nanog mailing list archives

Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6


From: Lee Howard <Lee () asgard org>
Date: Thu, 17 Jan 2013 11:01:10 -0500



On 1/17/13 9:54 AM, "William Herrin" <bill () herrin us> wrote:

> On Thu, Jan 17, 2013 at 5:06 AM, . <oscar.vives () gmail com> wrote:
>> The people on this list have an influence in how the Internet runs, hope
>> somebody smart can figure how we can avoid going there, because there
>> is frustrating and unfun.
>
> "Free network-based firewall to be installed next month. OPT OUT HERE
> if you don't want it."

I haven't heard anyone talking about carrier-grade firewalls.  To make CGN
work a little, you have to enable full-cone NAT, which means as long as
you're connected to anything on IPv4, anyone can reach you (and for a
timeout period after that).  And most CGN wireline deployments will have
some kind of bulk port assignment, so the same ports always go to the same
users.  NAT != security, and if you try to make it, you will lose more
customers than I predicted.


> It's not a hard problem. There are yet plenty of IPv4 addresses to go
> around for all the people who actually care whether or not they're
> behind a NAT.

I doubt that very much, and look forward to your analysis supporting that
statement.

Lee



> Regards,
> Bill Herrin
>
> -- 
> William D. Herrin ................ herrin () dirtside com  bill () herrin us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
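
The behaviour described in the reply above, as an added example that is not part of the original message: a toy model of a CGN with bulk per-subscriber port blocks, comparing full-cone filtering with a mode that only admits sources the subscriber has already contacted. The class, function names, addresses, block size and timeout are all constructed assumptions, not values from any real deployment.

```python
# Added illustration: toy CGN model. Addresses, block size and timeout are constructed.
BLOCK_SIZE = 1000   # assumed ports handed to each subscriber in bulk
FIRST_PORT = 1024
TIMEOUT = 120       # assumed idle timeout for a mapping, in seconds

class CGN:
    def __init__(self, full_cone):
        self.full_cone = full_cone   # True: any source may use a live mapping
        self.subscribers = []        # order of first appearance fixes the port block
        self.mappings = {}           # external port -> mapping state

    def port_block(self, sub_ip):
        """Bulk assignment: the same subscriber always gets the same port range."""
        if sub_ip not in self.subscribers:
            self.subscribers.append(sub_ip)
        start = FIRST_PORT + self.subscribers.index(sub_ip) * BLOCK_SIZE
        return range(start, start + BLOCK_SIZE)

    def outbound(self, sub_ip, sub_port, dst, now):
        """Subscriber sends to dst (ip, port); returns the external port used."""
        for port, m in self.mappings.items():
            if m["inside"] == (sub_ip, sub_port):   # reuse the existing mapping
                m["peers"].add(dst)
                m["last"] = now
                return port
        port = next(p for p in self.port_block(sub_ip) if p not in self.mappings)
        self.mappings[port] = {"inside": (sub_ip, sub_port), "peers": {dst}, "last": now}
        return port

    def inbound(self, src, ext_port, now):
        """Packet from src (ip, port) to ext_port; returns inside endpoint or None."""
        m = self.mappings.get(ext_port)
        if m is None or now - m["last"] > TIMEOUT:
            return None              # no live mapping: dropped
        if self.full_cone or src in m["peers"]:
            return m["inside"]       # forwarded to the subscriber
        return None                  # source was never contacted: filtered

def compare(stranger=("203.0.113.9", 40000), server=("198.51.100.5", 443)):
    """Same traffic through both filtering modes; returns what got through."""
    out = {}
    for name, mode in (("full_cone", True), ("restricted", False)):
        nat = CGN(mode)
        port = nat.outbound("100.64.0.10", 5000, server, now=0)
        out[name] = {"port": port,
                     "stranger_t30": nat.inbound(stranger, port, now=30),
                     "server_t30": nat.inbound(server, port, now=30),
                     "stranger_t500": nat.inbound(stranger, port, now=500)}
    return out
```

In the full-cone run the unsolicited source is forwarded to the subscriber at t=30 and is dropped only after the mapping has idled past the timeout, while the restricted run forwards only the contacted server. The fixed port block means the same external ports map to the same subscriber on every run.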





