Wildcards in reverse DNS

[Clenna Lumina]

> On Thu, Jan 04, 2007 at 02:24:11PM -0800, Clenna Lumina wrote:
> > Mark Andrews wrote:
> > > For those of you who think NAT's are great try connecting
> > > to a port forwarded service from behind a NAT.  I've yet
> > > to see a NAT box do this right.  The NAT box should be
> > > able to loop the traffic around.  Instead we are forced
> > > to kludge solutions to this in the DNS.
> >
> > No, a *properly* behaving NAT should always allow looping
> > back. If you are running a NAT that doesn't allow this,
> > then it is broken. You cannot put down NAT just because
> > of broken implimentations.
>
> Just show me how to do IPSEC AH via NAT. Or how to connect
> to a service that does RFC1413 ident lookups and actually does
> something with the returned value.

My last company I worked for was running IPSEC (VPN, etc) through their 
(properly) NATed firewall without any problems. Again, this is a 
difference between poor implimentations and the concept your self. 
You're attacking the wrong one here.

> Even trying to have a mail server HELO with the right host
> name, regardless of whether the machine connected to is on the
> internal or an external network, is a challenge if NAT is in
> the game.

I can't say I've ever seen that be a problem behind a NAT. The HELO is 
usually generated by the address of the server the connecitng mail 
server is trying to reach, so if it's generating a bad HELO, then thats 
the fault of the foreign mail server, which is likely not configured 
correctly to begin with.

My personal mail server which sits behind my home NAT, has never faield 
to get a proper HELO from proper foreign hosts.

> > > IPv6 is a significant step forward. It has enough address
> > > space the every home can have it's own network with
> > > global address for each device in the home if they want.
> >
> > Yes, but in order to use it you have to turn your network
> > world as you sse it upside down, and for many it doesn't
> > seem worth all that. I think many are just waiting for a
> > much beter soution.
>
> IPv6 _IS_ this much better solution.

It may be.

Just to clear something up, when I said "turn your network world upside 
down" I mean in the way you think about IP addresses and the like, will 
be radically different. You can't tell me that 
11.22.33.44.55.66.77.88.99.AA.BB.CC.DD.EE.FF.00  is the same as typing 
out  111.222.333.444  , be it in geenral speak or entering into a conf 
file or passing along an IP to a friend for setting up a friendly 
private Quake match.

Can you really tell me you can easily remember an address that long? I 
can remebmer a 4 section IP with out any trouble. Remembering an IPv6 
address might be possible, no doubt, but you'd likely have to known it 
rather well, and have a rather good memory.

It's a whole you way of thinking about TCP/IP that going to be a rough 
adjustment for many and while I DO LIKE the advantages (roomy address 
space, using HEX, etc) of IPv6, I really do wish a solutuion could be 
devised to make such adjustments much more easiler.

> > > There are lots of things you can do when you have a
> > > globally routable IP address that you can't do from
> > > behind a NAT.
> >
> > Name one. With properly configured NAT, I've not had one
> > single problem routing things between various servers,
> > no matter what they run.
>
> Then you have not tried a lot of things.
>
> > > Bring on IPv6.
> >
> > Bring on something better, and more compatible with IPv4,
> > please.
>
> You're trying to be washed without getting wet. IPv4's
> fundamental problem is too small address space. IPv6 is
> simply just IP with longer addresses. And it is very compatible.
>
> This whole thread sounds like you're desperately trying to
> find a problem for _your_ solution because you're afraid to
> learn something new.

I'm not afriad to try it. I *have* tried it already. I find the huge 
addresses to be rather big adjustment for someone who has spent all 
their life looking at 4 eight bit number seperated by periods. I didin't 
say it was impossible, however. Hell, I will probably end up enabling 
IPv6 on my home network to try to get a better feel for it.

I just simply wish they didn't deviate so much in how an IP address 
looks like. Even if that's a cosmetic thing, I don't doubt most people 
are used to 123.123.123.123 and that a 16 section HEX string is no where 
near as elegant or easy to pass around (especially verbally) as you 
could with IPv4 addresses.

While that's far from being the most important factor, I think that it 
does carry *SOME* importantance, as people would have to use them, look 
at them, enter them, etc. Entering 4 three digit numbers is a breeze. 
Entering 16 sets instead just wouldn't be the same, you know :)

Actually a couple years ago, after hearing about IPv4 address slowly 
becoming scarce, I actually sort of invisioned IPv4 being expanded in a 
similar way telephone numbers were introduced into area codes (and 
country codes) to furthur divide things. What I envisioned then was 
anywhere for 1 to 4 extra sections (8 byte IPs.)

When I first saw an IPv6, it immediately looked like over kill. Like I 
said, I will be trying it on my own local network to get a real feel for 
it. On this note, are there any good documents out ther that describe 
what the general conventations are for IPv6 IPs? FOr instance, in IPv4, 
192.168/16, 172.16/12, 10/8, are considered LAN-only IP blocks, 127/8 
being loopback block.