I think most people who are on the short end of income equality would describe it as a problem. If you dispute that, why don't you go ask them? Be sure to dress down.
Having said that, whether it is "a problem" or not, it is the reason why our national scores are lower. Grading ourselves on a curve by excluding the scores of the large "underprivileged" group would allow us to pretend that we are doing comparably well to, say, Finland, but it won't actually mean that we are doing comparably well to Finland.
No, that's too simple. We actually are worse—we don't just look worse. But the reason we are worse is because we have a serious income inequality problem, not because our schools are bad.
No. However, in fact the IANA document references RFC6335, which talks about Private Ports, and mentions that they are also sometimes known as Ephemeral ports. And RFC6056 uses the term "ephemeral" preferentially. So you win this one, tepples.:)
But don't get too smug before you read section 3.2 of RFC6056. It was my understanding of current practice as codified by RFC6056 that led me to claim that there was no such thing as ephemeral ports.
However, I do apologize for not doing my reading before contradicting you—my response was incorrect.
You should do that too. I think they are part of the same problem: a complete lack of sensible prioritization on the part of the DoJ, and a complete failure on the part of Congress to help the DoJ by eliminating bad priorities like pot prohibition and suppression of dissent.
Wanted. They've already done it. And having done it, rolling out IPv6 to the end user was a relatively small incremental cost with a really big upside. They did really good work pioneering native IPv6 to the home—a lot of CPE device bugs got ironed out as a result of their efforts.
Attackers using botnets can afford to just spam every port and see what comes back. They don't have to wait for some host to open a hole in the NAT, because hosts are always opening holes in NATs, so if you do port scanning, you find holes. It doesn't mean that every time you open a hole in your NAT, the internet will jump through the hole. It just means that if you are in the habit of opening holes in your NAT (and you are), you will get attacked, and hence the claim that the NAT is a firewall is incorrect.
You're preaching to the converted on the end-to-end bit. I think CGN is a terrible idea, and the fact that it breaks end-to-end is one reason. But by no means the primary reason.
It's complicated. We're better off than countries where members of lower socioeconomic classes don't go to school. But our overall scores are lower than countries with better economic equality, because so many more of our citizens are in lower socioeconomic classes.
Doesn't mean they won't increase the limit for existing petitions. And in any case, it would be really great if this petition made it to 100k, because it would be taken more seriously. If not by the White House, then by the press, which has started paying attention to these petitions.
BitTorrent was one of the earliest protocols to start using IPv6, because it literally doesn't care. If there's a way to get IPv6 packets to a seeder, it does it. SIP works just fine with IPv6; the problem is that SIP providers typically don't yet support it. But it would be trivial for them to do so; the reason they haven't is that there's not enough market pressure on them yet. If there was a decent SIPPOTS provider that did IPv6, I'd drop my current provider in a hot second. Skype will probably never work with IPv6—the protocol has inherent dependencies on IPv4. In order to get IPv6 support to work on it, Microsoft would have to get everyone to upgrade, and that's not likely.
But none of this matters. The person who cares about how many service providers have IPv6 support is the person trying to justify deploying IPv6 at an ISP. That person cares most about how much traffic his or her employer can offload to IPv6 if they turn it up on their network. The amount of actual traffic that would be offloaded today is already enough to make that case. Yes, it would be great if everything supported it, but that's not necessary to make the transition worthwhile.
Put simply, IPv6 support reduces the pressure on the ISP's NAT solution. That saves them money. End of story.
(Note that most U.S. ISPs do not currently have an IPv4 address shortage, so this analysis doesn't apply to them yet. Comcast did the transition anyway, because, as I understand it, it made good business sense for them other reasons.)
Any connection you make through the NAT consumes a table entry (and a port) for a minimum of 90 seconds. This has nothing to do with network bandwidth—it's required by the protocol. A CGN that breaks this assumption will work most of the time, but will exhibit seriously flaky behavior some of the time. So just do the math—a NAT can support so many connections, and no more. You can't just continually increase the number of connections and hope for the best.
Can you name an ancient device that implements DHCP relay, and nothing else? No, of course not. That doesn't mean that a DHCP Relay Agent is a router. Similarly, the mere fact that you can't think of a router that doesn't also do firewalling and NAT doesn't mean that NATs are firewalls, or that firewalls are NATs. Use your logic, man. A->B != B->A!
No, again what you just said represents a fundamental misunderstanding of how NAT traversal works. Generally speaking, NATs _automatically_ open holes for incoming packets based on the behavior of the host inside the NAT. There's no reason to think a CGN couldn't do this. Any NAT-traversal mechanism that requires administrator action is essentially not going to happen, for the majority of internet users.
Of course, if you happen to be one of those savvy Internet users who actually sets up holes in your NAT on your CPE device, you're going to hate CGN, but you're very much in the minority.
