[personal profile] yesthattom
1995-8: Explaining over and over to people that when one uses NAT to “hide a company behind one IP address”, you get a certain amount of firewall protection “for free”

2008-9: Explaining over and over to people that with IPv6 you don’t need NAT, and you can STILL have a firewall.

Date: 2008-05-05 06:02 pm (UTC)
From: [identity profile] misteropinion.livejournal.com
Clearly, "those network guys" "forcing" the poor confused users to have a firewall is still the problem.

LOLz!

Date: 2008-05-05 06:24 pm (UTC)
From: [identity profile] sweh.livejournal.com
2008-9: Explaining to people that having NAT for your corporate networks so everyone has a 10.* address is a fscking pain in the arse when two companies merge because you're both using the same address space and so get conflicts! You now have to NAT _internally_ in the merged organisation, with all the resulting fsckups that'll cause.

Why yes; we've finally got rid of the NAT gateway resulting from the 2004 merger... and now we've just taken over someone else and have to start it all again.

GAH!

Date: 2008-05-07 03:31 am (UTC)
From: [personal profile] pvaneynd
2002-3: You are starting to realise that the decision to use per-country IP ranges when you deployed your WAN was not the cause of the problems. The true cause was allocating 1/8 to the USA, 2/8 to GB, 3/8 to France etc.

They got an inkling that something might be wrong when they tried to add country #127 and it really got funky when they asked the consultant (me) how they could 'access the internet without proxies'.

Oh and IPv6: I'm using a TCL script on my router to use 6to4 to distribute and route IPv6, so I'm farther along the road than my ISP :-).

Date: 2008-05-05 06:41 pm (UTC)
From: [identity profile] tcb.livejournal.com
This past weekend I found an old plotter map of the UUNET network from 96 and 97..

Date: 2008-05-05 08:15 pm (UTC)
From: [identity profile] edhorch.livejournal.com
It's going to be a long road, because you're going to have to explain it not just to lusers but to people like me who are experienced system admins, but only do a tiny bit of network admin (like lab private networks), and who know SFA about IPv6 other than it's been Right Around the Corner since the Eisenhower years.

Date: 2008-05-06 01:17 am (UTC)
From: [identity profile] awfief.livejournal.com
exactly.....besides "right around the corner" all I know is "I usually have to turn it off because it causes pains in the butts." And not nice butts.

However....I didn't know that you could have a firewall w/out a NAT and get the same result as an IPv4 firewall.....meaning I could VPN somewhere *and* print on my local network at the same time? that'd be sweet!

Date: 2008-05-06 04:02 am (UTC)
From: [identity profile] edhorch.livejournal.com
Actually, you can do that now if your VPN uses split tunneling, i.e., packets destined for the other end of the VPN (presumably your corporate network) go through the VPN tunnel, but packets destined for the Internet or other points on your home network don't.

And if you're setting up a net-10 LAN behind your NAT firewall, you can avoid the IP address conflict by making your network 10.13.37.x or some other middle octets that aren't likely to be stumbled on by someone else.
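Editor's note: the two points in the comment above (split tunneling is a routing decision, and a net-10 LAN picked inside someone else's range causes conflicts) are easy to see with a longest-prefix-match route lookup. The example below is added here and is not code from anyone in this thread; the addressing is constructed for the illustration (home LAN 10.13.37.0/24 as suggested above, an assumed corporate range of 10.20.0.0/16 behind the VPN, eth0 as the home interface, tun0 as the tunnel, and documentation addresses for the Internet side).

```python
from ipaddress import ip_address, ip_network


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, as a kernel does."""
    best = None
    addr = ip_address(dst)
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed addressing, not from the post: home LAN 10.13.37.0/24 (as the
# comment suggests), corporate network 10.20.0.0/16 assumed to sit behind the
# VPN, eth0 = home interface, tun0 = VPN tunnel, 198.51.100.5 = some Internet host.
LAN_ROUTE = ("10.13.37.0/24", "eth0")
CORP_ROUTE = ("10.20.0.0/16", "tun0")
# Split tunnel: only the corporate prefix is scooped up into the tunnel.
SPLIT_TUNNEL = [("0.0.0.0/0", "eth0"), LAN_ROUTE, CORP_ROUTE]
# Full tunnel: default route replaced by the VPN; the connected LAN route stays.
FULL_TUNNEL = [("0.0.0.0/0", "tun0"), LAN_ROUTE]

PRINTER = "10.13.37.5"
CORP_HOST = "10.20.1.7"
INTERNET = "198.51.100.5"


def where_does_it_go(routes):
    """Which interface each of the three destinations leaves by."""
    return {dst: route_lookup(routes, dst) for dst in (PRINTER, CORP_HOST, INTERNET)}


def conflict_demo():
    """What happens when the home LAN was picked inside the corporate range."""
    clashing_lan = ("10.20.3.0/24", "eth0")  # a /24 that also lives in 10.20.0.0/16
    routes = [("0.0.0.0/0", "eth0"), clashing_lan, CORP_ROUTE]
    return {
        "overlaps": ip_network(clashing_lan[0]).overlaps(ip_network(CORP_ROUTE[0])),
        # The more specific connected route wins, so a corporate host in
        # 10.20.3.x is sent onto the home LAN instead of down the tunnel.
        "corp_host_in_clash": route_lookup(routes, "10.20.3.9"),
        # Corporate hosts outside the clashing /24 still go through tun0.
        "other_corp_host": route_lookup(routes, CORP_HOST),
    }


if __name__ == "__main__":
    print("split tunnel:", where_does_it_go(SPLIT_TUNNEL))
    print("full tunnel: ", where_does_it_go(FULL_TUNNEL))
    print("clash:       ", conflict_demo())
```

With the split-tunnel table the printer and the Internet stay on eth0 and only 10.20.0.0/16 goes into tun0; with the full-tunnel table the Internet goes into the tunnel too, while the printer is still reachable only because the connected LAN route is more specific than the default. The clash case is the merger problem from earlier in the thread in miniature: once a local /24 overlaps the remote range, the longer prefix silently wins and part of the corporate network is unreachable.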

Date: 2008-05-06 04:37 pm (UTC)
From: [identity profile] yesthattom.livejournal.com
Firewalling (blocking certain ports in a particular direction) and NAT (hiding many IP addresses behind a single address) are orthogonal. It just turns out that since NAT blocks inbound ports (without special configuration) they both result in the same benefit: inbound connections are blocked.

With plain (non-NAT) firewalls, you would have, for example, 64.32.179.* in your office, and when you SSH out the connection looks like it comes from your actual address. The only reason that people couldn't SSH to your machine was due to the fact that your firewall would block inbound SSH connections. (Or, more accurately... block all inbound connections except a well-defined list).

This doesn't have anything to do with being able to print to a local network printer while on a VPN. The VPN needs to have a route table that determines which destinations are scooped up, encrypted, and sent down the VPN tunnel. Some VPN clients can't be configured to let you talk unencrypted to machines on your local network. On the other hand, some VPN clients are configured to not let you talk to local devices on purpose... security policy doesn't trust your local network.

Ok, that's a long answer to a short question... and probably covered things you knew already.

Tom
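Editor's note: Tom's point that filtering and NAT are orthogonal, and that both end up blocking unsolicited inbound connections, can be shown by running the same traffic through the same stateful policy with and without address translation. The model below is added here and is not code from anyone in this thread; it is a toy connection tracker, not a real packet filter. Addresses are constructed for the example: 64.32.179.0/24 is the office from Tom's comment, 10.13.37.0/24 is a private LAN behind a NAT box, 203.0.113.1 is that box's public side, and 198.51.100.x are hosts on the Internet (all documentation ranges except the office prefix).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


class StatefulFilter:
    """Minimal connection-tracking filter.

    The policy is identical with or without NAT: outbound flows are recorded,
    replies to recorded flows are accepted, anything else inbound is dropped
    unless it is on an explicit allow list. With nat_addr set, the filter
    additionally rewrites outbound source addresses and ports (masquerade).
    """

    def __init__(self, inside, allow_inbound=None, nat_addr=None):
        self.inside = ip_network(inside)
        # (external dst, dport) -> inside host allowed to receive new connections.
        # On a NAT box this is a port forward; on a plain firewall dst is the host.
        self.allow_inbound = allow_inbound or {}
        self.nat_addr = nat_addr
        self.flows = {}  # (src, sport, dst, dport) -> translated (src, sport) or None
        self._ports = itertools.count(40000)

    def outbound(self, pkt):
        """Inside -> outside: record the flow, translate the source if NAT."""
        assert ip_address(pkt.src) in self.inside
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            self.flows[key] = (self.nat_addr, next(self._ports)) if self.nat_addr else None
        xlate = self.flows[key]
        if xlate:
            return "ACCEPT", replace(pkt, src=xlate[0], sport=xlate[1])
        return "ACCEPT", pkt

    def inbound(self, pkt):
        """Outside -> inside: accept replies and allow-listed new connections."""
        for (src, sport, dst, dport), xlate in self.flows.items():
            ext_src, ext_sport = xlate or (src, sport)
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (dst, dport, ext_src, ext_sport):
                # Reply to a connection we opened: untranslate if NAT, deliver.
                return "ACCEPT", replace(pkt, dst=src, dport=sport)
        if not pkt.syn:
            return "DROP", None  # no state for it and not a new connection
        target = self.allow_inbound.get((pkt.dst, pkt.dport))
        if target is None:
            return "DROP", None  # the "inbound is blocked" behaviour both give you
        return "ACCEPT", replace(pkt, dst=target)


def demo():
    """Run the same traffic through a plain firewall and a NAT firewall."""
    # Constructed addresses: 64.32.179.0/24 office (from the comment), 10.13.37.0/24
    # LAN behind NAT, 203.0.113.1 NAT public side, 198.51.100.x Internet hosts.
    cases = {
        "plain": (StatefulFilter("64.32.179.0/24",
                                 allow_inbound={("64.32.179.10", 443): "64.32.179.10"}),
                  "64.32.179.20", "64.32.179.20"),
        "nat": (StatefulFilter("10.13.37.0/24", nat_addr="203.0.113.1"),
                "10.13.37.20", "203.0.113.1"),
    }
    results = {}
    for name, (fw, desktop, public) in cases.items():
        # 1. The desktop SSHes out; what does the far end see as the source?
        _, wire = fw.outbound(Packet(desktop, 51000, "198.51.100.5", 22, syn=True))
        # 2. The SSH server replies to whatever address it saw.
        v_reply, delivered = fw.inbound(Packet("198.51.100.5", 22, wire.src, wire.sport))
        # 3. Somebody on the Internet tries to SSH *in* to the same box.
        v_unsolicited, _ = fw.inbound(Packet("198.51.100.9", 4444, public, 22, syn=True))
        results[name] = {
            "seen_as": wire.src,
            "reply": v_reply,
            "reply_to": delivered.dst if delivered else None,
            "unsolicited_ssh": v_unsolicited,
        }
    # 4. Only the plain firewall has an allow-list entry: HTTPS to the web host.
    v_https, _ = cases["plain"][0].inbound(
        Packet("198.51.100.9", 4445, "64.32.179.10", 443, syn=True))
    results["plain"]["allowed_https"] = v_https
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two runs differ only in what the outside world sees as the source address (the desktop's real 64.32.179.20 versus the NAT box's 203.0.113.1) and in whether the reply has to be rewritten on the way back in; the verdict on the unsolicited inbound SSH is DROP in both. The allow-list entry shows the "well-defined list" Tom mentions: punching that hole is a filtering decision, and on a NAT box it additionally needs a translation entry, which is the "special configuration" he refers to.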

Date: 2008-05-06 02:36 am (UTC)
From: [identity profile] auntiemisha.livejournal.com
Jun 2009: end of Fortran predicted. :-)

Date: 2008-05-06 04:31 pm (UTC)
From: [identity profile] yesthattom.livejournal.com
I've never made a "ipv6 will be here in 1 year" prediction until now. I'm actually seeing movement in many areas. Plus, my "three preconditions" is starting to come true:
1. Cisco has IPv6 support in hardware, not in IOS
2. The 2-3 major OS vendors have good support (Linux, Solaris, and Windows all do)
3. A major ISP will support it (not yet, but they use it for their infrastructure)

I have to add a new pre-condition since writing those 3 many years ago: The home firewalls like Linksys need to support it. That hasn't happened yet, but they all use a stack that could support it (embedded linux) once the ISPs start asking them to enable it.

Page generated Feb. 12th, 2026 11:13 am
Powered by Dreamwidth Studios