[Politech] Replies to John Walker, NATs, and lights going out on Internet

From: Declan McCullagh (declan@private)
Date: Mon Mar 22 2004 - 23:12:34 PST


    -------- Original Message --------
    Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
    Date: Tue, 23 Mar 2004 00:47:28 +0100 (CET)
    From: Thomas Shaddack <shaddack@private>
    To: Declan McCullagh <declan@private>
    References: <405F2A71.7060102@private>
    
    
    The issue is serious, but not as hot as it may seem. There are powerful
    counter-forces in the game.
    
    First, not all the customers are know-nothing sheep, and many of the
    others insist on using features that don't play well with NAT, e.g. various
    P2P telephony products or - more often - multiplayer games. Both these
    subgroups drive demand for non-NAT connection, and hopefully educate
    other potential customers.
    
    Then there is the pending IPv6 roll-out. Japan and China, with their IPv4
    address space lack, drive this; once they succeed, other countries will
    follow; there are some IPv6 efforts in Europe (don't ask me for details).
    
    Even without that, the very architecture of the world is fundamentally
    P2P; people know each other, are friends or business partners. If both
    sides of a want-to-make phone call are locked behind a NAT, they need a
    third party to act as a packet reflector. If at least one of them has a
    friend who operates a suitable server, their day is saved. With a suitable
    micropayment architecture, providers of such packet mirrors could become a
    cozy niche market. A suitable protocol for discovery of the best packet
    mirror with least line latency and least load would have to be developed,
    but that is something far within the existing technological limits. VoIP
    presents special challenge because of its sensitivity to latencies, but
    all kinds of other transfers could be done that way as well. Or, instead
    of micropayments, some ISPs could offer a subscription service for a
    connection negotiation service; $5 for gigabyte is something many people
    would be willing to pay, while keeping the service profitable, as it can
    be located on cheap fat pipe with a single IP, if a suitable protocol
    would be designed.
    
    NAT is a threat to the current paradigm of the Net. However, the
    individual-as-publisher role isn't necessarily endangered. Though some
    creativity and forethought on the side of the developers is likely to be
    required.
    
    The basic rule is to never lose hope. There is always a solution.
    
    
    
    
    
    
    -------- Original Message --------
    Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
    Date: Mon, 22 Mar 2004 13:00:57 -0800
    From: Brad Templeton <btm@private>
    Organization: http://www.templetons.com/brad
    To: Declan McCullagh <declan@private>
    CC: politech@private
    References: <405F2A71.7060102@private>
    
    
    While agreeing with John on the evils of NAT, there is, to use
    a delicious pun, light at the end of the tunnel.
    
    I have real optimism for the deployment of IPv6, thanks to a
    decision by Microsoft to embrace it.  They have put not just
    v6 support into XP, but also support for automatic 6 over 4 tunnels,
    allowing disconnected islands of IPv6 to communicate.
    
    More is needed, of course.  The NAT vendors should put in support
    for v6 and the tunnels (though the ones MS is using don't need
    that support directly from most NATs).   And the ISPs should
    support it -- when I asked my own small ISP for v6, he said I
    was the first to ask.
    
    (I wonder if with some ISPs the fact that they get to charge
    monthly rental for static v4 addresses encourages them to delay?)
    
    In addition, we're getting much better at NAT penetration for
    UDP.  In general, it can be done for 90% of users behind typical
    household NATs, though a central "introduction" server, on the
    real internet, is needed.
    
    Skype, which many of you have seen, does a very seamless job of
    NAT penetration, presumably relying on unknowing P2P proxies for
    those 10% of users behind symmetric NATs.
    
    Microsoft fortunately (in this case) has the power to pressure
    NAT vendors, router vendors and ISPs to support what it wants
    supported.
    
    
    
    
    
    -------- Original Message --------
    Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
    Date: Mon, 22 Mar 2004 19:43:45 -0800
    From: mournian@private
    To: Declan McCullagh <declan@private>
    References: <405F2A71.7060102@private>
    
    In other words, That's the Night the Lights went out in Georgia. The Big
    Boys are building the walls, and closing the gates. No more freestyle on the
    Internet.
    
    Tony
    
    
    
    
    
    -------- Original Message --------
    Subject: RE: [Politech] John Walker on NAT and "lights going out across the Internet"
    Date: Mon, 22 Mar 2004 20:34:29 -0800
    From: Ali Farshchian <ali@private>
    To: Declan McCullagh <declan@private>
    
    Some related CircleID posts and discussions on John Walker's...
    
    - "Lights Going Out on the Internet? Not Just Yet"
    http://www.circleid.com/article/453_0_1_0_C/
    
    "In his article titled, "End of Life Announcement", John Walker (author of
    the Speak Freely application) makes a few arguments about Network Address
    Translation (NAT) that are simply not true..."
    
    There has been quite a number of interesting discussions on the topic of
    Network Address Translation (NAT) on CircleID which may also be of interest
    to Politech readers:
    
    - "IP or NAT IP: Mostly IP"
    http://www.circleid.com/article/494_0_1_0_C/
    
    - "Why NAT Isn't As Bad As You Thought"
    http://www.circleid.com/article/447_0_1_0_C/
    
    - "NAT: Just Say No"
    http://www.circleid.com/article/355_0_1_0_C/
    
    
    
    
    -------- Original Message --------
    Subject: Re: [Politech] John Walker on NAT and 'lights going out across the Internet'
    Date: Mon, 22 Mar 2004 13:13:40 -0800 (PST)
    From: Barclay McInnes <barc@private>
    To: <declan@private>
    References: <405F2A71.7060102@private>
    
    Hi Declan;
          Normally I'd let this pass, but Mr. Walker is either really thick
    headed (which I doubt very much considering his background and the
    work he's done) or is being deliberately disingenuous/misleading.
    
    
     >      A user behind a NAT box is no longer a peer to other sites on the
     > Internet.
    
    This statement by itself is correct.
    
     > Since the user no longer has an externally visible Internet Protocol
     > (IP)  address (fixed or variable), there is no way (in the general
     > case--there may be  "workarounds" for specific NAT boxes, but they're
     > basically exploiting bugs  which will probably eventually be fixed) for
     > sites to open connections or  address packets to his machine. The user
     > is demoted to acting exclusively as a  client.
    
    This is most assuredly not correct.  Pretty much every NAT device or
    software package on the market allows the user(s) to specify whether or
    not they want to pass ports through to a particular machine inside the
    private network.  These are not "bugs" but rather features, prominent
    features at that.  The catch is that you cannot arbitrarily pass the same
    port to several machines unregulated, but only one.
    
     >While the user can
     > contact and freely exchange packets with sites not  behind NAT boxes, he
     > cannot be reached by connections which originate at other  sites.
    
    Unless the user has specified that port X goes to his machine inside the
    network.  I do this all day, working with a boatload of machines that are
    behind NAT boxes.  In fact, my company's servers are all behind a NAT
    device.  This includes a web server, a mail server, a DNS server, and an
    LDAP server.  All I do is pass the particular port on to the appropriate
    box (80 for web, 25, 110 and 143 for mail, etc).
         There are several advantages to doing this, one is of course
    dramatically improved security.  A lot of exploits will open obscure
    ports to the cracker in question to allow them access.  With my
    situation, even if someone did get that port open, they can't use it
    because that port is only open if you're on the private NAT network.
    
     > In
     > economic terms, the NATted user has become a consumer of services
     > provided by a higher-ranking class of sites, producers or publishers,
     > not  subject to NAT.
     >
    
    And this is different from all of those temporary DHCP'd dial-up users
    that were predominant in the 90's and early 2000s how?
    
     >      There are powerful forces, including government, large media
     > organisations,
     > and music publishers who think this situation is just fine.
    
    This is tin-foil hattery at its finest.  The music industry for example
    couldn't tell you what NAT even stands for, much less what it does.  And
    Napster, Kazaa, Limewire, Morpheus and all of those other "enemy of the
    musician's rights" softwares all work just peachy keen through NATs
    anyway.
    
     > In essence,
     > every  time a user--they love the word "consumer"--goes behind a NAT
     > box, a site which  was formerly a peer to their own sites goes dark, no
     > longer accessible to others  on the Internet, while their privileged
     > sites remain. The lights are going out  all over the Internet. My paper,
     > The Digital Imprimatur, discusses the technical  background, economic
     > motivations, and social consequences of this in much more  (some will
     > say tedious) detail.
    
          This sounds like a lament for the destruction of the early 90's
    Internet, and it is.  It is a damn shame, I will admit.  I too would
    love to have those days back, but it's not going to happen.
    
     > Suffice it to say that, as the current migration
     > of individual Internet users to broadband connections with NAT proceeds,
     > the  population of users who can use a peer to peer telephony product
     > like Speak  Freely will shrink apace. It is irresponsible to encourage
     > people to buy into a  technology which will soon cease to work.
    
          Simply put, NAT makes sense for too many reasons not to do it.  The
    worm issue alone is sufficient argument for NAT.  Frankly, I think all
    broadband users should use NAT devices, as soon as possible.  It's
    all these broadband users who have no concept of security (nor should
    they be expected to, based on their level of expertise with
    computers) who are the principle problem whenever one of these new
    worms is released.  All of their machines are directly on the
    Internet, waiting for their neighbor's infected machine to come
    infect them too, and then when they get infected, their box starts
    scanning around, looking for victims of its own.
          That couldn't happen if they were behind a NAT device, since the
    necessary direct connection to the potential victim isn't there.
    Even a security program running on the machine like BlackICE defender
    is not sufficient, as last week's worm that specifically exploits
    that package demonstrated.
          This is a real issue.  Here's an anecdote about how bad it is.  I
    reinstalled Windows XP on a box at an acquaintance's residence who
    has broadband cable.  After XP was installed, I connected to the
    broadband connection, to do all of the Windows updates (including the
    security updates).  Before we had finished getting the list of
    updates from Windows Update, the newly installed machine had already
    become infected with a worm.  We're talking less than 10 minutes on
    the connection!  I formatted the drive again, redid XP again, and
    drove it over to my place to do the updates from behind my NAT.
    Afterwards I told my acquaintance to go buy a NAT device immediately.
      From that moment forward I was convinced that everyday joes using
    broadband should not ever have a direct connection to the 'net.
    
          Mr. Walker's Speak Freely will not work directly behind a NAT
    *without the user taking extra steps to enable it*, and for his
    package that is unfortunate.  But there are a raft of other packages
    that will work just as well or better.  Asterisk is one
    (www.asterisk.org), Teamspeak (www.teamspeak.org), etc.  There's a
    bit of effort involved with getting all of these packages to work,
    but that's on setting up a server.  Once that's going, anyone behind
    NATs will have no issues.
    
          It just seems to me that it's grossly unfair for him to classify NAT
    as a bad thing because in no small part his software won't work
    anymore without extra user effort.  I agree that NAT could have the
    effects he describes and be a Very Bad Thing indeed if your ISP
    suddenly decided to put all of their customers on a private network,
    but that's not how NAT is used in today's world.  Everyone gets a
    real IP address, and the NAT box that they have control of goes on
    that, and lets everyone in the house connect to it from there.  Or,
    in the business world, everyone at the office is behind a NAT that
    the company has set up.  And in the business world, you're there to
    work, not use peer-to-peer apps anyway.  If something is being
    blocked by the NAT that is important to the company, the person
    running the NAT will be able to adjust to allow it through.  No
    problem.
    
    Barclay McInnes
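
    The two NAT behaviours the replies above describe, Brad Templeton's UDP
    NAT penetration through an "introduction" server (and why it fails for
    the symmetric-NAT minority, who then need a relay or "packet reflector"
    as Thomas Shaddack describes) and Barclay McInnes's one-port-to-one-host
    forwarding, as an added Python model; this is not code from the thread or
    from any product named in it, and every address, host and port is
    constructed for the illustration.

```python
"""Toy model of NAT behaviour discussed in the thread (constructed example).

Endpoints are (ip, port) tuples. Addresses come from the RFC 5737
documentation ranges and are made up for this model; the cone case is
simplified to a full-cone NAT.
"""
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    symmetric: bool = False   # True: a fresh external port per destination
    forwards: dict = field(default_factory=dict)  # ext_port -> inside endpoint
    mappings: dict = field(default_factory=dict)  # key -> ext_port
    reverse: dict = field(default_factory=dict)   # ext_port -> inside endpoint
    next_port: int = 40000

    def forward_port(self, ext_port, inside):
        """Static forwarding: an external port goes to exactly one inside host."""
        if ext_port in self.forwards:
            raise ValueError(f"port {ext_port} already goes to {self.forwards[ext_port]}")
        self.forwards[ext_port] = inside

    def outbound(self, inside, dst):
        """Inside host sends to dst; returns the public endpoint dst will see."""
        key = (inside, dst) if self.symmetric else inside
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.reverse[self.next_port] = inside
            self.next_port += 1
        return (self.public_ip, self.mappings[key])

    def inbound(self, ext_port, src):
        """Packet from src hits ext_port; returns the inside endpoint, or None if dropped."""
        if ext_port in self.forwards:            # explicitly opened port
            return self.forwards[ext_port]
        inside = self.reverse.get(ext_port)
        if inside is None:                       # unsolicited packet: dropped (the worm case)
            return None
        # Symmetric NAT: a mapping only admits the destination it was created for.
        if self.symmetric and self.mappings.get((inside, src)) != ext_port:
            return None
        return inside


SERVER = ("203.0.113.10", 3478)   # constructed "introduction"/relay server on the public Internet


def hole_punch(nat_a, host_a, nat_b, host_b, server=SERVER):
    """UDP hole punching: the server only tells each peer the other's public
    endpoint; the peers then send to each other directly."""
    pub_a = nat_a.outbound(host_a, server)
    pub_b = nat_b.outbound(host_b, server)
    # Each peer sends to the endpoint the server reported, opening its own hole.
    seen_from_a = nat_a.outbound(host_a, pub_b)
    seen_from_b = nat_b.outbound(host_b, pub_a)
    # Does the other side's packet get through that hole?
    a_reached = nat_a.inbound(pub_a[1], seen_from_b) == host_a
    b_reached = nat_b.inbound(pub_b[1], seen_from_a) == host_b
    return a_reached and b_reached


def relay_session(nat_a, host_a, nat_b, host_b, relay=SERVER):
    """Fallback for the symmetric case: a public packet reflector both peers
    talk to, so each NAT already holds a mapping for the relay's endpoint."""
    pub_a = nat_a.outbound(host_a, relay)
    pub_b = nat_b.outbound(host_b, relay)
    return (nat_a.inbound(pub_a[1], relay) == host_a
            and nat_b.inbound(pub_b[1], relay) == host_b)


def office_nat():
    """Servers behind NAT reached by static port forwarding, one host per port."""
    nat = Nat("198.51.100.1")
    nat.forward_port(80, ("10.0.0.2", 80))    # web
    nat.forward_port(25, ("10.0.0.3", 25))    # mail
    return nat


if __name__ == "__main__":
    a, b = ("192.0.2.10", 5000), ("192.0.2.20", 5000)
    print("cone/cone punch:", hole_punch(Nat("203.0.113.1"), a, Nat("203.0.113.2"), b))
    print("symmetric/cone punch:", hole_punch(Nat("203.0.113.1", True), a, Nat("203.0.113.2"), b))
    print("symmetric/symmetric relay:", relay_session(Nat("203.0.113.1", True), a, Nat("203.0.113.2", True), b))
```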
    
    
    
    
    
    
    
    -------- Original Message --------
    Subject: Re: "The lights are going out all over the Internet"
    Date: Mon, 22 Mar 2004 14:55:31 -0600
    From: Mike Schneider <mike1@private>
    To: Declan McCullagh <declan@private>, politech@private
    References: <405F2F9E.9020901@private>
    
    
    (I posted the author's piece in another group, and saw the following
    response. -- Mike.)
    
    
    To: <Individual-Sovereignty@private>
    From: "Scott Jordan" <scott_c_jordan@private>
    Date: Mon, 22 Mar 2004 11:41:53 -0800
    Subject: RE: [I-S] "The lights are going out all over the Internet"
    Reply-To: Individual-Sovereignty@private
    
    "While the user can contact and freely exchange packets with sites not
    behind NAT boxes, he cannot be reached by connections which originate
    at other sites. In economic terms, the NATted user has become a
    consumer of services provided by a higher-ranking class of sites,
    producers or publishers, not subject to NAT. There are powerful forces,
    including government, large media organisations, and music publishers who
    think this situation is just
    fine. In essence, every time a user--they love the word
    "consumer"--goes behind a NAT box, a site which was formerly a peer
    to their own sites goes dark, no longer accessible to others on the
    Internet, while their privileged sites remain. The lights are going
    out all over the Internet."
    
    
    Loon.
    
    He ignores the fundamental animating notion of the Internet, which is a
    "network of networks".  It was never meant to be a peer-to-peer thing.
    
    Besides, it is almost trivially simple to poke a hole in any NAT-based
    router for specific purposes.  This does not necessitate "exploitation" of
    "bugs" but rather the utilization of the DMZ and port-forwarding features of
    virtually all routers.
    
    He also ignores a sincerely beneficial utility of NAT-based routers, which
    is to serve as a cloaking device for the PCs behind them.  That is
    emphatically *not* in the best interests of the shadowy forces he lists
    towards the end, nor for hackers.  The broad popularity of NAT-based routers
    also represents a significant evolutionary step for individuals' use of the
    Internet.  Now entire families and groups can share broadband, formerly a
    luxury afforded to only a privileged few.  The necessary technology--NAT--is
    available for less than $35 at any computer store, even in wireless form
    (cf. my Belkin 802.11b wireless router with four-port hard-wired 10/100
    switching router).  Seven years ago a NAT-based router cost over
    $20,000--and forget about wireless--meaning individuals and groups had to
    deal with dialup.  A 1997 PC World magazine I nabbed the other day features
    a review which debates the merits of 33k vs 56k modems!
    
    There are many other, more legitimate reasons to opine that "lights are
    going off all over the Internet", such as lack of venture funding [gasp!
    capitalism!] and copyright enforcement by music vendors [ditto] and the
    metastization of spam [which has resulted in ISPs blocking email servers
    sited on home DSL lines], but NAT isn't one of 'em.  It may have posed
    obstacles to "Speaking Freely"'s antique technology, however.
    
    The guy needs some cheese and crackers with his whine.
    
    --S.
    
    
    Mike.
    
    
    
    
    -------- Original Message --------
    Subject: RE: [Politech] John Walker on NAT and "lights going out across the Internet"
    Date: Mon, 22 Mar 2004 14:15:31 -0800
    From: Ilya Haykinson
    To: 'Declan McCullagh' <declan@private>
    
    Declan,
    
    [please remove email address if you forward]
    
    In my opinion, the problem is easily solved with firewalls / NAT devices
    that support UPnP -- which provides for applications on PCs behind firewalls
    to ask the NAT to open up a particular port.
    
    If Speak Freely wants to allow peer-to-peer connections, it should use UPnP
    (which is a standard and has been in many if not most popular broadband
    routers for at least a year now) to make sure that it can communicate.
    
    I think it's a little bit silly to try to find a sinister plot or a problem
    of epic proportions in the world getting NAT'ed when a solution is available
    and allows the best of both worlds: firewall protection without destroying
    the interconnectedness of the network.
    
    -ilya haykinson
    
    
    -------- Original Message --------
    Subject: Re: [Politech] John Walker on NAT and "lights going out across the Internet"
    Date: Mon, 22 Mar 2004 13:20:41 -0800
    From: Tim Pozar <pozar@private>
    To: Declan McCullagh <declan@private>
    CC: politech@private
    References: <405F2A71.7060102@private>
    
    On Mon, Mar 22, 2004 at 01:03:29PM -0500, Declan McCullagh wrote:
     > [I missed this the first time around. The topic is Speak Freely, but the
     > implications of John's essay are far broader. It's worth a read. --Declan]
    
    A much more thorough treatment of how the Internet is losing its
    ability to support democratic (aka. P2P, etc.) communication is
    John's essay called "The Digital Imprimatur" at:
    
    	http://www.fourmilab.ch/documents/digital-imprimatur/
    
    He outlines what many of us have been concerned about for more than
    a decade now; The Internet will be, or is now, just a pipe for major
    content providers to push their product.
    
    Tim
    --
    
    How big brother and big media can put the Internet genie back in
    the bottle.
    
    by John Walker
    September 13th, 2003
    Revision 4 -- November 4th, 2003
    
         imprimatur 1. The formula (=`let it be printed'), signed by an
         official licenser of the press, authorizing the printing of a
         book; hence as sb. an official license to print.
    
         The Oxford English Dictionary (2nd. ed.)
    
    Introduction
    
    Over the last two years I have become deeply and increasingly
    pessimistic about the future of liberty and freedom of speech,
    particularly in regard to the Internet. This is a complete reversal
    of the almost unbounded optimism I felt during the 1994-1999 period
    when public access to the Internet burgeoned and innovative new
    forms of communication appeared in rapid succession. In that epoch
    I was firmly convinced that universal access to the Internet would
    provide a countervailing force against the centralisation and
    concentration in government and the mass media which act to constrain
    freedom of expression and unrestricted access to information.
    Further, the Internet, properly used, could actually roll back
    government and corporate encroachment on individual freedom by
    allowing information to flow past the barriers erected by totalitarian
    or authoritarian governments and around the gatekeepers of the
    mainstream media.
    
    So convinced was I of the potential of the Internet as a means of
    global unregulated person-to-person communication that I spent the
    better part of three years developing Speak Freely for Unix and
    Windows, a free (public domain) Internet telephone with military-grade
    encryption. Why did I do it? Because I believed that a world in
    which anybody with Internet access could talk to anybody else so
    equipped in total privacy and at a fraction of the cost of a telephone
    call would be a better place to live than a world without such
    communication.
    
    Computers and the Internet, like all technologies, are a double-edged
    sword: whether they improve or degrade the human condition depends
    on who controls them and how they're used. A large majority of
    computer-related science fiction from the 1950's through the dawn
    of the personal computer in the 1970's focused on the potential for
    centralised computer-administered societies to manifest forms of
    tyranny worse than any in human history, and the risk that computers
    and centralised databases, adopted with the best of intentions,
    might inadvertently lead to the emergence of just such a dystopia.
    
    The advent of the personal computer turned these dark scenarios
    inside-out. With the relentless progression of Moore's Law doubling
    the power of computers at constant cost every two years or so, in
    a matter of a few years the vast majority of the computer power on
    Earth was in the hands of individuals. Indeed, the large organisations
    which previously had a near monopoly on computers often found
    themselves using antiquated equipment inferior in performance to
    systems used by teenagers to play games. In less than five years,
    computers became as decentralised as television sets.
    
    But there's a big difference between a computer and a television
    set--the television can receive only what broadcasters choose to
    air, but the computer can be used to create content--programs,
    documents, images--media of any kind, which can be exchanged (once
    issues of file compatibility are sorted out, perhaps sometime in
    the next fifty centuries) with any other computer user, anywhere.
    
    Personal computers, originally isolated, almost immediately began
    to self-organise into means of communication as well as computation--indeed
    it is the former, rather than the latter, which is their principal
    destiny. Online services such as CompuServe and GEnie provided
    archives of files, access to data, and discussion fora where personal
    computer users with a subscription and modem could meet, communicate,
    and exchange files. Computer bulletin board systems, FidoNet, and
    UUCP/USENET store and forward mail and news systems decentralised
    communication among personal computer users, culminating in the
    explosive growth of individual Internet access in the latter part
    of the 1990's.
    
    Finally the dream had become reality. Individuals, all over the
    globe, were empowered to create and exchange information of all
    kinds, spontaneously form virtual communities, and do so in a totally
    decentralised manner, free of any kind of restrictions or regulations
    (other than already-defined criminal activity, which is governed
    by the same laws whether committed with or without the aid of a
    computer). Indeed, the very design of the Internet seemed technologically
    proof against attempts to put the genie back in the bottle. "The
    Internet treats censorship like damage and routes around it." (This
    observation is variously attributed to John Gilmore and John Nagle;
    I don't want to get into that debate here.) Certainly, authoritarian
    societies fearful of losing control over information reaching their
    populations could restrict or attempt to filter Internet access,
    but in doing so they would render themselves less competitive against
    open societies with unrestricted access to all the world's knowledge.
    In any case, the Internet, like banned books, videos, and satellite
    dishes, has a way of seeping into even the most repressive societies,
    at least at the top.
    
    Without any doubt this explosive technological and social phenomenon
    discomfited many institutions who quite correctly saw it as reducing
    their existing control over the flow of information and the means
    of interaction among people. Suddenly freedom of the press wasn't
    just something which applied to those who owned one, but was now
    near-universal: media and messages which previously could be diffused
    only to a limited audience at great difficulty and expense could
    now be made available around the world at almost no cost, bypassing
    not only the mass media but also crossing borders without customs,
    censorship, or regulation.
    
    To be sure, there were attempts by "the people in charge" to recover
    some of the authority they had so suddenly lost: attempts to restrict
    the distribution and/or use of encryption, key escrow and the Clipper
    chip fiasco, content regulation such as the Computer Decency Act,
    and the successful legal assault on Napster, but most of these
    initiatives either failed or proved ineffective because the Internet
    "routed around them"--found other means of accomplishing the same
    thing. Finally, the emergence of viable international OpenSource
    alternatives to commercial software seemed to guarantee that control
    over computers and Internet was beyond the reach of any government
    or software vendor--any attempt to mandate restrictions in commercial
    software would only make OpenSource alternatives more compelling
    and accelerate their general adoption.
    
    This is how I saw things at the euphoric peak of my recent optimism.
    Like the transition between expansion and contraction in a universe
    with Ω greater than 1, evidence that the Big Bang was turning the
    corner toward a Big Crunch was slow to develop, but increasingly
    compelling as events played out. Earlier I believed there was no
    way to put the Internet genie back into the bottle. In this document
    I will provide a road map of precisely how I believe that could be
    done, potentially setting the stage for an authoritarian political
    and intellectual dark age global in scope and self-perpetuating, a
    disempowerment of the individual which extinguishes the very
    innovation and diversity of thought which have brought down so many
    tyrannies in the past.
    
    [...]
    
    
    
    
    
    _______________________________________________
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)
    



    This archive was generated by hypermail 2b30 : Mon Mar 22 2004 - 23:38:29 PST