The lack of any cited RFCs in the Wikipedia article, and the profusion of cited Microsoft Technet articles, should tell you what you need to know about the prevalence of this bit of terminology.
This petition, asking the White House to censure the prosecutor responsible for Aaron Swartz' felony case, will need a lot more signatures if they apply this standard to it. So now would be a good time to go sign it.
There's no such thing as an ephemeral port. Do you mean a "reserved port"?
It's true that penetration of the NAT requires cooperation of the host on the other side, but getting that cooperation is not hard. A bit of javascript will do it, as will a virus or trojan horse. You can also just scan ports on the assumption that some client is running something that's already punched a hole; chances are you will get through.
The bottom line is that depending on your CPE NAT for security is a really bad idea.
It's unlikely that they will deploy CGN, because the trial will probably fail. But if they do, they will still almost certainly do routing aggregation, so the IP address you get will likely be associated with the BRAS or concentrator closest to you. They won't be able to get pinpoint accuracy, but they will probably know what city you are in, if you are in a city.
Depends on the regulatory regime. In general, the answer is that there is a log. But this is one motivating factor for MAP-E and lightweight 4over6: entire port sets are allocated to clients, rather than just randomly allocating ports, so you just have to log who had what address and port set were allocated to who when, rather than logging every single translation.
snrk Have you seen how many transition technologies have been proposed at IETF? We originally assumed everyone would deploy dual stack and wait for IPv4 traffic to tail off, but that assumed deployment ten years ago, which didn't happen. Then we started looking at CGN about five or so years ago; the problem is that CGN depends on there being lots of IP addresses, and since then we've come up with better solutions that do a smarter job of distributing the state required to do nat. This is what MAP-E and lightweight 4over6 are. MAP-E and lightweight 4over6 are getting serious consideration by ISPs.
I don't disagree that there were a lot of egos involved in early IPv6 development, but we actually do have a solid transition suite, and people are deploying it. CGN is five-year-old technology that never saw widespread deployment, and probably never will.
ISPs have to cycle through equipment over time anyway, so this just means they aren't doing IPv6 in this cycle. But again, it's a trial, so really what they're doing is hoping that they can get away with not doing IPv6, but not committing to not doing IPv6. Which is actually pretty smart.
Slashdot Mirror
I think most people who are on the short end of income equality would describe it as a problem. If you dispute that, why don't you go ask them? Be sure to dress down.
Having said that, whether it is "a problem" or not, it is the reason why our national scores are lower. Grading ourselves on a curve by excluding the scores of the large "underprivileged" group would allow us to pretend that we are doing comparably well to, say, Finland, but it won't actually mean that we are doing comparably well to Finland.
I don't know of any classless societies where everyone is poor. Can you cite an example?
No, that's too simple. We actually are worse—we don't just look worse. But the reason we are worse is because we have a serious income inequality problem, not because our schools are bad.
Yes, exactly. That's even shorter than my short version! :)
No. However, in fact the IANA document references RFC6335, which talks about Private Ports, and mentions that they are also sometimes known as Ephemeral ports. And RFC6056 uses the term "ephemeral" preferentially. So you win this one, tepples. :)
But don't get too smug before you read section 3.2 of RFC6056. It was my understanding of current practice as codified by RFC6056 that led me to claim that there was no such thing as ephemeral ports.
However, I do apologize for not doing my reading before contradicting you—my response was incorrect.
You should do that too. I think they are part of the same problem: a complete lack of sensible prioritization on the part of the DoJ, and a complete failure on the part of Congress to help the DoJ by eliminating bad priorities like pot prohibition and suppression of dissent.
Wanted. They've already done it. And having done it, rolling out IPv6 to the end user was a relatively small incremental cost with a really big upside. They did really good work pioneering native IPv6 to the home—a lot of CPE device bugs got ironed out as a result of their efforts.
Attackers using botnets can afford to just spam every port and see what comes back. They don't have to wait for some host to open a hole in the NAT, because hosts are always opening holes in NATs, so if you do port scanning, you find holes. It doesn't mean that every time you open a hole in your NAT, the internet will jump through the hole. It just means that if you are in the habit of opening holes in your NAT (and you are), you will get attacked, and hence the claim that the NAT is a firewall is incorrect.
You're preaching to the converted on the end-to-end bit. I think CGN is a terrible idea, and the fact that it breaks end-to-end is one reason. But by no means the primary reason.
Coulda fooled me.
It's complicated. We're better off than countries where members of lower socioeconomic classes don't go to school. But our overall scores are lower than countries with better economic equality, because so many more of our citizens are in lower socioeconomic classes.
Doesn't mean they won't increase the limit for existing petitions. And in any case, it would be really great if this petition made it to 100k, because it would be taken more seriously. If not by the White House, then by the press, which has started paying attention to these petitions.
