AppleInsider's article "Apple's secret "Back to My Mac" push behind IPv6" is one of those articles that means well, but contains so many glaring errors that even if they had a point to make, I can't even finish reading the silly thing. I'm not going to deconstruct the entire thing, but let's take a look at two of the most glaring issues.
First, the way "Prince McLean" talks about subnet masking, while somewhat correct, is a bit out of date. (Apple doesn't "own" any IP addresses. It has the 17.0.0.0/8 netblock assigned to it. That's a more important distinction than you may think.) McLean talks about "Class A", "Class B", etc., and the problems caused by those classes. That part is correct; the problem is that it's also rather out of date, by about 15 years. In 1993, the IETF came out with RFCs 1518 and 1519, which created what we call "CIDR", or Classless Inter-Domain Routing. It's a mouthful, but here's the gist:
Prior to CIDR, there were 3 basic levels of netblock assignment:
- Class A, which was 16 million addresses. An example of this is Apple's 17.0.0.0/255.0.0.0 netblock.
- Class B, which was 65,536 addresses, such as Microsoft's 207.46.0.0/255.255.0.0 netblock.
- Class C, which was 256 addresses, and the most common. Class C netblocks use a 255.255.255.0 subnet mask.
CIDR dumps the classes in favor of a finer parsing of the subnet mask for address assignment. So the CIDR equivalent of Apple's netblock would be 17.0.0.0/8. This tells me that Apple's netblock starts at 17.0.0.0 and contains 24 bits worth of addresses, which is the same as the old scheme, so what's the benefit? Well, let's say you're an ISP and a client wants to sign on with you. That client has 4 computers that need "real" Internet IP addresses, and the rest of their computers will be handled via NAT, or network address translation. In that case, you'd give them a netblock that had a /30 mask, or 2 bits worth of addresses: 2^2 = 4 addresses.
CIDR allowed IANA, the people who really "own" IP addresses, and the registries that work with IANA, to reclaim a lot of unused IP addresses, which did much to alleviate the IPv4 address space problem. True, you still have to use a contiguous subnet mask, so if our mythical client needed 6 addresses, you'd either have to give them a /29 (8 contiguous addresses) or a /30 and a /31. It's not as fine-grained as we might like it to be, but it's a lot better than the old Class system.
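An added example (mine, not the post's) that works through the arithmetic above with Python's standard ipaddress module: the old classful sizing, mask/prefix conversion, block sizes, and the /30 plus /31 split for six addresses. One caveat the post glosses over: a /30 holds 4 addresses, but only 2 of them can go on hosts, because the first and last of any block are the network and broadcast addresses.

```python
import ipaddress

# Pre-1993 classful scheme: the first octet alone decided the class and so the
# block size (A: /8, B: /16, C: /24). 224 and up (D/E) were never assigned this way.
CLASSFUL = ((range(0, 128), "A", 8), (range(128, 192), "B", 16), (range(192, 224), "C", 24))

def classful_class(address):
    """Return (class, prefix) an address would have had under the old scheme."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    for octets, cls, prefix in CLASSFUL:
        if first_octet in octets:
            return cls, prefix
    return None, None

def contiguous_mask(mask):
    """True for 255.255.255.0, False for 255.0.255.0: CIDR needs a run of 1s then 0s."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    return bits == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    """255.0.0.0 -> 8, i.e. the '/8' in 17.0.0.0/8."""
    if not contiguous_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")

def prefix_to_mask(prefix):
    """30 -> 255.255.255.252"""
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))

def block_size(prefix):
    """Total addresses in a /prefix: 2 ** (32 - prefix), so a /30 has 2**2 = 4."""
    return 2 ** (32 - prefix)

def usable_hosts(prefix):
    """Addresses a host can take. The first (network) and last (broadcast) of a
    block are reserved, so a /30 fits 2 hosts, not 4. /31 is the RFC 3021
    point-to-point exception where both addresses are usable."""
    if prefix >= 31:
        return 2 if prefix == 31 else 1
    return block_size(prefix) - 2

def cidr_allocation(start, count):
    """Cover `count` consecutive addresses from `start` with the fewest CIDR
    blocks: 6 addresses from an aligned start -> a /30 plus a /31."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(int(first) + count - 1)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]
```

Running classful_class("207.46.0.0") shows that 207 sits in the old Class C first-octet range (192 to 223), so a /16 there is a CIDR-era allocation rather than a classful Class B.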
So McLean is a bit behind the times with their riff on netblock assignments.
Where McLean really shows a lack of knowledge about the state of the art in network gear is in the part about NAT. I don't know who told them about NATs, but they left out a lot. For example:
Additionally, each hidden system on the inside needs some way to map the ports it uses to the ports of the outside, public address. If the NAT forwards public port 80 web traffic to one internal machine acting as a web server, it can't also forward traffic on port 80 to another machine. This causes problems for any service that wants to use specific ports, including video conferencing, torrent downloads, media streaming, file transfers, screen sharing, and so on, blocking multiple machines hidden behind NAT from being accessible at once over the same customary port.
Well, if the only way to handle traffic through a NAT were at Layer 3, and all you could use were IP addresses and ports, that would be more or less correct. However, things have come a long way since traffic management only lived at Layer 3.
McLean leaves out quite a few modern tricks, like using DNS to route traffic. Let's say you have three web servers: server1.company.com, server2.company.com, and server3.company.com. All of them work on port 80. If traffic management were stuck back 10-15 years ago, you'd have to have all three servers directly exposed to the internet, so they could have "real" IP addresses. There was no effective way to put them behind a NAT. Nowadays, however, if you have modern gear and your DNS servers/routers/firewalls are set up correctly, you can have a set of rules that say: "If you get an HTTP request for server1.company.com, then route that to internalserver1. If you get an HTTP request for server2.company.com, route that to internalserver2," and so on. You can manage traffic by DNS name, by protocol (so you could have HTTP for server1.company.com go to one box and FTP for server1.company.com go to another), or by other criteria. The networking world has come a long way since the days when all you had was IP address and port.
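The hostname-based rule set described above, as an added example (mine, not code from the post or from any product it mentions). For HTTP the name the client asked for travels in the request's Host header, and that header is what a gateway sitting on one public address keys on to pick the internal box; the rule table, internal addresses and sample requests are constructed.

```python
# Constructed rule table: hostname the client asked for -> internal (RFC 1918)
# server. All three sit behind the same public address on port 80.
HTTP_RULES = {
    "server1.company.com": "10.0.0.11",
    "server2.company.com": "10.0.0.12",
    "server3.company.com": "10.0.0.13",
}

def requested_host(raw_request):
    """Pull the hostname out of an HTTP/1.1 request's Host header.

    Header names are case-insensitive, the value may carry a port (":8080")
    or be a bracketed IPv6 literal, and an HTTP/1.0 request may carry no
    Host header at all, in which case the gateway has nothing but the
    destination address and port to go on and we return None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "host":
            continue
        host = value.strip().lower()
        if host.startswith("["):                 # [2001:db8::1]:8080
            return host[1:host.index("]")]
        return host.split(":", 1)[0]             # drop any :port
    return None

def route_http(raw_request):
    """Pick the internal box for a request arriving on the one public
    address. Unknown or missing hostnames get None rather than a default,
    so a stray DNS name never lands traffic on an unrelated internal server."""
    host = requested_host(raw_request)
    if host is None:
        return None
    return HTTP_RULES.get(host)

# Constructed sample requests, as the gateway would see them on the wire.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHOST: Server2.Company.com:8080\r\nUser-Agent: demo\r\n\r\n"
LEGACY = b"GET /index.html HTTP/1.0\r\n\r\n"           # no Host header at all
```

Per-protocol rules work the same way only where the protocol carries a name: classic FTP sends no hostname on its control connection, so the "FTP for server1.company.com goes elsewhere" rule has to key on the listening port instead.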
This bit:
NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.
That's just a MacMac diatribe, and should be dismissed as the bullshit it is. NAT does not enable a firewall to protect a network. In fact, you don't need NAT at all for a firewall to work. NAT can add a very thin layer of protection to a network, but really, it's just there to make it cheaper and easier to put a lot of machines on the internet. (You try buying a /18 or higher netblock. That shit ain't cheap.) McLean is also rather rigid on their definition of security. If there's no functional or business reason for a machine to have a "real" internet address, then there's no point in giving it one. Putting stuff out on the public internet just because you can is stupid. I can shoot myself in the foot. That doesn't make it a good idea.
This paragraph:
Neither NAT nor an external firewall is really required when a computing system is property secured. The security crisis resulting from putting Microsoft's software, which was only ever originally designed to operate within an "assumed to be secure" LAN environment, on the open Internet has resulted in people thinking that PCs shouldn't be publicly addressable for their own good
That's just fucking ignorant. Just because your box is "properly secured" doesn't mean it should be directly on the internet. Add the standard MacMac screed, and then dump this paragraph in the can as well.
Basically, McLean is kind of ignorant of modern networking. Some other points:
One big feature is security: all IPv6 traffic can be encrypted via a built-in component of the protocol. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything can be encrypted at the network layer in IPv6 using IPSec. This can be automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."
Translation: "I have no fucking clue as to the other uses of encryption and SSL, but because I don't like them, I'll dismiss them as unnecessary thanks to the magic of IPv6." SSL is also used as a way to prove you are who you say you are, and that the other server is who it says it is. That has value far beyond encryption.
Another one:
However, a real barrier to wide adoption of IPv6 lies with the routers everyone uses; if they are unable to accommodate IPv6 traffic, they will prevent users inside from accessing IPv6 traffic outside, even if their OS supports it. Many commercial routers are just now adding support for IPv6, and many consumer routers don't support it at all.
Maybe that Linksys shit McLean uses is "just now adding support for IPv6", but the grownup routers have had it for some time.
This sentence however shows that McLean really has no clue about the world of networking beyond his home Wi-Fi cloud:
Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers.
No, most routers run IOS, aka Cisco's router OS.
In short, this is a bunch of MacMac poofery from a lamer rumors site, and should not be taken seriously on any level. There are just too many instances of the author not having a fucking clue about the modern state of networking to take him seriously. AKA: Don't get your facts from a site that has no use for them.
Comments
Now, to be fair the AppleInsider article was aimed more at the home-user crowd, not the enterprise space. I may deal with such gear all day at work (I'm a hosting technical solution architect at IBM), but the vast majority reading this think "Linksys" when they think router, not Cisco. Likewise, none of them have dealt with load balancing (although to be picky, most stuff I see uses cookies for load balancing, not DNS-based routing - what was the last time you saw ftp13.netscape.com?). Even the bits on Class A, Class B, and Class C are still somewhat relevant, as it does provide history as to why so many addresses have been taken up already. Given the target audience it was oversimplified, but reasonably so.
Now, the one thing here I disagree with you on is NAT. NAT is a horrid, horrid kludge that causes all kinds of misery. Any time you deal with multiple NATs it's a mess, and things tend to break badly (in the consumer space, two people trying to videoconference without UPnP or NAT-PMP; in the enterprise a customer's backend connection being NATed to a hosting address space - but they already NAT internally). I can't begin to describe the pain inflicted by one customer that could not NAT under any circumstances due to their internal network layout (I believe the polite term is "organic growth"). It also screws with firewall rules, load balancing, NIDS, etc, as you expect to see one set of addresses, and suddenly don't.
Anyway. Don't harsh too badly on the guy. It's making a decent effort to educate the masses of why IP6 is needed, and on that count, does a reasonable job.
Posted by: Joshua Ochs | August 19, 2008 6:46 PM
Now, to be fair the AppleInsider article was aimed more at the home-user crowd, not the enterprise space. I may deal with such gear all day at work (I'm a hosting technical solution architect at IBM), but the vast majority reading this think "Linksys" when they think router, not Cisco. Likewise, none of them have dealt with load balancing (although to be picky, most stuff I see uses cookies for load balancing, not DNS-based routing - what was the last time you saw ftp13.netscape.com?). Even the bits on Class A, Class B, and Class C are still somewhat relevant, as it does provide history as to why so many addresses have been taken up already. Given the target audience it was oversimplified, but reasonably so.
Not just no, but hell no. It wasn't oversimplified, he had his facts wrong. IP address & port are not the only way to route traffic behind a NAT. Period. To say or imply so is *wrong*. Not oversimplified, but *incorrect*. It is especially important to be accurate when talking to an audience without expertise in the field, because they are more reliant on the author than someone who knows what's up. This idea that being factually incorrect is okay if you're talking to teh n00bz must be taken out back, shot in the fucking skull, shredded, burnt, buried, and salt sown on the grave.
Now, the one thing here I disagree with you on is NAT. NAT is a horrid, horrid kludge that causes all kinds of misery. Any time you deal with multiple NATs it's a mess, and things tend to break badly (in the consumer space, two people trying to videoconference without UPnP or NAT-PMP; in the enterprise a customer's backend connection being NATed to a hosting address space - but they already NAT internally). I can't begin to describe the pain inflicted by one customer that could not NAT under any circumstances due to their internal network layout (I believe the polite term is "organic growth"). It also screws with firewall rules, load balancing, NIDS, etc, as you expect to see one set of addresses, and suddenly don't.
NAT done badly sucks. NAT done well with competent administration does not suck. Should we reject every technology that can be run badly and cause pain? In that case, turn off your computer and go sit in a field, because everything in computing is horrid when done wrong. It's like the asinine complaints about Exchange. Ten years ago, sure, Exchange was a shitpile. These days, it's the morons running Exchange causing the problems, not the software itself.
Anyway. Don't harsh too badly on the guy. It's making a decent effort to educate the masses of why IP6 is needed, and on that count, does a reasonable job.
He does nothing of the sort. It's an ad for Back To My Mac, and it ignores the IPv6 applications already running on the Mac. It's also yet another "Blame Windows for everything" screed that sites like AppleInsider et al live for. There are a lot of reasons for IPv6, but Back To My Mac is driving nothing. The U.S. Military, Higher Ed, and China are doing a far better job with that than fucking Back to My Mac.
Posted by: John C. Welch | August 19, 2008 7:44 PM
When I found out that "Prince McLean" was Daniel Eran Dilger, everything fell into place.
Posted by: Ian Betteridge | August 21, 2008 2:58 AM
Mr. Welch,
Thanks for showing us your professionalism. Maybe your technical facts are correct, but I'm not listening. It's amazing to me how we have lost our ability to communicate in an emotional manner without using expletives.
Posted by: bob witte | August 22, 2008 3:57 PM
What the fuck, you're whining about profanity? What are you, twelve? Yes, I use profanity. Lots of it. I fucking love profanity. I love to roll in it like Scrooge McFuckingDuck in his money pool.
You know what? If your sole definition of professionalism is the refusal to use profanity on a personal web site, you never had a fucking CLUE about what that word really means. What, you bitch when someone farts in the bathroom?
I also love your reaction: "You didn't talk the way I want the world to talk, so even though your facts are correct, they don't matter. YOU USED A BAD WORD, SO YOU'RE ALWAYS WRONG". What a fucking whiny-assed wussy way to go through life. Here's a clue bob: The world is not going to either act or speak in the way you dictate. Some of us are going to cuss like sailors with a fresh case of drippy-dick, some don't. If you want the world to speak in a manner suitable for high tea with the Queen, then you need to restrict your activities to those situations where you are in fact only ever having high tea with the queen.
No one put a gun at your head and said "READ WELCH'S SHIT! NOW! OR I SHOOT YOUR FUCKING DOG!". Even a slightly casual read of this site would reveal it's a profanity free-for-all, and I'm the profane pied piper of Pejorativetown. So you obviously don't fucking read shit here.
You don't have to like profanity, but telling someone else how to behave in their place? In a completely condescending and rude manner? Yeah...see that large hill behind you? It's the moral high ground you don't have.
Luckily for you, there are other places on the Internet you can go. I suggest you do so, preferably at high speed.
Posted by: John C. Welch | August 22, 2008 4:15 PM
Oh, this will end well.
Bob, what hathest thou done? Not every medium is graced by a spaghetti cat for every little naughty bit.
Come to think of it, what if we replaced every expletive in this article with a lolcat thumbnail? Hilarity will ensue.
Unless you hate lolcats too? Bob, tell me it ain't true!
Posted by: Super Joe | August 22, 2008 4:15 PM
Yeah Bob, why do you hate teh kittehs?
Posted by: John C. Welch | August 22, 2008 4:18 PM
Took me a while to figure out that John Welch is the author of this site. Can't be bothered with an About page?
I nearly dumped on the article starting out with Classes but as John correctly points out, that's long been replaced with CIDR.
Seriously, how does one fuck BackToMyMac? I love my Macs, but can't say I want to fuck them and certainly not over the Net ;-)
So, how exactly does one pierce the NAT "wall" without getting help from the user? Granted, it's nothing like a stateful firewall, but like you point out, it's better than having a fully exposed system when that's not desired.
Posted by: Pecos Bill | August 22, 2008 8:44 PM
