RE: [jim@cyberjunkees.com: Re: FW: Worm probes]
:: However, I firmly believe that if you are connected to a network outside your administrative control, you should treat it as a hostile environment, and protect your network (the network under your administrative control) accordingly.
Sure, that's what anyone does, after five minutes of exposure to the Wild and Woolly Internet. ;-)
The issue that I'm trying to raise is that even though my network is locked down tight, I'm still being bombarded by traffic that I don't want, and which terminates at my router, even though I reject/drop that traffic. So, I pay for that traffic.
I think it would be a great PR move for ISPs to help their customers, who obviously don't have control over the upstream network, to ditch unwanted/hostile traffic further upstream.
In the light of SirCam, Code Red Mk I and II, NIMDA, etc, it's becoming downright dangerous for your financial health to operate a Jetstream connection. A firewall and antivirus will only keep the local network clean; they can't do anything about incoming traffic.
-- Juha
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Juha Saarinen wrote:
[...] The issue that I'm trying to raise is that even though my network is locked down tight, I'm still being bombarded by traffic that I don't want, and which terminates at my router, even though I reject/drop that traffic. So, I pay for that traffic.
<metatopic> ...then it would be in your best interest to point out, to your national telco/government, the extreme flaws inherent in attempting to tariff internet traffic... </metatopic>
I think it would be a great PR move for ISPs to help their customers, who obviously don't have control over the upstream network, to ditch unwanted/hostile traffic further upstream.
Just be glad you don't have to live with the American solution to this problem: filtering all web traffic for lightweight DSL and cable users. The message to their users? If you want a real internet connection, colocate. I'm sure Jetstream wouldn't mind adapting this idea to their own service (and I would be quick to call traffic tariffs into question, again, the minute they did this).
[caustic sarcasm on] You don't really expect Jetstream to pay any technical attention to this obviously transient problem affecting only a very small minority of overly vocal users, do you? I mean that's *exactly* why PPPoE/A realms-based authentication is there in the first place. If you don't turn your DSL router off when you're finished surfing, that's your problem, buddy. Read your Telecom/Jetstream contract carefully... it's all in there. [caustic sarcasm off]
The real solution is to ditch tariffed DSL connections or move to stateful billing, where only customer initiated data traffic is tariffed (...and, off the top of my head, I don't know of any such billing system).
Just remember this bit of economics: ISPs oversubscribe their bandwidth, which they may or may not pay a flat rate for, and it is in everyone's best interest (at least under the Telecom regime) to simply pass the traffic and bill you. So, while such a service might be good PR, it's bad business. Besides, most ISPs would probably rather have you colocate (so they aren't robbed of bandwidth revenue which they are forced to pass on to Telecom once the traffic is put on the DSL network... and telcos claim traffic tariffs are about recouping international bandwidth costs!) and sell follow-on security services (and that's what this proposed feature really is).
At 02:13 PM 19/09/01 +1000, cfb wrote:
................ or move to stateful billing, where only customer initiated data traffic is tariffed (...and, off the top of my head, I don't know of any such billing system).
Uh, I don't see this happening in a hurry. (Or ever) Can you say free Webservers, etc being hosted by Jetstream users ? :)
Besides, some protocols like FTP (in PORT mode) initiate the data connection from the _server_ end to the client even though the initial connection and request of the file has come from the client. So "customer initiated data" is a meaningless concept.
Regards, Simon
That's why passive FTP is used instead. Active FTP won't work in most networks now. NAT is done at the border firewall/router.
Besides, some protocols like FTP (in PORT mode) initiate the data connection from the _server_ end to the client even though the initial connection and request of the file has come from the client. So "customer initiated data" is a meaningless concept.
Regards, Simon
With the more active (excuse the pun) NAT devices out there, they can watch for PORT commands in the packet stream and open up the port incoming from the server back to the client.
One of the problems with two stateless firewalls and passive FTP is that it won't work. One of the firewalls has to allow an incoming connection in whatever scenario. With active FTP though, you can filter based on the source port of the return packets (20) on the client firewall. Not the best, but still one better than the passive where you've got an arbitrary port on both the server and client.
Cheers, Chris
Gordon Smith wrote:
That's why passive FTP is used instead. Active FTP won't work in most networks now. NAT is done at the border firewall/router.
Besides, some protocols like FTP (in PORT mode) initiate the data connection from the _server_ end to the client even though the initial connection and request of the file has come from the client. So "customer initiated data" is a meaningless concept.
Regards, Simon
"Chris Hellberg"
With the more active (excuse the pun) NAT devices out there, they can watch for PORT commands in the packet stream and open up the port incoming from the server back to the client.
Actually, how to watch for the FTP PORT command is part of the original NAT RFC, 1631. Any NAT implementation that doesn't (at least as an option) is beneath contempt.
And while PORT commands are generally handled correctly, PASV responses often aren't, so an FTP server behind a NAT may require clients to use active FTP.
Another reason why FTP *must* *die*. <snarl>
-- don
On Thu, 20 Sep 2001, Don Stokes wrote:
Actually, how to watch for the FTP PORT command is part of the original NAT RFC, 1631. Any NAT implementation that doesn't (at least as an option) is beneath contempt.
And while PORT commands are generally handled correctly, PASV responses often aren't, so an FTP server behind a NAT may require clients to use active FTP.
Another reason why FTP *must* *die*. <snarl>
Oh, no! Don and I agree! I'm quite happy to see FTP die too but I'd have to say I'd quite like to see NAT share the same fate. It's an ugly hack that only gained a toehold because we have an address space problem on IPv4.
The right thing to do is fix the address space limitation! You all know the answer.
On Thu, 20 Sep 2001, Andy Linton wrote:
The right thing to do is fix the address space limitation! You all know the answer.
Kill all the users?
--- Matt Camp
:: The right thing to do is fix the address space limitation! You all know the answer.
Yes... get rid of this IP crap and go back to FIDOnet.
-- Juha
Ack! IPv6 :-( RFC 2428 does mention a new port extension for FTP, EPSV ALL, for IPv6 & NAT
-----Original Message----- From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Andy Linton Sent: Thursday, 20 September 2001 13:36 To: Don Stokes Cc: Nznog Subject: Re: [jim(a)cyberjunkees.com: Re: FW: Worm probes]
On Thu, 20 Sep 2001, Don Stokes wrote:
Actually, how to watch for the FTP PORT command is part of the original NAT RFC, 1631. Any NAT implementation that doesn't (at least as an option) is beneath contempt.
And while PORT commands are generally handled correctly, PASV responses often aren't, so an FTP server behind a NAT may require clients to use active FTP.
Another reason why FTP *must* *die*. <snarl>
Oh, no! Don and I agree! I'm quite happy to see FTP die too but I'd have to say I'd quite like to see NAT share the same fate. It's an ugly hack that only gained a toehold because we have an address space problem on IPv4.
The right thing to do is fix the address space limitation! You all know the answer.
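The behaviour discussed above, as an added example that is not code from this thread or from any NAT product: a minimal FTP "protocol helper" of the kind Chris and Don describe, which watches the control channel for PORT commands and PASV replies, plus the EPSV reply from RFC 2428 mentioned just above. It also makes Simon's point concrete: in active (PORT) mode the data connection is opened by the server, so the `initiator` field is the only honest answer to "who initiated this traffic". The function names, the `DataChannel` record and the rule strings are my own; the refusal of PORT commands naming a third-party address or a privileged port follows the RFC 2577 recommendation; all addresses and control lines are constructed from RFC 5737 test ranges.

```python
"""
Minimal FTP "protocol helper" of the kind a stateful NAT or firewall runs on the
FTP control channel: it reads one control-channel line at a time and reports
which data connection to expect, which side opens it, and what a NAT must
rewrite.  Added example, not code from the thread or from any NAT product;
every address and control line below is constructed (RFC 5737 test ranges).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Client -> server, active mode (RFC 959): PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Server -> client, passive mode (RFC 959): 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server -> client, extended passive (RFC 2428): 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str                # "active" or "passive"
    initiator: str           # "server" or "client": the side that opens the TCP connection
    src_port: Optional[int]  # 20 in active mode; unknown (ephemeral) in passive mode
    dst: Tuple[str, int]     # address and port the data connection is made to


def _hostport(h1, h2, h3, h4, p1, p2) -> Tuple[str, int]:
    """Decode the comma-separated h1,h2,h3,h4,p1,p2 form used by PORT and 227."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def parse_control_line(line: str, client_addr: str, server_addr: str) -> Optional[DataChannel]:
    """Return the data channel this control-channel line sets up, or None.

    client_addr/server_addr are the control-connection endpoints as the
    firewall sees them.  Raises ValueError for a PORT command the helper
    should refuse rather than open a hole for.
    """
    m = PORT_RE.match(line)
    if m:
        addr, port = _hostport(*m.groups())
        # RFC 2577 hardening: only honour PORT to the client's own address and
        # to an unprivileged port; anything else is not a normal transfer.
        if addr != client_addr or port < 1024:
            raise ValueError(f"refusing PORT to {addr}:{port}")
        return DataChannel("active", "server", 20, (addr, port))
    m = PASV_RE.match(line)
    if m:
        return DataChannel("passive", "client", None, _hostport(*m.groups()))
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries only a port: the client connects to the control-channel
        # address, so there is no embedded address for a NAT to get wrong.
        return DataChannel("passive", "client", None, (server_addr, int(m.group(1))))
    return None


def firewall_rule(ch: DataChannel, server_addr: str) -> str:
    """The single hole a client-side filter needs for this transfer.  Active mode
    lets it pin the source port to 20; passive mode leaves both ports arbitrary."""
    host, port = ch.dst
    if ch.mode == "active":
        return f"allow in tcp from {server_addr}:20 to {host}:{port}"
    return f"allow out tcp from any to {host}:{port}"


def rewrite_pasv_reply(line: str, server_private: str, nat_public: str) -> str:
    """What a NAT in front of an FTP *server* must do to a 227 reply: replace the
    server's private address with the public one.  Skipping this step is exactly
    what leaves clients unable to use passive mode against a NATed server."""
    m = PASV_RE.match(line)
    if not m:
        return line
    addr, port = _hostport(*m.groups())
    if addr != server_private:
        return line
    fields = nat_public.split(".") + [str(port // 256), str(port % 256)]
    return f"227 Entering Passive Mode ({','.join(fields)})" + line[m.end():]


if __name__ == "__main__":
    CLIENT, SERVER = "192.0.2.10", "198.51.100.5"        # constructed endpoints
    session = [                                          # constructed control lines
        "PORT 192,0,2,10,19,137",                        # client listens on 5001
        "227 Entering Passive Mode (198,51,100,5,195,80).",  # server listens on 50000
        "229 Entering Extended Passive Mode (|||50001|)",
    ]
    for raw in session:
        ch = parse_control_line(raw, CLIENT, SERVER)
        print(f"{raw:50} -> {ch.mode} data connection opened by the {ch.initiator}; "
              f"{firewall_rule(ch, SERVER)}")
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,5,195,80).", "10.0.0.5", "203.0.113.9"))
```

A real helper would also track the TCP state of the control connection and add the port mapping on the NAT when it rewrites a 227 reply; this version only shows the parsing and the decision, which is the part the thread argues about.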
On Thu, Sep 20, 2001 at 01:35:36PM +1200, Andy Linton wrote:
Oh, no! Don and I agree! I'm quite happy to see FTP die too but I'd have to say I'd quite like to see NAT share the same fate. It's an ugly hack that only gained a toehold because we have an address space problem on IPv4.
The right thing to do is fix the address space limitation! You all know the answer.
No matter what the downfalls of FTP are - it would be a huge feat to get rid of it. NAT on the other hand is something that I think can be addressed, and people would flock to whatever solution you had that DID work properly.
Dean
Absolutely. NAT makes encryption a nightmare... IP6? Retrieval of more class B's that were handed out to companies early on would be beneficial. I believe that APNIC is working their way through that... Forget getting rid of FTP... IRC should be first :-)
No matter what the downfalls of FTP are - it would be a huge feat to get rid of it. NAT on the other hand is something that I think can be addressed, and people would flock to whatever solution you had that DID work properly.
Forget getting rid of FTP... IRC should be first :-)
Heathen!!! Don't you realise that IRC is an important information gathering tool. IRC indeed... sheesh.
[to all those prospective employers] No, I don't idle on IRC all day. Honest. Really.
[to Matt Camp] For some stupid reason, the "authorities" (whoever they are) believe that killing is a bad thing, mkay. However there are times when I totally agree with you. The main problem I have is Windows. Now I'm sure there is no such law about killing anything to do with Windows.
Gavin Grieve
Computer Technician type person
On Thu, Sep 20, 2001 at 01:19:57PM +1200, Don Stokes wrote:
Another reason why FTP *must* *die*. <snarl>
-- don
Pfft - good luck on that fight.
At 12:40 PM 20/09/01 +1200, Gordon Smith wrote:
That's why passive FTP is used instead. Active FTP won't work in most networks now. NAT is done at the border firewall/router.
Since when does Active FTP not work in most networks ? News to me :)
Why would a user want their ISP's border router deciding that they can no longer use PORT mode FTP ? (Or any other arbitrary restriction)
No thanks.
Regards, Simon
Besides, some protocols like FTP (in PORT mode) initiate the data connection from the _server_ end to the client even though the initial connection and request of the file has come from the client. So "customer initiated data" is a meaningless concept.
Regards, Simon
How many commercial customers do you have that are given a real world address for every host within their network? See RFC3027 for information regarding protocol limitations with NAT.
Since when does Active FTP not work in most networks ? News to me :)
Why would a user want their ISP's border router deciding that they can no longer use PORT mode FTP ? (Or any other arbitrary restriction)
No thanks.
Regards, Simon
At 01:34 PM 20/09/01 +1200, Gordon Smith wrote:
How many commercial customers do you have that are given a real world address for every host within their network?
I don't quite see the relevance of this, considering the original poster was talking about trying to differentiate "user initiated" traffic from unwanted traffic. I pointed out this was impossible with some protocols and cited PORT mode FTP as one example.
See RFC3027 for information regarding protocol limitations with NAT.
Thanks, but I'm well acquainted with the pros and cons of NAT, I've been using it in various forms for years, and I'm quite familiar with the operation of "protocol helpers" like the ones that any NAT device worth its salt has for PORT mode FTP...
Regards, Simon
participants (10): Andy Linton, cfb, Chris Hellberg, Dean Pemberton, Don Stokes, Gavin Grieve, Gordon Smith, Juha Saarinen, Matt Camp, Simon Byrnand