NAT, ATM, decentralized search – and other outrageous opinions from the 1990s

Re: Year End Reminiscing

And here we are, first with Skype and then with Zoom, Teams, Meets, WhatsApp etc all proving the opposite: there is zero QoS on the Internet and it works just fine.

Nope, I suspect you just don't notice when it doesn't. But then people often don't understand how QoS and CoS really work, namely when there's congestion. So currently real-time stuff sorta works because the 'solution' has been to throw bandwidth at the problem. When that stops due to lack of money to invest in capacity upgrades, those apps will gradually degrade.

I also kinda wonder if 'works just fine' is because we're now into a generation that doesn't know any better. So people who've never made say, an ISDN call think that a heavily compressed and lossy VoIP call is acceptable. Huh, say again, I didn't catch that, you're breaking up..

Having wider broadband connections has helped a bit. So not that long ago when xDSL connections were 2Mbps, on a video call it was usually obvious when someone was sending a large file or attachment.

Re: Year End Reminiscing

"Your corporate network, which has tons of bandwidth compared to your external Internet link, has even less need of QoS."

It seems there are still people around that rely on wishful thinking and maybe even salestalk magick to convince "the market" that latency doesn't matter.

Well the real world at the sharp end says it does still matter, especially if you want to be able to rely on systems, be it for voice calls or for data storage or whatever. Not everywhere, obviously. But it can't be completely ignored.

Re: Year End Reminiscing

> ...with Skype and then with Zoom, Teams, Meets, WhatsApp etc all proving the opposite: there is zero QoS on the Internet and it works just fine.

I grant your point, for some poor excuse for "fine".

I have worked in radio, telephone, and sound reinforcement. Last week we ZOOMed the whole family in three states and another country. Most ZOOM(etc) sound is crap or worse. If I delivered that warbley bassless garble to any of my old customers I would not submit an invoice.

Yes, I admit the ZOOM/etc programmers have made about the best of a poor channel. (Dunno why they don't degrade the video faster. Most webcams don't have the resolution to lip-read fluidly. Or why bass is lost so easy, making a toilet-paper roll resonance, like a 1973 fuzz-pedal.)

Re: Year End Reminiscing

And here we are, first with Skype and then with Zoom, Teams, Meets, WhatsApp etc all proving the opposite: there is zero QoS on the Internet and it works just fine. Your corporate network, which has tons of bandwidth compared to your external Internet link, has even less need of QoS.

When my employer rolled out Teams and people started using it, I recall many a meeting where we reverted to Skype because Teams wasn't just "bad", it was unintelligible. Once the complaints started rolling in, our It people fiddled with the networks to give Teams it's own pipeline (mumble mumble, something about multiple pipes in the VPN, mumble mumble) like Skype had in order to make it work. Unfortunately, Teams now "works"* as well as Skype so is used a lot.

So no, on our scale - lot the largest UK Gov dept, but one of the larger ones - it doesn't "just work" without some network engineering to make it work.

* I say "unfortunately" because I hate Teams, I really really hate it. There's a saying about polishing a turd, and then there's Teams which I feel seems to have been through the "how can we add annoyances for users" department more than once.

Re: Living with NAT became more important

NAT doesn't actually block incoming connections.

Without defining port-forwarding, NAT has no route for incoming connections that are not in response to an outgoing one. That to me is tantamount to blocking!

Re: Living with NAT became more important

Your response is, of course, perfectly correct and you could implement an equivalent firewall in the absence of NAT that permitted only outbound connections by default.

The fact that you've been down-voted only illustrates that the lack of skill I mentioned has persisted.

However, the truly scary thing is that the people who believe their LAN is being protected by NAT are often the same people who are quite happy for their no-brand IoT box to provide a bidirectional relay to an unspecified server in the darkest reaches of the Internet.

HINT: Outbound connections are as dangerous as inbound connections if you didn't initiate them and don't know what they're doing.

If you're willingly inviting the Trojan Horse through the gates, there's not much that can be done to protect you.

Re: Summary of the NAT Security debate....

The downside being all the effort needed to workaround the borkage of NAT (or more correctly, NAPT, Network Address and Port Translation*). In some ways, the invention of NAPT set us back a couple of decades by removing (for many) the idea that there was still a problem to be addressed.

I reckon if half the effort (and investment) that went into NAT - implementing it, working around it's borkage - had gone into IPv6 then we'd be wondering what the fuss was by now and IPv4 would be like vinyl records, Betamax video tapes, etc.

* Implementations differ widely. Some try and keep the port number the same unless it's already in use for another device. Lets say you have two SIP VoIP phones, both use the SIP port (normally 5060, usually UDP) to call out to the "phone system". The first one may get to use port 5060, the second one will get translated to a different number.

Re: Natty

NAT has it's problems for when you do need to connect peer to peer, but solutions were found.

Alas, I am thinking of UPnP which blew away many of the security gains from NAT's default behaviour!

But it is a tricky problem for Joe Average who has no networking knowledge at all but wants XYZ service to "just work".

Re: Natty

>Note that this diffusion occurs out-of-the-box with IPv4+NAT - no configuration, additional software, or expert knowledge required.

It also happens on v6 without NAT, thanks to privacy extensions which are typically enabled without needing configuration, additional software or expert knowledge.

>If you can post the link to the relevant mailing list archive or similar I'll gladly be corrected. My current impression is that IPv6 was designed on a dogmatic "everything should be host to host because that's how the Internet was originally intended" while ignoring the contemporary real world consequences of that architecture.

Of course I don't have a convenient mailing list quote covering this. They didn't sit around having inane conversations about how they weren't doing something that makes no sense in the first place. You're right that v6 was designed to have enough address space for everyone; my correction here was to point out that NAT doesn't provide increased security and that v6 has a thing to obscure which machine is doing a given connection, and therefore that v6's design isn't "myopically ignoring security and privacy". In fact security and privacy are both covered in v6.

>Another example: After connecting to a VPN for privacy I checked online if it was working as intended. While my IPv4 address was detected as that of the VPN server, my original IPv6 address was still leaking. Ah yes, my bad, forgot to disable IPv6 on the new router. Your average home user has no chance.

This is simply an example of you wanting to put your traffic over a VPN but forgetting to do so (and then, apparently, disabling the entire protocol stack for some reason instead of doing what you wanted to do in the first place). It has nothing to do with the design of v6.

Average home users stand no chance with anything. It's up to us to know what we're doing, for their sake, or else to step back and leave things in the hands of people who do know.

>NAT isn't more secure in itself. However it's a lot easier to secure a router (and even that gets fraked up as we know) which has a limited task and fixed hardware compared to securing a general purpose user device.

This is true enough, but why is NAT even being mentioned here? If anything it gets in the way of securing the router, because if you think NAT is giving you security, you're more likely to fail to implement actual security (i.e. a firewall).