* Posts by Vic

5472 posts • joined 7 Dec 2007

Latest F-35 bang seat* mods will stop them breaking pilots' necks, beams US

Vic
Silver badge

Re: minimum weight

In many countries ex-military craft have the ejector seats removed so a civilian pilot can't eject even if (s)he wanted to (explosives being illegal in a non-military craft, etc).

Yes, but there are also countries where that isn't the case. The UK, for example, permits ex-military aircraft to carry original safety equipment.

There's also the issue that being in the aircraft means that pilots tend to take more care about where it ends up when things go ultimately pear-shaped.

If it's time to eject, that's actually a false premise - the pilot has already lost the ability to decide where the aircraft goes. The problem is that civilian pilots often try to fly through this situation - and invariably make the problem worse.

Indeed there have, but a 1 in 4 chance of permanent disability is still far too high for my liking. There are quite a few pilots who've ejected once and are still in cockpits but very few have ejected twice and been able to resume active duties

I suspect your data might be out of date. I fly with several pilots who have ejected many times - being close to ETPS means that several of my acquaintances are former test pilots. I know no-one who has been rendered disabled by ejection. I know several people who have ejected enough times that your 1-in-4 chance should likely have left them so, so I'm afraid I must disbelieve your statistic.

WRT ejector seats and head clamps: Older ones don't. Newer ones do.

Do you have a citation for that? I've seen quite a few in-cockpit shots of Typhoon, and I've yet to see anything that could accomplish that.

In any case the F35 was never designed as an air-combat/air-superiority machine. That's a job for the F22.

Well the original description released for the F-35 was that it was a cost-down F-22. Given that the F-22 cost $150M each, this might still be true[1] - but it is a far inferior aircraft for that price tag.

The F35 is one of the most expensive clusterfucks the USA has ever engaged on and it's going to fuck their economy

It is - but look at what the UK has committed to buy as well. It's not just the US economy that's buggered...

Vic.

[1] Wikipedia (https://en.wikipedia.org/wiki/Lockheed_Martin_F-35_Lightning_II) reckons the current F-35A costs $98M without engines. Whether this will make it cheaper overall than the F-22 is not a calculation I want to make right now...

0
0
Vic
Silver badge

Re: @Commswonk -- This sounds a bit odd.

Most current aircraft since the 60's/70's have had a "through the canopy" mode such that there is a projection seat over the helmet to allow this.

The Canberra is slightly odd here. The pilot (or pilots if you had a T4) has an ejection seat as you would expect - but so does the navigator. This is interesting because the navigator sits behind the pilot, and does not have a canopy over him.

I've yet to discover whether the overhead panel has an explosive jettison, or whether the guy is just slung through it...

Vic.

0
0
Vic
Silver badge

Re: This sounds a bit odd.

The drogue parachute (the only part of the ejector seat relevant to this discussion) fires after the seat starts descending.

No, that's not true.

The seat is lifted from the airframe either by cannon (old-style seat) or rocket (new style, somewhat easier on the pilot). As it lifts, there are two straps (extendible rod-type things) between the seat and the airframe; as they reach full extension, one triggers the barostat to start the chute deployment sequence, and the other fires a rocket which deploys the drogue chute from the headrest.

A cable from the drogue ends in a shackle which is held in a pincer arrangement at the top of the seat. This allows the seat to be suspended from the drogue alone. Once the barostat finishes, the seat chassis is released from the harness (and falls away), and the pincer is released, allowing the drogue to pull out the main parachute.

Any earlier and the seat would just tangle with the drogue before it opened.

No. The drogue is fired from the seat (and after the seat has already started moving), and is rocket-powered.

The extra lift given by the rocket assist is to get the seat occupant up to parachute height.

Not so. The rocket ejection system is used to spread the total impulse over a longer time period, leading to lower forces acting on the pilot. This makes life easier for the pilot. But the old-style cannon ejectors could get the pilot plenty high enough - just with a risk of damage.

Vic.

0
0
Vic
Silver badge

Re: Is there any other type?

If you are aware of an aircraft which might summarily eject its occupant(s) please give a link. I would be really interested in reading up on it.

The first aircraft I found with command ejection is the F-14. I'm sure there are others...

Vic.

0
0
Vic
Silver badge

Re: Handling the G's

there is a significant maneuverability downside to having an additional half tonne of mass right at the sharp end of the aircraft.

Ejection seats aren't anything like that heavy. You can pick one up on your own quite easily.

Vic.

0
0
Vic
Silver badge

Re: Handling the G's

Which is more important, the fact that they are women or the fact that they are shorter ?

Shorter.

The pressure difference between the heart and the head is a multiple of the density of the blood, the current acceleration, and the height. The first is pretty much constant, the second is the acceleration we're talking about, and the third is down to the dimensions of the pilot.

The brain requires a certain pressure to maintain consciousness; the smaller the distance from the heart, the less pressure that heart is required to develop. Thus smaller pilots are more able to handle high-g situations.