BitTorrent was one of the earliest protocols to start using IPv6, because it literally doesn't care. If there's a way to get IPv6 packets to a seeder, it does it. SIP works just fine with IPv6; the problem is that SIP providers typically don't yet support it. But it would be trivial for them to do so; the reason they haven't is that there's not enough market pressure on them yet. If there was a decent SIPPOTS provider that did IPv6, I'd drop my current provider in a hot second. Skype will probably never work with IPv6—the protocol has inherent dependencies on IPv4. In order to get IPv6 support to work on it, Microsoft would have to get everyone to upgrade, and that's not likely.
But none of this matters. The person who cares about how many service providers have IPv6 support is the person trying to justify deploying IPv6 at an ISP. That person cares most about how much traffic his or her employer can offload to IPv6 if they turn it up on their network. The amount of actual traffic that would be offloaded today is already enough to make that case. Yes, it would be great if everything supported it, but that's not necessary to make the transition worthwhile.
Put simply, IPv6 support reduces the pressure on the ISP's NAT solution. That saves them money. End of story.
(Note that most U.S. ISPs do not currently have an IPv4 address shortage, so this analysis doesn't apply to them yet. Comcast did the transition anyway, because, as I understand it, it made good business sense for them other reasons.)
Any connection you make through the NAT consumes a table entry (and a port) for a minimum of 90 seconds. This has nothing to do with network bandwidth—it's required by the protocol. A CGN that breaks this assumption will work most of the time, but will exhibit seriously flaky behavior some of the time. So just do the math—a NAT can support so many connections, and no more. You can't just continually increase the number of connections and hope for the best.
Can you name an ancient device that implements DHCP relay, and nothing else? No, of course not. That doesn't mean that a DHCP Relay Agent is a router. Similarly, the mere fact that you can't think of a router that doesn't also do firewalling and NAT doesn't mean that NATs are firewalls, or that firewalls are NATs. Use your logic, man. A->B != B->A!
No, again what you just said represents a fundamental misunderstanding of how NAT traversal works. Generally speaking, NATs _automatically_ open holes for incoming packets based on the behavior of the host inside the NAT. There's no reason to think a CGN couldn't do this. Any NAT-traversal mechanism that requires administrator action is essentially not going to happen, for the majority of internet users.
Of course, if you happen to be one of those savvy Internet users who actually sets up holes in your NAT on your CPE device, you're going to hate CGN, but you're very much in the minority.
The lack of any cited RFCs in the Wikipedia article, and the profusion of cited Microsoft Technet articles, should tell you what you need to know about the prevalence of this bit of terminology.
Crap, broken link. This one should work.
This petition, asking the White House to censure the prosecutor responsible for Aaron Swartz' felony case, will need a lot more signatures if they apply this standard to it. So now would be a good time to go sign it.
There's no such thing as an ephemeral port. Do you mean a "reserved port"?
It's true that penetration of the NAT requires cooperation of the host on the other side, but getting that cooperation is not hard. A bit of javascript will do it, as will a virus or trojan horse. You can also just scan ports on the assumption that some client is running something that's already punched a hole; chances are you will get through.
The bottom line is that depending on your CPE NAT for security is a really bad idea.
If it doesn't, the customer will be pretty pissed off, because a lot of services they're accustomed to using (e.g., Skype) will start failing.
If anything there are too many transition technologies, not too few.
It's unlikely that they will deploy CGN, because the trial will probably fail. But if they do, they will still almost certainly do routing aggregation, so the IP address you get will likely be associated with the BRAS or concentrator closest to you. They won't be able to get pinpoint accuracy, but they will probably know what city you are in, if you are in a city.
Depends on the regulatory regime. In general, the answer is that there is a log. But this is one motivating factor for MAP-E and lightweight 4over6: entire port sets are allocated to clients, rather than just randomly allocating ports, so you just have to log who had what address and port set were allocated to who when, rather than logging every single translation.
snrk Have you seen how many transition technologies have been proposed at IETF? We originally assumed everyone would deploy dual stack and wait for IPv4 traffic to tail off, but that assumed deployment ten years ago, which didn't happen. Then we started looking at CGN about five or so years ago; the problem is that CGN depends on there being lots of IP addresses, and since then we've come up with better solutions that do a smarter job of distributing the state required to do nat. This is what MAP-E and lightweight 4over6 are. MAP-E and lightweight 4over6 are getting serious consideration by ISPs.
I don't disagree that there were a lot of egos involved in early IPv6 development, but we actually do have a solid transition suite, and people are deploying it. CGN is five-year-old technology that never saw widespread deployment, and probably never will.
ISPs have to cycle through equipment over time anyway, so this just means they aren't doing IPv6 in this cycle. But again, it's a trial, so really what they're doing is hoping that they can get away with not doing IPv6, but not committing to not doing IPv6. Which is actually pretty smart.