aefstoggaflm (Open Source Fan, Premium, joined 2002-03-04, Bethlehem, PA, kudos: 2; reviews: Verizon Online DSL)
No need for each desktop to have its own IP Address? I heard someone say that..
quote: There's no reason at all for each desktop to have its own IP address. In fact it's a downright bad idea. That's what we have the various private IP address spaces like 10.0.0.0/8 for.
#1 Do you agree or disagree?
#2 Why or why not?
#3 Do you think they are implying that IPv6 is bad?
Thanks. -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.
JoelC707 (Premium, joined 2002-07-09, Stone Mountain, GA, kudos: 4)
I disagree. The driving force behind "not giving desktops a public IP" is, aside from the dwindling cache of IPv4 addresses, security related. While, yes, NAT provides great security, it's a form of security through obscurity. In other words you don't know the address of the source machine and can't even get to it unless there is a route of some kind through NAT in place.
The problem is NAT breaks things. Ever try to get SIP working through a NAT firewall? It can be done but it's a royal pain in the ass. Overall NAT isn't bad per se, it works well at its intended use but it has side-effects.
By the same token of security thru obscurity, IPv6 is sometimes seen as "bad". This is because everyone knows the direct address to your desktop. But with a proper network level firewall in place, nothing will get in regardless.
Compare this to a large corporation that has one main number with an operator or switchboard. You can call that main number and reach the president of the company. That same president likely also has a DID (Direct Inward Dial) number that when dialed will ring their phone directly. That DID is like a public IPv4 or IPv6 address; it can get you directly to that person/machine. The operator/switchboard main number is like using NAT with private IPs (extensions in the case of the phone system example). You reach the firewall/operator first and get directed to the private person/computer if they allow you to.
In the case of dialing a DID and bypassing the operator, that person's phone will always ring unless they have DND (Do Not Disturb) turned on or something of that sort. This is similar to a firewall rule. Similar to a public IP (be it IPv4 or IPv6), without a firewall in place if someone "dials" your IP address they will be let in every time. It's up to the firewall (or DND setting in the phone example) to stop them from getting in.
estover (Premium, joined 2004-03-16, Valencia, PA, kudos: 1)
said by JoelC707:
    I disagree. The driving force behind "not giving desktops a public IP" is, aside from the dwindling cache of IPv4 addresses, security related. While, yes, NAT provides great security, it's a form of security through obscurity. In other words you don't know the address of the source machine and can't even get to it unless there is a route of some kind through NAT in place.
    The problem is NAT breaks things. Ever try to get SIP working through a NAT firewall? It can be done but it's a royal pain in the ass. Overall NAT isn't bad per se, it works well at its intended use but it has side-effects.
I'll bet ya dollars to doughnuts the vast majority of home and small business users will still be using a NAT-type routing device long after the elimination of IPv4. They are not going to want to hire an IT person to come set up the new iPod or Wii. There is NO need for every device to have a GRIP.
JoelC707 (Premium, joined 2002-07-09, Stone Mountain, GA, kudos: 4)
Yeah they will probably be using some kind of NAT device but I'd say it'll be because the vendors like Linksys and Netgear will push it in some way saying it's still required. Sure I'd still use something for a firewall but even Cable/DSL modems are getting SPI firewalls built in (and even NAT in some cases) so you don't necessarily NEED a second device in most cases.
But fortunately IPv6 has a big advantage going for it. Stateless autoconfig and neighbor discovery protocol. In other words, as long as your modem/router has IPv6 on its LAN interface and is running router advertisements (doesn't even need to run DHCP) any IPv6 enabled device will automatically pick up an IP address and gateway. I've discovered it doesn't seem to always give me a DNS address though but I'm using pfSense as my firewall and its IPv6 code is alpha, maybe beta quality at best (though I have to admit, it works GREAT so far, no hiccups).
Basically with IPv6 people won't have to configure a DHCP server in their router/modems. ISPs won't have to push out a config file with their routed prefix to pre-configure DHCP. All the ISP needs to do is put their routed prefix on the LAN side and turn on announcements and everything is plug and play at that point.
IPv6 has a lot of FUD surrounding it and I'm sure many will flat refuse to adopt it even when faced with the choice of "adopt now or have no internet" which is why people need to see it's EASY to adopt and aside from legacy devices it should be a walk in the park.
Even the legacy devices should be moot once that phase comes around. Even Windows 2000 supports IPv6 which means only people with ancient computers still running 98 or older will have a problem. It's going to be many years before we are at a point of "adopt now or have no internet" and in that time the people still nursing those old computers for all they are worth could be convinced to upgrade (if they don't on their own given even things like Flash are getting heavy duty and can require something more than a 98 class machine).
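The stateless autoconfig JoelC707 describes above, walked through as an added example (this is editorial illustration code, not something any poster, pfSense or radvd ships): it decodes a constructed Router Advertisement Prefix Information Option the way a host would and derives the host's address from the advertised /64 with a modified EUI-64 interface identifier. The MAC address 00:1b:21:aa:bb:cc and the prefix 2001:db8:1::/64 are made-up sample values; the option layout and flag bits follow RFC 4861 and the identifier construction follows RFC 4291.

```python
"""Stateless address autoconfiguration (RFC 4862) by hand: parse one RA Prefix
Information Option (RFC 4861 s.4.6.2) and build an address from it with a
modified EUI-64 interface identifier (RFC 4291 app. A).
Added illustration for this thread; the MAC and prefix below are constructed."""
import ipaddress
import struct

PIO_TYPE = 3                 # option type: Prefix Information
PIO_FLAG_ONLINK = 0x80       # "L": prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40   # "A": hosts may autoconfigure from this prefix


def parse_prefix_option(opt: bytes) -> dict:
    """Decode a 32-byte Prefix Information Option as carried in an RA."""
    if len(opt) < 32:
        raise ValueError("option truncated")
    typ, length, plen, flags, valid, preferred, _reserved = struct.unpack("!BBBBIII", opt[:16])
    if typ != PIO_TYPE or length != 4:       # length is in units of 8 octets
        raise ValueError("not a Prefix Information option")
    prefix = ipaddress.IPv6Network((opt[16:32], plen))
    return {
        "prefix": prefix,
        "onlink": bool(flags & PIO_FLAG_ONLINK),
        "autonomous": bool(flags & PIO_FLAG_AUTONOMOUS),
        "valid_lifetime": valid,          # seconds
        "preferred_lifetime": preferred,  # seconds
    }


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle of the MAC and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Prefix (high 64 bits) OR interface identifier (low 64 bits).
    SLAAC only works with a 64-bit prefix, hence ISPs handing out a /64."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def autoconfigure(ra_options: list, mac: str) -> list:
    """What a host does with one RA: its link-local address first, then one
    address for every autonomous /64 prefix with a non-zero valid lifetime."""
    addrs = [slaac_address(ipaddress.IPv6Network("fe80::/64"), mac)]
    for raw in ra_options:
        pio = parse_prefix_option(raw)
        if pio["autonomous"] and pio["prefix"].prefixlen == 64 and pio["valid_lifetime"] > 0:
            addrs.append(slaac_address(pio["prefix"], mac))
    return addrs


def build_prefix_option(prefix: str, flags: int, valid: int, preferred: int) -> bytes:
    """Encode a PIO the way an advertising router would; used here only to
    produce the constructed sample input below."""
    net = ipaddress.IPv6Network(prefix)
    return (struct.pack("!BBBBIII", PIO_TYPE, 4, net.prefixlen, flags, valid, preferred, 0)
            + net.network_address.packed)


# Constructed sample RA content: one routed /64 with L and A set, lifetimes in seconds.
SAMPLE_MAC = "00:1b:21:aa:bb:cc"
SAMPLE_RA_OPTIONS = [
    build_prefix_option("2001:db8:1::/64", PIO_FLAG_ONLINK | PIO_FLAG_AUTONOMOUS, 2592000, 604800),
]

if __name__ == "__main__":
    for addr in autoconfigure(SAMPLE_RA_OPTIONS, SAMPLE_MAC):
        print(addr)
```

The default gateway comes from the RA itself (its source is the router's link-local address), but an RA only carries DNS servers if the router includes the RDNSS option (RFC 8106); without that the host needs DHCPv6 for DNS, which is one plausible reading of the missing-DNS symptom mentioned above. One caveat a practitioner will want: an EUI-64 identifier embeds the MAC in every address the host uses, which is why current stacks default to RFC 4941 temporary addresses or RFC 7217 stable opaque identifiers instead; the prefix handling above is the same either way, only the low 64 bits change.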
reply to aefstoggaflm
What is the security difference between stateful NAT and a stateful firewall? As far as I know the answer is none. They require much of the same code to manage protocol specific stateful session tracking. The difference seems to be one mangles packets while the other does not.
In my view the issue is NOT addressing. It is availability of necessary tools to ensure reasonable security policies are assigned by default to devices attached to the network. Users should have simple tools to understand and manage access to and from their devices. Unfortunately this appears to be severely lacking in IPv4 and IPv6 consumer gear on the market today.
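The point made in this post, and JoelC707's "it's up to the firewall" point earlier in the thread, in running code, as an added example that is not from either poster: a toy connection tracker used once as a stateful firewall and once as a stateful NAT. Both keep the same flow table and make the same accept/drop decision on inbound packets; the NAT subclass only adds the address and port rewriting. The class names are hypothetical, and the 10.0.0.x, 2001:db8::/32, 198.51.100.x, 192.0.2.x and 203.0.113.7 addresses are constructed documentation-range values.

```python
"""Toy connection tracker used two ways: as a stateful firewall and as a
stateful (masquerading) NAT. Added illustration for this thread, not code
from any poster or product; all addresses are constructed sample values."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Stateful firewall: forwards anything from inside unchanged and only
    admits an inbound packet that belongs to a flow an inside host started."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix   # string-prefix match stands in for a real route lookup
        self.flows = set()                   # (src, sport, dst, dport, proto) as seen on the outside

    def is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if self.is_inside(pkt.src):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return pkt                                        # forwarded as-is
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return pkt if reverse in self.flows else None         # None = dropped


class StatefulNat(StatefulFilter):
    """Same flow table, same accept/drop rule; the only extra work is mangling
    the source on the way out and un-mangling the destination on the way back."""

    def __init__(self, inside_prefix: str, public_ip: str, first_port: int = 40000):
        super().__init__(inside_prefix)
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside addr, inside port, proto) -> public port
        self.in_map = {}    # public port -> (inside addr, inside port, proto)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if self.is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.proto)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[self.next_port] = key
                self.next_port += 1
            pport = self.out_map[key]
            self.flows.add((self.public_ip, pport, pkt.dst, pkt.dport, pkt.proto))
            return replace(pkt, src=self.public_ip, sport=pport)          # mangled
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.dst != self.public_ip or reverse not in self.flows:
            return None                                                   # dropped
        inside_addr, inside_port, _ = self.in_map[pkt.dport]
        return replace(pkt, dst=inside_addr, dport=inside_port)           # un-mangled


def demo() -> dict:
    """Push the same three events through both devices and return what each did."""
    fw = StatefulFilter(inside_prefix="2001:db8:1::")
    nat = StatefulNat(inside_prefix="10.0.0.", public_ip="203.0.113.7")

    # 1. an inside host opens a connection to an outside web server
    fw_out = fw.forward(Packet("2001:db8:1::10", 51000, "2001:db8:ffff::80", 443))
    nat_out = nat.forward(Packet("10.0.0.10", 51000, "198.51.100.80", 443))

    # 2. the server replies to whatever source address it saw
    fw_reply = fw.forward(Packet(fw_out.dst, fw_out.dport, fw_out.src, fw_out.sport))
    nat_reply = nat.forward(Packet(nat_out.dst, nat_out.dport, nat_out.src, nat_out.sport))

    # 3. an unsolicited SSH probe from a third party, at the host's own address
    #    in the IPv6 case and at the public address in the NAT case
    fw_scan = fw.forward(Packet("2001:db8:bad::1", 4444, "2001:db8:1::10", 22))
    nat_scan = nat.forward(Packet("192.0.2.66", 4444, "203.0.113.7", 22))

    return {"fw_out": fw_out, "nat_out": nat_out, "fw_reply": fw_reply,
            "nat_reply": nat_reply, "fw_scan": fw_scan, "nat_scan": nat_scan}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {'DROPPED' if result is None else result}")
```

Both devices drop the probe in step 3 for the same reason, no matching flow, and that decision is the whole of the protection NAT provides; delete the NAT subclass and keep the filter and nothing is lost. Real trackers additionally expire flows, follow TCP state, and carry ALGs for protocols such as SIP that embed addresses in the payload, which is exactly where the rewriting in the NAT case starts breaking things.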
reply to aefstoggaflm
said by dslcreature:
    What is the security difference between stateful NAT and a stateful firewall?
None, as the first has nothing to do with security. Stateful NAT is for redundancy of NAT sessions between your N and N+1 router.
Otherwise, I think everyone else has pretty much hit it on the head.
Regards
rchandra (Stargate Universe fan, Premium, joined 2000-11-09, 14225-2105) | reply to aefstoggaflm
Re: No need for each desktop to have its own IP address?
1.) disagree
2.) "private" address space to my knowledge was created to get up-and-running w/o needing to be assigned addresses from IANA. When we started getting IPv4 address pressure, in came NAT and all its nastiness. Someone mentioned SIP (as one protocol that is just knobs-turned-up-to-12 nasty when it comes to NAT badness); how about interconnecting two organizations, both of whom chose to use the same internal addressing scheme with these RFC1918 addresses? (Think provider-client relationships, company mergers, and so on.) Saying "there's no reason for each device to have a unique address" is just shortsighted and shows basic ignorance of Internet protocols in general. One proto which got totally munched was the AH of IPsec. It just simply will NOT tolerate NAT, and that was purposeful.
3.) If anything, they're implying that IPv6 firewalling might be immature. It's not that it's bad, it's that people seem to be less experienced with it. There's nothing particularly bad about IPv6. It's just that some of the same (potential) mistakes were carried forward from IPv4, such as ARP becoming NDP (same spoofing attacks possible because of its multicast/broadcast nature). Since things like SEND are not as widely implemented, the proto suffers some of the same foibles. In this respect it's similar to authenticated SMTP; although some hosts implemented it, for backwards compatibility, it's not required. So we "bolt on" fixes, but since there's no way to get a billion people to do anything within days of one another, we muddle through phases of backwards compatibility.
In light of that, I think we may even have an IPv7, and hopefully we can point to IPv6 and its excruciatingly painful adoption, and can address as many issues as possible as quickly as possible and avoid as much of this migration pain as possible.
As usual, it's not technology that's the particular problem, it's economics. v6 has been around for a decade and a half, yet it's still pretty much an obscure rarity ( == geeky thing ) because for the vast majority of Internet participants, there isn't sufficient justification for either time or money to get even dual stacked. There have even been people who have argued with me on this site who steadfastly refuse even to budge towards IPv6 adoption because of their perception of, basically, "IPv4 works, and it'll work forever." Seems they'd rather die than learn something new or be inconvenienced in the least.
It's so incredibly chicken-n-egg, it's sickening. Imagine if one of the now incredibly popular services, for example Netflix, REQUIRED v6 access (let's just say it was their company policy, not that it is at all technically required for its operation). Because they want as wide an uptake as possible, it'd be financial suicide to have such a v6 only policy. All the crazy, nonsensical question/answer ads in the world would net them hardly any more customers because ISPs currently don't seem too particularly serious about offering v6 connectivity. And why should they? There's nothing which technically ABSOLUTELY REQUIRES v6. I'm not even sure if it would be enough incentive (and not be excessively economically harmful) if Netflix prioritized v6 traffic so that the v6 experience were better than the v4 experience.
Not that I at all like government solutions, but it's looking more and more like government fiat which will cause v6 uptake. Look at US DTV. It took the FCC/US government making analog TV transmission illegal past a certain date to get everyone migrated to DTV (and that is even incomplete, what with all the bolt-on converter boxen, and yeahhhhh.......(sigh) people like me clinging to NTSC cable service). After all, the fundamental purpose of government is to compel people to do what they ought, or more often not do what they ought not. -- English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.
Jeopardy! replies and randomcaps REALLY suck!
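The remark in this post that IPsec AH "will NOT tolerate NAT, and that was purposeful", shown as an added example (editorial illustration, not code from the poster or from any IPsec stack): the AH integrity check value is computed over the outer IP header as well as the payload, with only the fields an ordinary router is allowed to change zeroed out (DSCP/ECN, flags, fragment offset, TTL, header checksum, per RFC 4302 section 3.3.3.1). The source and destination addresses stay covered, so a NAT that rewrites one of them breaks the check while a router that decrements the TTL does not. The key, addresses and payload are constructed; HMAC-SHA-256-128 (RFC 4868) is assumed as the ICV algorithm.

```python
"""Why IPsec AH (RFC 4302) cannot cross a NAT: the ICV covers the outer IP
header minus its mutable fields, and the addresses are not mutable.
Added illustration for this thread; key, addresses and payload are constructed.
ICV algorithm assumed: HMAC-SHA-256-128 (RFC 4868)."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 16                 # 256-bit HMAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN        # fixed AH header + ICV = 28 bytes = 7 x 32-bit words


def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones'-complement IPv4 header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options, protocol 51 (AH), DF set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def immutable_part(ip_hdr: bytes) -> bytes:
    """Zero the mutable fields before the header goes under the MAC (RFC 4302 s.3.3.3.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)           # version, length, ID, protocol, src and dst remain covered


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes, spi: int = 0x100,
                    seq: int = 1, next_header: int = 17) -> bytes:
    """Sender: IP header + AH (next header, payload len, reserved, SPI, seq, ICV) + payload."""
    ip = ipv4_header(src, dst, 20 + AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, immutable_part(ip) + ah_fixed + bytes(ICV_LEN) + payload,
                   hashlib.sha256).digest()[:ICV_LEN]
    return ip + ah_fixed + icv + payload


def verify_ah(key: bytes, pkt: bytes) -> bool:
    """Receiver: recompute the ICV over the same bytes (ICV field zeroed) and compare."""
    ip, ah, payload = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    expected = hmac.new(key, immutable_part(ip) + ah[:12] + bytes(ICV_LEN) + payload,
                        hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(ah[12:], expected)


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a source NAT does on the way out: new source address, checksum fixed up."""
    h = bytearray(pkt[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def router_decrement_ttl(pkt: bytes) -> bytes:
    """What every ordinary hop does: TTL minus one, checksum fixed up. Both fields are mutable."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    """Same packet: verified as sent, after a normal router, and after a NAT."""
    key = b"constructed-demo-key-not-for-real-use"
    pkt = build_ah_packet(key, "10.0.0.10", "198.51.100.80", b"hello over AH")
    return {
        "as_sent": verify_ah(key, pkt),
        "after_router": verify_ah(key, router_decrement_ttl(pkt)),
        "after_nat": verify_ah(key, nat_rewrite_source(pkt, "203.0.113.7")),
    }


if __name__ == "__main__":
    for stage, ok in demo().items():
        print(f"{stage:13s} ICV {'valid' if ok else 'INVALID'}")
```

Only the fields a router is entitled to touch are excluded from the MAC, which is the whole design intent: AH is meant to detect exactly the kind of rewriting a NAT performs. ESP does not cover the outer IP header at all, which is why ESP with UDP encapsulation (NAT-T, RFC 3948) is the usual way IPsec crosses a NAT, and why AH remains NAT-hostile by design rather than by accident.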
rchandra (Stargate Universe fan, Premium, joined 2000-11-09, 14225-2105) | reply to JoelC707
I'm not so sure it will be that simple. Being multicast technologies, my "inside" hosts would never see TWC's RAs, NDs, etc. unless I bridged my LAN and WAN interfaces. But I don't think I want to do that either, as there is still a NAT requirement for IPv4, plus the desire for centralized firewalling of both address families.
Ideally, I'd like to be assigned a /64 (or larger) subnet, and be done with it. But things being the way they are, their CMTS will probably not like to do things like that. They'll probably want me to do DHCPv6. Big-time hopefully, this will be in the form of INFOREQ which will assign me a /64, then I can act accordingly with updating my radvd config and restarting it. But more likely, they'll want all my hosts to do DHCPv6 SOLICITs, and that'll likewise require bridging for those broadcasts to get through. (As I see my config allows me to have 5 IPv4 addresses, I've tried an IPv4 DHCP relay, but with bad results (no replies). So I'm not hopeful I can keep my current LAN-router-WAN topology, which would be preferred for centralizing firewalling.) -- English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.
Jeopardy! replies and randomcaps REALLY suck!
AVonGauss (Premium, joined 2007-11-01, Boynton Beach, FL) | reply to aefstoggaflm
Re: No need for each desktop to have its own IP Address? FWIW, most ISPs seem to be getting closer to agreeing to provide each residential customer a /64.