Re: Let's talk about yum and p2p in Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Marko Vojinovic wrote:
> On Sunday 26 December 2010 22:11:17 you wrote:
>> On 12/26/2010 02:40 PM, Marko Vojinovic wrote:
>>> The only permanent solution to usability of p2p in general is IPv6, where
>>> all addresses will be public and thus accessible from outside. And IPv6
>>> would fix other protocols broken by introduction of NAT, not just p2p
>>> stuff.
>>
>>    Why would anyone want all internal machines public anyway ?
>>
>>    Historically, we used nat for 2 purposes:
>>
>>      (1) to shield inside machines
>>      (2) free up ipv4 (was an accidental consequence of (1)
>
> There was a quite large thread on the CentOS list recently about this.
>
> In a nutshell, the conclusion is that (1) is an urban legend --- NAT *does*
> *not* (and moreover, *should* *not* ) shield your inside machines from outside
> attacks. You still need to use the proper firewall for shielding.
>
> The only benefit of NAT is (2), ie. artificially enlarging the scope of
> available v4 IP numbers, at the price of breaking functionality. And this is
> not a consequence of (1), but rather the primary reason why NAT was introduced
> in the first place.
>
Clearly you have little understanding of the other uses of NAT, one of which is 
connect redirection. For instance, when I get a connect to an IP and port, it 
allows me send the connection to some machine inside the firewall without having 
to have the rest of the machine ports available or the "real" IP visible. I 
realize that somehow you have convinced yourself that not allowing everyone on 
Earth to bang on every machine somehow is bad or unnecessary, and that every 
machine running every OS can somehow be protected by a firewall, but in practice 
this doesn't work most of the time. What is possible in theory with a perfect 
firewall doesn't happen and/or take a huge investment in effort and auditing to 
approximate.

But when the service is being moved to another host, with NAT new connections 
are simply sent to another host, leaving existing connections to taper off in 
some non-disruptive manner. Yes this can be done at lower levels, with complex 
routing at the MAC level, but there is no joy in doing things the hard way just 
because it is possible.

NAT can even be used for load balancing including fail-over, and again there are 
other ways, but little to be gained by doing it at lower levels.

Please understand which problem set is most simply solved by NAT (or anything 
else you suddenly decide is obsolete). IPv6 solutions will undoubtedly be 
different, but don't just make a generalization because you want it to be true.
> After IPv6 gets introduced, the number of available IP addresses will be more
> than enough to eliminate any need for NAT, while for security you'll still use
> the same firewall as you needed to do with IPv4. The net gain is that protocols
> that were broken by NAT will not be broken anymore, in addition to the larger
> address space.
>
> Of course, some people will remain dense forever and keep implementing NAT
> even in IPv6, with an illusion that it will improve their security. Those
> people cannot be helped, unfortunately... ;-)
>
> Best, :-)
> Marko
>
>
>
>


-- 
Bill Davidsen <davidsen@xxxxxxx>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux