Please go reread my original post, I NEVER EVER claimed it guaranteed any quality or whatever, I said that the BBC can broadcast things without the guarantee that it will bring in many viewers because they do not depend on advertisement income.
> BBC television these days is as dumbed down stupid and awful as any of the commercial stations.
I happen to live in the Netherlands, and am getting (among others) both commercial and public TV from the following countries:
the Netherlands (3 public stations and like 7 or 8 commercial ones)
UK (BBC 1, 2, News 24, BBC World Service and a number of commercial stations)
France (public TV and a commercial station)
Belgium (2 public stations and 3 or so commercial ones)
Germany (3 public stations and a bunch of commercial ones)
Greece (1 commercial station)
Italy (2 public and a commercial station)
USA (various news and entertainment stations, so not just CNN)
Turkey (1 commercial station)
Japan (no idea, can't follow a thing of it, but there is a Japanese station on cable here)
China (same, no idea since I can't follow it at all, but it's there)
The BBC is in the absolute top with regards to quality when compared to all other channels that I can get. Do they have lots of mainstream 'no brains' entertainment as well? Sure, but they also do have decent and in-depth talk shows and news and backgrounds, (popular) scientific programs that actually are more than a bunch of 'hidden' commercials, and educational programs.
So, compared to others they simply do a lot better, and on average, compared to especially stations from the USA and Asia, the European stations do relatively well in quality.
So honestly, I don't know where you are coming from with your comment, care to tell what you compare it to or what kind of standard you'd like to see for quality?
> and for some reason the only one with outrageous shipping cost and time is the German one. Quite odd.
Long live Deutsche Post and their freaking 12+ euro for shipping a package to the USA, for which you won't get insurance or airmail.. think about 20+ euro for that. The first method will take anywhere between 1 and 3 weeks, the latter anywhere between 2 and 5 days (information as I got it from one of the main post offices in Berlin 3 weeks ago)
Competition? Hardly there, they managed so far to use regulations to keep most competition out.
So well, you could as well use a private carrier for delivery, it will be about as expensive, and they guarantee much better delivery times and such.
So... that is why ordering from amazon.de costs you that much.
One of the best things about public TV as it seems to work in the UK and other parts of Europe is that it is not some kind of popularity contest where all that really counts is how many eyeballs will get to see the next advertisement.
This results in also making programs for quality and making and broadcasting more experimental things without a 'guarantee' to get viewers.
There is a lot to say for both approaches (commercial and public) btw, I see them more as complementary than in competition with each other.
I do wonder tho why it seems this does not work like that in the USA (at least, that is my impression from having been there, and from what people keep telling me)
> Yes. They're all die-hard socialists, those animals.
Contrary to popular belief, you do not have to be a die-hard socialist to do things for the good of the group.
> They all took philosophy classes, decided to become utilitarians, and are having gentlemanly wrestling contests to determine who should have offspring. They subjugate their will for the good of the pack, not for the benefit of the alpha male. Nosirree.
If it didn't work to the advantage of the group, it would have died out a long time ago.
They do not have to take philosophy classes or decide on it consciously, their pack will be eliminated from the gene pool over time if they do not serve the good of the group.
That is also the big difference, humans try to ignore or overrule such things, and are capable of that to some extent. Most animals don't do this (and are not capable of it)
Hmm... I might be mistaken, but it seems to me the GPL requires that the source code comes in a usable form, so I don't think your loophole will work really.
> The lawyers may say it's a good case, but I always say "Don't hold hot coffee in your lap." I myself spilled scalding coffee on my lap. I did not sue, but I think I learned a valuable lesson in life that I carry with me to this very day.
Heh, I completely agree, regardless of whether the coffee was too hot, it is still simply stupid and asking for problems to hold a drink on your lap of which you simply know it is at least very warm (if not hot). A reason why even people who are aware of the case still point at it is similar to why quite a few people think that claims against tobacco companies are bullshit. (I disagree with them in part, but only for as far as it concerns those companies actually knowing their products were dangerous and trying to hide that. That should be dealt with, but it hardly gives individuals the right to sue them, get yourself informed damnit)
People supposedly have a brain and should be expected to use it and take some responsibility for their own behavior instead of trying to blame others and sue.
That said, you'll have to live with a society in which things like that coffee case can happen, and as long as that is the case, you better keep it in mind.
> But if manufacturers start building in IPv6 support (many already have), then there will at least come a point when a change to ipv6 can be made without users having to buy all new equipment.
Yep, and what is more, this could happen initially without the end-user having to know about it.
It is relatively easy to sell them on packaged applications :)
The idea of everyone being able to create and publish content.. well, NAT can be an issue in that, but I think the so called 'slashdot effect' is a good demonstration of why at least for lots of the currently popular protocols this is not going to work very well regardless of that.
This of course is solvable by p2p like networks where such a load can be shared.
Those do exist... and people use them... but all most people seem to 'publish' is other people's work and usually without consent of the owner.
If I am a bit more serious about publishing nowadays, I go rent an account on a shared server for a few dollars, get myself a dedicated or virtual dedicated server for a bit more.. or if I don't want to spend any money on it, get myself a free weblog or 'homepage'.
Alternatively, I run a server on the single IP that I get from my provider (yeah, they do allow running servers with some exceptions in my case)
I need more than one webserver? The single IP is only going to be a problem there if I need to support https or similar on more than one site, but multiple physical servers are no problem, all you need for it is a reverse proxy (or similar application specific proxy).
Yeah, it is yet another kludge (tho a very useful one for a lot of reasons beyond sharing an IP between multiple physical servers), and that is the real problem with IPv4, it requires too many kludges to remain viable on the long term.
It is too bad that none of those kludges themselves seem to be a convincing enough argument for changing.
Hmm, you are correct with regards to forwarding, which can be an issue when you share bandwidth with others indeed and to prevent that a block rule in a packet filter is needed. You are still using the state-keeping of NAT to actually decide what to pass and what not, which in most cases requires no user configuration and is transparent.
I know that IPv6 solves this as well, and arguably in a better way. Question remains if it is a problem that isn't already sufficiently solved for the end user (albeit in a technically ugly way)
I also know you can build this without NAT, but that will require user configuration to work.
VoIP is the one consumer application that might indeed appeal enough to the average user to create a customer demand for IPv6.. tho, what they will be going to ask for is this 'voip upgrade' and many won't ever know it means they'll switch to v6 (or even have a clue that it exists, let alone what it is)
> No, in fact it does not, I assure you. Read RFCs 1631 and 2663. Specifically, read section 9 of RFC 2663 which instructs you to use a firewall to filter out bad stuff.
Yes, and that is good advice. NAT is not INTENDED as IP filter.
But let's take a look at the typical NAT implementation we are talking about:
Outgoing packets on the public interface get their source address translated and cause the NAT device to create or modify an entry in a state table.
Incoming packets are matched against that state table to see if they relate to any known connection and if so, passed after translating their destination address.
Incoming packets are also matched against an optional list of 'reverse mappings'.
Anything that does not match either is not translated and not forwarded.
So... it selectively translates and forwards packets. That is not a filter?
Is it a very good filter? That depends on your needs, and one thing it will definitely not do is protect the actual machine it is running on from anything. It is also not very configurable.
Hence, you should not use it alone and think you have a good IP filter.
That said, simply because of the way it functions it is also implicitly a state-keeping ip filter that happens to be rather good (tho very inflexible) at its job.
> And once you've read that, read this thread [slashdot.org] for more information and specific examples of how and why NAT won't filter anything.
As I have just shown you, NAT does filter things in its typical implementation.
> And in that case I really suggest that users of those firewalls use something else, because NAT isn't solving their problem.
That depends on what 'the problem' is.
Solve all their security problems? Definitely not. Protect the internet from malware running on those PCs, or at the very least prevent malware from infecting the PC? The latter to some extent.
What it does solve is the simple problem that you cannot connect a new machine to the internet and get yourself all the software to properly protect the machine because your machine will be infected before you can finish.
It is not the best way to solve their problem, but it definitely does solve the problem for most people in a perfectly acceptable way and without the need for any knowledge whatsoever.
That they have a whole bunch of problems left besides the simple one of not allowing outside connections to their client is an entirely different thing but they cannot even start solving that if they cannot get the required updates and extra software without getting infected.
Now, let me quote from the introduction of the thread on Slashdot that you referred me to:
> Again, NAT does not enhance security. It just doesn't. I don't understand why people think it does. The thing that enhances security is your firewall. So instead of pretending like you get security because connections aren't mapped in, you ship home routers with a rule that says no connections may be established from the ``outside'' to the ``inside.'' Done. Then when someone wants an incoming connection, they tell the firewall to allow it.
So, what is said here is that you can do the exact same filtering without NAT. That is absolutely true, but in no way says that NAT is NOT doing that, in fact it says you do the same but without the need for NAT.
Before it and after it the author of that bit rants on about how NAT is not providing any security, and goes on saying that NAT is evil and a problem for the internet without ever providing an argument as to why.
NAT has some serious problems indeed, but those mostly concern ipsec and hosting.
The thing is that some people want IPv6, often for good technical reasons, but those reasons just do not appeal at all to the average user. NAT gets around the one problem that would sort of reach the average user still, and as such is declared evil by IPv6 fanatics. Yes, it does have problems, just not for the large majority of its users.
Please come up with something better.
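The state-table behaviour described in this comment (and the "pretty good IP filter with state-keeping" point made further down), as an added simulation that is not code from the original posts or from any real router: a hypothetical `NatBox` with one public address translates outgoing packets, forwards incoming ones only on a state or reverse-mapping match, and drops the rest. All addresses, ports and the `Packet`/`demo` names are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the router's single public address
FIRST_PUBLIC_PORT = 40000    # constructed: first port handed out for translations


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Hypothetical home NAT router: one public address, one LAN behind it."""

    def __init__(self, public_ip: str = PUBLIC_IP,
                 reverse_mappings: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.next_port = FIRST_PUBLIC_PORT
        # state table: (proto, public port) -> (lan ip, lan port, remote ip, remote port)
        self.state: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # which public port an outgoing flow already got, so a flow keeps its entry
        self.by_flow: Dict[Tuple[str, str, int, str, int], int] = {}
        # optional static 'reverse mappings' (port forwards): (proto, public port) -> (lan ip, lan port)
        self.reverse = dict(reverse_mappings or {})
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the source and create or modify a state entry."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = pub_port
        self.state[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only if a state entry or a reverse mapping matches.

        This path only decides what is forwarded to the LAN; a packet aimed at a
        service on the NAT box itself never passes through it, which is the
        'does not protect the machine it runs on' caveat from the comment.
        """
        key = (pkt.proto, pkt.dst_port)
        entry = self.state.get(key)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # only the peer the LAN host talked to may use this translation
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        if key in self.reverse:
            lan_ip, lan_port = self.reverse[key]
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        # matched neither: not translated, not forwarded (the implicit filter)
        self.dropped.append(pkt)
        return None


def demo() -> Dict[str, object]:
    """Walk through the cases the comment describes; every value is constructed."""
    nat = NatBox(reverse_mappings={("tcp", 80): ("192.168.1.20", 80)})
    # 1. a LAN client opens a connection to a web server on the internet
    out = nat.outbound(Packet("tcp", "192.168.1.5", 51000, "198.51.100.7", 443))
    # 2. the server's reply matches the state entry and is translated back
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 443, nat.public_ip, out.src_port))
    # 3. an unsolicited connection attempt to a port with no state and no mapping
    unsolicited = nat.inbound(Packet("tcp", "192.0.2.99", 4444, nat.public_ip, 445))
    # 4. a port forward ('reverse mapping') lets the LAN web server be reached
    forwarded = nat.inbound(Packet("tcp", "192.0.2.99", 4444, nat.public_ip, 80))
    # 5. a different host aiming at an active translation is dropped as well
    wrong_peer = nat.inbound(Packet("tcp", "192.0.2.99", 4444, nat.public_ip, out.src_port))
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "forwarded": forwarded, "wrong_peer": wrong_peer,
            "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```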
> That's just another chicken and egg problem.
Yes it is, it is also a real problem for as far as the introduction of IPv6 goes.
This simply means that different arguments are needed to get people to switch, and in fact, most people don't have to switch consciously, they could just get it enabled by default on the next PC they buy (this leaves a problem with DSL and cable modems, this is something an ISP should handle I think)
The introduction of IPv6 is something that needs to be done by ISPs and the producers of networking hardware and software.
There are those who prefer building and configuring their own computers and there are those who do not want to bother with that and rely on pre-installed systems with 'plug and play' internet connectivity.
Those who prefer building their own stuff will have to consciously switch, and I bet that a substantial part of the Slashdot crowd is among those.
Most home users are in the latter category however.
> As it is, hosting is inaccessible to the average person because it's difficult, in part by the lack of addresses.
Hmm, I wonder if it is such a bad thing that hosting is relatively difficult (not that that is a good excuse for having a lack of addresses and hence difficulty with getting extra ones)
Most people are not capable or willing to keep a single client machine secure, let alone a couple of devices that run some kind of internet server.
More IP space for the average user could be nice to have and indeed opens up all kinds of applications.
But most people will not even hear about those things until they are tried and tested and already accepted by those whom they consider knowledgeable on the issue.
So the argument is simply not going to appeal to, or even reach the average user, and nor should it until after they already have it (probably without even knowing it)
There are many valid arguments to make for replacing IPv4, but most of those are of interest to those who want to host their own things or deal with the infrastructure of the internet.
For the average end user those things won't matter until they can get the applications in a nicely packaged way that doesn't require reading a manual.
Well, unless you configure it otherwise, it does in fact filter any connections coming from the outside.
A firewall is a barrier between 2 networks.. if it is a routing firewall it might indeed be filtering things. There are other types of firewall as well. An IP filter does not make a firewall in itself, and is not a required (tho a very useful in many cases) component of a firewall.
Then, regarding NAT and acting as a firewall..
I really suggest you go take a peek at the quality of state-keeping in the majority of consumer grade firewall packages (and don't give me iptables or pf or ipf or ipfw, while available to many people, those are not consumer grade firewalls, we are talking about ZoneAlarm and friends, the stuff that the large majority of people with computers can or did install) then you might just start to see why a very simple router that does NAT results in a better firewall than many such packages on their own.
> What's neat is IPv6 does away with DHCP and BOOTP in almost exactly this manner. An IPv6 Address is subdivided into two addresses.
While informative in itself, what is the exact point of your explanation in this specific discussion?
The argument being made was that NAT was a problem, which I countered with pointing out that for most people NAT solves a problem instead of being one.
Yes there are other solutions to that problem as well, including IPv6.
For most people there is no need to replace a good enough solution with a possibly better one unless they actually get something for it that compensates the effort of getting the better than good enough solution.
> Which is one more step than a NAT box requires (for the same functionality as far as the home luser is concerned).
Uh yes, but one more step doesn't exactly make for a very complicated router setup. They already have to fill out a box with their username and password. I really do not see why there would be a problem in filling in a 3rd field (the contents of which are provided by the ISP just like the rest)
Argument was that NAT makes it a lot easier, well, it makes it easier but not a lot. I didn't think that was that hard to understand really, was it?
I do my own hosting and am quite aware of why people may want more than one address, but that is really not something that applies to the huge majority of people.
Hence, it is also not a convincing argument for most people.
A router such as you describe could be made almost plug and play. Basically, all the end user would have to do is tell it the prefix of their local network, everything else can be auto-configured at least in theory.
(this is only really true if all you need is connect a single subnet to a remote network)
> Do you use NAT (a home router)? Blame your IPv4-based ISP for not having enough address space for you.
For most people NAT actually solves a problem instead of being one.
Yeah, for some people it would be nice to be able to have their toaster online and reachable through the internet as well, and lack of addresses can make that difficult, but most people do not have a big urge to do such things.
They do however have a problem with their computer and an unfiltered internet connection.
A router that does NAT happens to function as a pretty good IP filter with state-keeping that is extremely easy to configure.
> Do you run a web-hosting company? You probably know how expensive address space is.
Yep, sadly enough, IPv6 sounds more advanced, and thus will be more expensive. The people who market the stuff have absolute control over the supply so can set a price as they like.
> Pine... pine. Ah yes, I have that filed beside Elm and Mutt under "applications no newbie desktop Linux user will ever run, or even hear of".
I tend to agree with regards to Mutt and maybe Elm..
But most non technical people that I know that have some experience with using Unix/Linux have seen Pine, if only coz usually the first Unix/Linux installation they happen to have used are university shell servers probably.
Yeah, I also found they want it on their desktop machine because it is easy to use and fast.
I think you are mistaken with regards to non technical users and using Pine..
But one would hope that most people end up using something else on their desktop Linux machine, and probably they do.
Re: Not all problems are solvable (on Security Alert) · Score: 1
> Well Windows' security might not be managable by a normal computer, but there seem to be a whole lot of people surviving just fine with an OS that was designed to be secure and easily usable...
You mean Linux (or Unix in general) ?
Easy to use for a relatively technical person? Sure. When properly set up, it can even be easy to use for non tech users.
Securable by someone who isn't technically inclined? Come back when you have non technical users understand things like init, rc scripts and the like. Who is going to be able to judge if whatever process is actually supposed to be there? Joe Sixpack?
Parent was referring to a security model that Joe Sixpack understands, not one that is understandable to someone who is actually seriously interested in the thing.
Compare: You want to keep your house secure? You lock everything that might be used to enter it. Optionally, you install an alarm system.
You want to keep your computer secure? (content of a book should follow, left out due to time and space considerations)
Or do you mean OS X?
Easy to use for the average person? No doubt about it. Easy to secure? See the part about Linux/Unix, for most parts OS X is not really different.
> Can anyone name a Linux mailreader which will automate the process of running an executable attachment by clicking on it?
Not as such.
I do know of a popular Unix based mail client that also runs on Linux. This mail client has had so many security problems that would allow running arbitrary code (and that judging from its coding style is likely to contain quite a few undiscovered/unpublished ones still), that running attachments is not really needed.
The program is called Pine.
Re: Own a computer, own a car (on Security Alert) · Score: 2, Insightful
> Blaming the software is like gun control, guns don't kill people, people kill people.
The software was sold for use in a system that can't afford downtime, especially unexpected downtime.
Whomever sold that software for that purpose as well as the people who bought it are to blame.
It is not like it is unknown that Windows (any version) is one of those systems that is not suitable for that (definitely not the only one).
Having some guy reboot such a system once a month to prevent it from crashing is like using duct tape to keep your car together.. sure, it will work for a while, but it is bound to fail, and as such can be no more than an emergency measure.
Hmm, interesting one.. tho I doubt it will work everywhere (if at all, that is going to be a court decision at some point I guess)
> No. It doesn't guarantee any such thing.
> and then link it into your proprietary code, arguing that the library came with the OS and you are therefore allowed to.
Just wondering, isn't this exactly what is the case with some binary only apps on Linux?
I did hear quite a few objections against such binary only apps, but not that they were illegal from a licensing point of view.
NAT is a trade-off, definitely.
THe idea of everyone being able to create and publish content.. well, NAT can be an issue in that, but I think the so called 'slashdot effect' is a good demonstration of why at least for lots of the currently popular protocols this is not going to work very well regardless of that.
This of course is solvable by p2p like networks where such a load can be shared.
Those do exist... and people use them... but all most people seem to 'publish' is other people's work and usually without concent of the owner
If I am a bit more serious about publishing nowadays, I go rent an account on a shared server for a few dollars, get myself a dedicated or virtual dedicated server for a bit more.. or if I don't want to spend any money on it, get myself a free weblog or 'homepage'.
Alternatively, I run a server on the single ip that I get from my provider (yeah, they do allow running servers with some exceptions in my case)
I need more then one webserver? the single ip is only going to be a problem there if I need to support https or similar on more then one site, but multiple physical servers is no problem, all you need for it is a reverse proxy (or similar application specific proxy).
Yeah, it is yet another kludge (tho a very usefull one for a lot of reasons betond sharing an ip betweenmultiple physical servers), and that is the real problem with IPv4, it requires too many kludges to remain viable on the logn term.
It is too bad that none of those kludges themselves seem to be a convincing enough argument for changing.
Hmm, you are correct with regards to forwarding, which can be an issue when you share bandwidth with others indeed and to prevent that a block rule in a packet filter is needed. You are still using the state-keeping of NAT to actually decide what to pass and what not, which in most cases requires no user configuration and is transparant.
I know that ipv6 solves this as well, and arguably in a better way. Question remains if it is a problem that isn't already sufficiently solved for the end user (abeit in a technically uggly way)
I also know you can build this without NAT, but that will require user configuration to work.
voip is the one consumer application that might indeed appeal enough to the average user to create a customer demand for IPv6.. tho, what they will be going to ask for is this 'voip upgrade' and many won't ever know it means they'll switch to v6 (or even have a clue that it exists, let alone what it is)
> No, in fact it does not, I assure you. Read RFCs 1631 and 2663. Specificly, read section 9 of RFC 2663 which instructs you to use a firewall to filter out bad stuff.
Yes, and that is good advice. NAT is not INTENDED as ip filter.
But lets take a look at the typical NAT implementation we are talking about:
Outgoing packets on the public interface get their source address translated and cause the nat device to create or modify an entry in a state table.
Incomming packets are matched against that state tabel to see if they relate to any known connection and if so, passed after translating their destination address.
Incomming packets are also matched against an optional list of 'reverse mappings'.
Anything that does not match either is not translated and not forwarded.
So... it selectively translates and forwards packets. That is not a filter?
Is it a very good filter? that depends on your needs, and one thing it will definitely not do is protect the actual machine it is running on from anything. It is also not very configurable.
Hence, you should not use it alone and think you have a good ip filter.
That said, simply because of the way it functions it is also implicitly a state-keeping ip filter that happens to be rather good (tho very inflexible) at its job.
> And once you've read that, read this thread [slashdot.org] for more information and specific examples of how and why NAT won't filter anything.
As I have just shown you, NAT does filter things in its typical implementation.
> And in that case I really suggest that users of those firewalls use something else, because NAT isn't solving their problem.
That depends on what 'the problem' is.
Solve all their security problems? definitely not.
Protect the internet from malware running on those PCs, or at the very least prevent malware from infecting the PC? The latter to some extent.
What it does solve is the simple problem that you cannot connect a new machine to the internet and get yourself all the software to properly protect the machine because your machine will be infected before you can finish.
It is not the best way to solve their problem, but it definitely does solve the problem for most people in a perfectly acceptable way and without the need for any knowledge whatsoever.
That they have a whole bunch of problems left besides the simple one of not allowing outside connections to their client is an entirely different thing but they cannot even start solving that if they cannot get the required updates and extra software without getting infected.
Now, let me quote from the introduction of the thread on Slashdot that you referred me to:
> Again, NAT does not enhance security. It just doesn't. I don't understand why people think it does. The thing that enhances security is your firewall. So instead of pretending like you get security because connections aren't mapped in, you ship home routers with a rule that says no connections may be established from the "outside" to the "inside." Done. Then when someone wants an incoming connection, they tell the firewall to allow it.
So, what is said here is that you can do the exact same filtering without nat. That is absolutely true, but in no way says that NAT is NOT doing that, in fact it says you do the same but without the need for NAT.
Before it and after it the author of that bit rants on about how NAT is not providing any security, and goes on saying that NAT is evil and a problem for the internet without ever providing an argument as to why.
NAT has some serious problems indeed, but those mostly concern ipsec and hosting.
The thing is that some people want IPv6, often for good technical reasons, but those reasons just do not appeal at all to the average user. NAT gets around the one problem that would sort of reach the average user still, and as such is declared evil by IPv6 fanatics. Yes, it does have problems, just not for the large majority of its users.
Please come up with something better.
> That's just another chicken and egg problem.
Yes it is, it is also a real problem for as far as the introduction of IPv6 goes.
This simply means that different arguments are needed to get people to switch, and in fact, most people don't have to switch consciously; they could just get it enabled by default on the next PC they buy (this leaves a problem with DSL and cable modems, which is something an ISP should handle I think).
The introduction of IPv6 is something that needs to be done by ISPs and the producers of networking hardware and software.
There are those who prefer building and configuring their own computers and there are those who do not want to bother with that and rely on pre-installed systems with 'plug and play' internet connectivity.
Those who prefer building their own stuff will have to consciously switch, and I bet that a substantial part of the Slashdot crowd is among those.
Most home users are in the latter category however.
> As it is, hosting is inaccessible to the average person because it's difficult, in part by the lack of addresses.
Hmm, I wonder if it is such a bad thing that hosting is relatively difficult (not that that is a good excuse for having a lack of addresses and hence difficulty with getting extra ones).
Most people are not capable or willing to keep a single client machine secure, let alone a couple of devices that run some kind of internet server.
More IP space for the average user could be nice to have and indeed opens up all kinds of applications.
But most people will not even hear about those things until they are tried and tested and already accepted by those whom they consider knowledgeable on the issue.
So the argument is simply not going to appeal to, or even reach the average user, and nor should it until after they already have it (probably without even knowing it).
There are many valid arguments to make for replacing IPv4, but most of those are of interest to those who want to host their own things or deal with the infrastructure of the internet.
For the average end user those things won't matter until they can get the applications in a nicely packaged way that doesn't require reading a manual.
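A toy model of the NAT behaviour described above (outbound packets create state, inbound packets pass only if they match that state or a reverse mapping, everything else is dropped). This is an added example written for this page, not code from any poster or product; the addresses, ports and the exact matching rule (remote address and port are checked too, which not every consumer box does) are assumptions.

```python
PUBLIC_IP = "203.0.113.1"  # constructed public address (documentation range)

class Nat:
    """Minimal model of a consumer NAT: a state table plus optional reverse mappings."""

    def __init__(self):
        # (proto, private_ip, private_port, remote_ip, remote_port) -> public_port
        self.flows = {}
        # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.table = {}
        # optional 'reverse mappings' (port forwards): (proto, public_port) -> (private_ip, private_port)
        self.reverse = {}
        self.next_port = 40000

    def outbound(self, proto, src, sport, dst, dport):
        """Packet leaving on the public interface: translate the source, create/refresh state."""
        key = (proto, src, sport, dst, dport)
        pub_port = self.flows.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.flows[key] = pub_port
            self.table[(proto, pub_port)] = (src, sport, dst, dport)
        return (proto, PUBLIC_IP, pub_port, dst, dport)

    def inbound(self, proto, src, sport, dport):
        """Packet arriving on the public interface.

        Returns the translated packet if it relates to a known connection or a
        reverse mapping, else None: not translated and not forwarded. This is
        the implicit filtering the post talks about.
        """
        entry = self.table.get((proto, dport))
        # assumption: reply must come from the remote endpoint the host talked to
        if entry is not None and entry[2:] == (src, sport):
            private_ip, private_port = entry[:2]
            return (proto, src, sport, private_ip, private_port)
        forward = self.reverse.get((proto, dport))
        if forward is not None:
            return (proto, src, sport) + forward
        return None

if __name__ == "__main__":
    nat = Nat()
    print(nat.outbound("tcp", "192.168.1.10", 51000, "198.51.100.7", 80))
    print(nat.inbound("tcp", "198.51.100.7", 80, 40000))   # reply: passed
    print(nat.inbound("tcp", "198.51.100.7", 80, 40001))   # unsolicited: None
```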
> NAT does not filter anything.
Well, unless you configure it otherwise, it does in fact filter any connections coming from the outside.
A firewall is a barrier between 2 networks.. if it is a routing firewall it might indeed be filtering things. There are other types of firewall as well. An IP filter does not make a firewall in itself, and is not a required (tho a very useful in many cases) component of a firewall.
Then, regarding NAT and acting as a firewall..
I really suggest you go take a peek at the quality of state-keeping in the majority of consumer grade firewall packages (and don't give me iptables or pf or ipf or ipfw; while available to many people, those are not consumer grade firewalls, we are talking about ZoneAlarm and friends, the stuff that the large majority of people with computers can or did install). Then you might just start to see why a very simple router that does NAT results in a better firewall than many such packages on their own.
> What's neat is IPv6 does away with DHCP and BOOTP in almost exactly this manner. An IPv6 Address is subdivided into two addresses.
While informative in itself, what is the exact point of your explanation in this specific discussion?
The argument being made was that NAT was a problem, which I countered with pointing out that for most people NAT solves a problem instead of being one.
Yes there are other solutions to that problem as well, including IPv6.
For most people there is no need to replace a good enough solution with a possibly better one unless they actually get something for it that compensates the effort of getting the better than good enough solution.
> Which is one more step than a NAT box requires (for the same functionality as far as the home luser is concerned).
Uh yes, but one more step doesn't exactly make for a very complicated router setup. They already have to fill out a box with their username and password. I really do not see why there would be a problem in filling in a 3rd field (the contents of which are provided by the ISP just like the rest).
Argument was that NAT makes it a lot easier; well, it makes it easier but not a lot. I didn't think that was that hard to understand really, was it?
I do my own hosting and am quite aware of why people may want more than one address, but that is really not something that applies to the huge majority of people.
Hence, it is also not a convincing argument for most people.
Well, I agree with the easy argument but..
A router such as you describe could be made almost plug and play. Basically, all the end user would have to do is tell it the prefix of their local network; everything else can be auto configured, at least in theory.
(this is only really true if all you need is connect a single subnet to a remote network)
> Do you use NAT (a home router)?
> Blame your IPv4-based ISP for not having enough
> address space for you.
For most people NAT actually solves a problem instead of being one.
Yeah, for some people it would be nice to be able to have their toaster online and reachable through the internet as well, and lack of addresses can make that difficult, but most people do not have a big urge to do such things.
They do however have a problem with their computer and an unfiltered internet connection.
A router that does NAT happens to function as a pretty good IP filter with state-keeping that is extremely easy to configure.
> Do you run a web-hosting company?
> You probably know how expensive address space
> is.
Yep, sadly enough, IPv6 sounds more advanced, and thus will be more expensive. The people who market the stuff have absolute control over the supply so can set a price as they like.
> Pine... pine. Ah yes, I have that filed beside Elm and Mutt under "applications no newbie desktop Linux user will ever run, or even hear of".
I tend to agree with regards to Mutt and maybe elm..
But most non technical people that I know that have some experience with using Unix/Linux have seen Pine, if only coz usually the first Unix/Linux installation they happen to have used are university shell servers probably.
Yeah, I also found they want it on their desktop machine because it is easy to use and fast.
I think you are mistaken with regards to non technical users and using pine..
But one would hope that most people end up using something else on their desktop Linux machine, and probably they do.
> Well Windows' security might not be managable by a normal computer, but there seem to be a whole lot of people surviving just fine with an OS that was designed to be secure and easily usable...
You mean Linux (or Unix in general) ?
Easy to use for a relatively technical person? Sure. When properly set up, it can even be easy to use for non tech users.
Securable by someone who isn't technically inclined? Come back when you have non technical users understand things like init, rc scripts and the like. Who is going to be able to judge if whatever process is actually supposed to be there? Joe Sixpack?
Parent was referring to a security model that Joe Sixpack understands, not one that is understandable to someone who is actually seriously interested in the thing.
Compare:
You want to keep your house secure?
You lock everything that might be used to enter it.
Optionally, you install an alarm system.
You want to keep your computer secure?
(content of a book should follow, left out due to time and space considerations)
Or do you mean OS X?
Easy to use for the average person? no doubt about it. Easy to secure? see the part about Linux/Unix, for most parts OS X is not really different.
> Can anyone name a Linux mailreader which will automate the process of running an executable attachment by clicking on it?
Not as such.
I do know of a popular Unix based mail client that also runs on Linux.
This mail client has had so many security problems that would allow running arbitrary code (and that judging from its coding style is likely to contain quite a few undiscovered/unpublished ones still), that running attachments is not really needed.
The program is called Pine.
> PEOPLE AREN'T STUPID
Not as individuals usually, as a group they are.
> Blaming the software is like gun control, guns don't kill people, people kill people.
The software was sold for use in a system that can't afford downtime, especially unexpected downtime.
Whomever sold that software for that purpose as well as the people who bought it are to blame.
It is not like it is unknown that Windows (any version) is one of those systems that is not suitable for that (definitely not the only one).
Having some guy reboot such a system once a month to prevent it from crashing is like using duct tape to keep your car together.. sure, it will work for a while, but it is bound to fail, and as such can be no more than an emergency measure.