168.0.1 behind a NATting router and the ISP decides to route traffic for 192.168.0.1 to your router, your router will quite happily forward it on. (Unlikely to happen, but IMHO relying on an ISP to do what you perceive as "the right thing" is bad security).
I don't know about you
Why? The *only* reason for using NAT/PAT is to relieve the IP address shortage. Under IPv6 this will no longer be needed so it is far more sensible to give every machine a real address and control access with a firewall. Indeed, ip6tables doesn't even support NAT because it is not required, nor usually wanted. (Ever tried to run H.323 over a NAT?)
And in answer to your question - I already use IPv6, all my machines have real world IPv6 addresses and I do no NAT on IPv6 traffic. I do, obviously, have an IPv6 firewall to control access. Of course, even now, everyone with an IPv4 address automatically has a /48 IPv6 subnet on the 6-to-4 system if they bother to turn it on. (By far the best way to roll out IPv6 support would probably be for MS to do this by default on Windows since then you would end up with millions of machines which have just defaulted to using it). Of course a big problem for the IPv6 roll out is that almost no consumer-grade DSL routers natively support it, so at least the PC to ISP part has to be tunnelled over IPv4, even if the ISP were to natively support IPv6.
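The "/48 on the 6-to-4 system" claim is a fixed mapping (RFC 3056): the 6to4 prefix is 2002: followed by the 32 bits of the public IPv4 address, which leaves 16 bits of site-level subnet ID for carving out /64s. The following added example (not from the thread or from any project) derives that prefix, picks a LAN /64 from it, and recovers the IPv4 address embedded in a 6to4 address using only the Python standard library. The sample address 203.0.113.10 is a constructed documentation-range value treated here as if it were public; the private-range check covers the caveat that only a globally routed IPv4 address gets a usable prefix, and 192.88.99.1 is the RFC 3068 relay anycast address the thread mentions.

```python
"""6to4 (RFC 3056) prefix derivation. Added example using only the
standard library; sample addresses are constructed."""

import ipaddress

# RFC 3068 6to4 relay anycast address (the "anycast address" in the thread).
SIXTOFOUR_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")

# Ranges that cannot be the source of a usable 6to4 prefix: a relay has to be
# able to encapsulate return traffic to the IPv4 address embedded in the prefix.
_UNUSABLE_IPV4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGN
)]


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return 2002:WWXX:YYZZ::/48 for the IPv4 address WW.XX.YY.ZZ."""
    addr = ipaddress.IPv4Address(ipv4)
    if any(addr in net for net in _UNUSABLE_IPV4):
        raise ValueError(f"{ipv4} is not globally routed; it has no usable 6to4 prefix")
    # 0x2002 occupies bits 127..112, the IPv4 address bits 111..80.
    prefix_int = (0x2002 << 112) | (int(addr) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def lan_subnet(prefix: ipaddress.IPv6Network, sla_id: int) -> ipaddress.IPv6Network:
    """Carve LAN number sla_id (0..65535, the 16-bit SLA ID) out of a 6to4 /48."""
    if prefix.prefixlen != 48 or not 0 <= sla_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit SLA ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (sla_id << 64), 64))


def embedded_ipv4(ipv6: str):
    """IPv4 address embedded in a 6to4 address, or None if it is not 2002::/16."""
    return ipaddress.IPv6Address(ipv6).sixtofour


if __name__ == "__main__":
    p = sixtofour_prefix("203.0.113.10")
    print("6to4 prefix:", p)                  # 2002:cb00:710a::/48
    print("first LAN:  ", lan_subnet(p, 1))   # 2002:cb00:710a:1::/64
    print("embedded:   ", embedded_ipv4("2002:cb00:710a:1::1"))
    print("relay:      ", SIXTOFOUR_RELAY_ANYCAST)
```

The reverse mapping is why the thread can say the /48 is "automatic": any 6to4 relay that receives a packet for 2002:cb00:710a::/48 knows to encapsulate it to 203.0.113.10 without any registration, which is also why an RFC 1918 address behind NAT cannot benefit from it.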
Scans that a router running NAT would block.
Argh! Why does everyone keep talking about how wonderfully secure NAT is? NAT is just as secure as a connection tracking firewall, and far more troublesome. Hopefully when IPv6 eventually gets rolled out it will change people's views since NAT won't be needed (or wanted) anymore.
No, 1.4 + 1.4 = 2.8
Where 1.4 gets rounded down to 1 and 2.8 gets rounded up to 3, giving you 1+1=3
But - a simple router with NAT helps immensely.
You don't need NAT (and if/when IPv6 goes mainstream you won't want NAT). All you need is a connection tracking firewall.
It's great that we can download stuff off the net... but in reality that could hurt the possibility of a second season.
The TV companies, MPAA, etc always complain about people downloading episodes/movies from the net before they've been released in the respective country (hell, they even complain about people in a country where a series has been shown spoiling plot-lines for people in countries where it hasn't shown). This, of course, is one of the main reasons for the regionalisation of DVDs... not that it does any good since anyone who was going to import stuff will have deregionalised their player anyway.
Here's a stunning thought, and I'm sure no one at the TV companies or MPAA have thought about it... How about they release the series and films at the same time across the world. I'm sorry, but if you release a series in one country 6 months before its release in another, I think you can expect people to get impatient and download it.
The difference of course with Galactica is that it's all reversed - usually in the UK we have to wait over 6 months for TV shows to come over from the US, now the US is getting a taste of what we have to put up with all the time.
Having said that, and to stay slightly on topic: my view of the new Galactica (which they keep describing as totally action packed in the trailers) is that there isn't enough action and it's taking rather too long for the story to develop. I can quite see people losing interest in it - nowhere near as good as FireFly which had a very good balance between action and story IMHO... Hey, we haven't even seen anyone flying a Viper in the last few episodes, and Baltar's imaginary cylon has been plain annoying from the start.
I'm sorry, but you do need a firewall. It can be software, and it can be one that doesn't ask you which apps can access the internet. But why would you put a naked machine on the internet with no firewall whatsoever?
If you have a firewall to block access to specific services, why have you got those services running in the first place?
A firewall is useful as a fail safe (i.e. you have to screw up the configuration of both the firewall and the services before you open a security hole), but if you're using it entirely to protect you instead of making sure your services are configured properly then you're stupid.
However, from the know-nothing consumer point of view, I think it's fair to expect that *someone* would have taken care of it.
From the customer point of view I would expect that the OS vendor would've made the default configuration of the services sane (i.e. which services are actually enabled by default and where they will accept connections from). As I said above, the only reason for having a firewall on a stand alone machine connected to the internet is as a fail safe, and that inherently means you have 2 independent controls to do essentially the same job (one to enable the service, another to poke holes in the firewall), which IMHO would not be considered user friendly by the user interface people.
If it's an ISP issue, your cable company.
I don't see how the ISP can be held responsible for you plugging an unsecured machine into the internet - that's like suing the council who own your road because they let some burglars up the road to your house which you had neglected to lock. The ISP really is no place to be doing default filtering since the very things you're filtering might actually be needed by some people so long as those people have set it up ok and understood the risks. A perfect example is SMTP - you might suggest the ISP blocks all direct SMTP connections to reduce spam and viruses transmitted by email, but some of us have securely configured SMTP systems and *do* want to use direct SMTP.
know-nothings are still somehow slipping through the cracks and their computers are getting hosed by malware.
Maybe the ISPs should offer an installation service in which they will come out to visit you and install the internet connection (together with correctly configuring your machine). Of course there is inherently cost here and I question the quality of the network engineers that many ISPs would use.
A big problem is that people want something for nothing (or at least very little) - many people would pay a mechanic to change the oil in their car, but wouldn't pay someone to configure their internet connection. If you tried to change your own oil and you under-filled the engine and caused massive damage, you wouldn't blame the engine manufacturer or the oil manufacturer would you? People have to learn where to place blame - if you don't know enough to configure the computer yourself, you can't try anyway and then blame anyone and everyone when it goes wrong.
I think it's fair for consumers to expect that, after paying all this money to tall these different people, they'd have a trouble-free means of accessing the internet.
Yes and no - I think it is fair to expect that the computer they pay for is usable and as secure as possible by default, but I don't believe it is the manufacturer or the ISP's fault when someone decides they want to turn their mail service into an open relay, and I don't believe the ISP is the place to do the majority of filtering.
It is as much about psychology, the art of the con, how cleverly you bait the trap, as it is about the technology of a particular O/S. So long as a user can install an executable, there will always be a way in.
This is true. However, a large proportion of Windows spyware is installed through security holes, and this is where education can't help (short of educating people not to use such broken software).
I think The Register got it spot on - MS are selling a toaster that will frequently catch fire (with a licence agreement that makes sure they're not held responsible) and then giving you a free fire extinguisher to stop your house burning to the ground when it does.
Why does MS get away with it, whereas anyone actually selling a toaster that frequently bursts into flames would be sued into the ground?
Even if your computer isn't vulnerable, you're still paying in terms of the bandwidth used up, both from machines outside the ISP sending virus mail into the network, and compromised machines within the network wasting outgoing bandwidth.
IMHO what should be happening (and I have no objection to this) is that the ISP detects compromised hosts on their own network and kicks them off until they're fixed. I don't honestly see a huge advantage in scanning inbound traffic in the same way - the bandwidth has already been used by the virus getting to the ISP, once inside the ISP's core network the bandwidth is essentially free. DSL lines aren't charged on a per-byte basis, and the amount of traffic caused by a virus arriving over a DSL line is reasonably small, certainly not enough to warrant paying to have the bandwidth cap raised on the line.
Of course, there's absolutely no chance of a lot of ISPs doing this since many don't even respond to abuse reports.
Then explain AOL's prevalence (even if its market share is finally dropping).
I expect that's down to marketing and the gazillions of CDs sent out.
You wouldn't have to. Instead find yourself an ISP that advertises lower costs because it doesn't spend money on features useless to savvy users. The vast majority of people would be better off with the virus-scanning ISP. You'd be better off with the non-virus-scanning ISP.
Doesn't work like that - when the average user looks at 2 ISPs and one is cheaper, which do you think he'll choose? The answer is the cheaper one, even though they don't offer the best solution for him.... and then he'll bitch and moan about how crap his ISP is because it doesn't have a service that suits him.
Because you are the minority.
I'm afraid I don't see that as justification for me subsidising band-aids for people who insist on running a broken OS. I would be slightly more happy if that money went into subsidising the conversion of these people to a proper OS.
Well, I guess the same applies in reverse every time you visit a website running on Windows. Doesn't it?
:)
(Personally, I'd say "I don't think so..." to both cases)
I'd agree with the "I don't think so" comment... but more to the point I don't care if the windows machine running the website I'm visiting gets cracked
It's not my problem, I'm not clearing up the mess, and the only way it will affect me is that I might not be able to get to a useful website while they fix the problem.