Vic.

0
0
Vic
Silver badge

Re: minimum weight

They probably used a very, very simple fault impervious and time proven system like a burning fuse lit by the initial ejection charge.

They don't. They use a barostat. This contains a clockwork timer and a diaphragm pressure switch. Deployment is delayed until the timer has expired - so that the seat is clear of the airframe - and until the pressure is high enough. If the pressure is too low, then the seat might be too high, or else it is travelling too fast. In either case, it sits under the drogue until it reaches the correct height & speed, and then a clamp is released which allows the drogue chute cable to pull the main parachute out.

It's quite ingenious really.

Vic.

0
0
Vic
Silver badge

Re: minimum weight

I have, enough to know I'd never want to do it unless there's no other choice.

I was reading an article a while back about that way of thinking; apparently, there is a real problem with civilians flying ex-military aircraft in that they really don't want to eject.

A substantial proportion of pilots who eject spend the rest of their careers flying desks thanks to spinal damage.

I think that might have been true for very early seats, but that was a long time ago. There's been lots of development on ejection seats.

The fact that this is related to the mass of the helmet indicates that this is related to the compression forces generated on cervical vertebrae when the eject rocket fires.

It's the pilot's mass that is important. To my mind, that implies it's the deceleration on deployment that causes the problem.

Ejector seats clamp the pilot's head to the seat back during eject specifically to ensure that forces are vertical and to prevent whiplash injuries when the chutes open.

Errr - you sure about that? Because none of the seats I've played with do that...

Vic.

0
0
Vic
Silver badge

Re: minimum weight

But delaying the parachute opening allows the seat to slow down a little??? What laws of physics are in operation here?

The seat has a two-stage parachute system: as the seat leaves the airframe, a rocket is fired from the top which puts a drogue chute out. The main chute is delayed by a fixed time delay and an air pressure switch (the barostat), preventing the chute from deploying if the seat is too high or travelling too fast.

Prior to the main chute being deployed, the drogue slows the descent of the seat. Once the barostat has fired, it then pulls the main chute out.

Also, bodies of different masses fall with the same acceleration. Some old Italian dude is credited with that one. So what difference does the pilot's weight make?

By the time the main chute deploys, the seat frame has been thrown away, and only the pilot's weight remains in the harness. The force exerted by the parachute is going to be pretty much constant for a given descent speed, and the resulting acceleration is given by Newton's second law. The heavier the pilot, the lower the deceleration.

Vic.

0
0

IPv4 apocalypse means we just can't measure the internet any more

Vic
Silver badge

Re: And who told you I want to be measured?

Oh $deity, War and Peace again...

You DID get the "we're out of v4 addresses" memo, right?

I got the "last /8s have been allocated to RIRs" memo. Since then I have acquired quite a few static IPv4 addresses.

I notice you didn't even mention all the protocols that aren't TCP and UDP. Those should work too.

I didn't - because I'm not trying to claim that CGNAT is some sort of panacea, it isn't. But many of the things claimed about it are simply bullshit, which is what I responded to. There's no point in discussing this sort of technology if we're going to base everything on wild claims that are not supported by facts and evidence.

Of course if it wasn't for NAT then they wouldn't have had the ALGs in the first place...

The ALGs only make things worse, not better, so it's a bit of a stretch to make the claim that you have; it would be more appropriate to say that certain manufacturers have made a prize cock-up in their kit. Actually, that's all that needs saying: those ALGs are simply broken software deployed by someone who didn't know how to do the job properly.

That's not a fair comparison. Either include the cost of setting up NAT on v4, because the phones won't work without it, or don't include the cost of setting the firewall up on v6.

OK - fine. Cost of setting up NAT on my network - £0. It was pre-installed. Cost of setting up firewall - I don't know. I've never costed it. But it took effort on my behalf.

So actually - it's a very fair comparison.

Actually, you know, I really can't be arsed to rebut this any further. It's far too late, and I've got better things to do.

Vic.

0
0
Vic
Silver badge

Re: The title is no longer required

Oh well, folks have had NAT on IPv6 since before 2006. Just means no matter what folks say, we already have it.

And that should be the end of it.

With IPv6, no-one should be forced to use NAT. That's a good thing.

But numerous people are trying to *prevent* anyone using NAT. and that's a bad thing.

Give people the freedom to decide for themselves whether or not to NAT, and the progress of IPv6 will be comparatively easy.

But try to enforce dogma that really isn't necessary, and you will get push-back.

Vic.

0
0
Vic
Silver badge

Re: And who told you I want to be measured?

It honestly really isn't (provided you've picked easy to remember addresses;

Really? How do I pick my prefixes, then? Because the ones I've got were allocated to me by my upstream providers, and they're really not very memorable.

No, what makes it safe is that people can't connect to machines on your network without manually permitting the connection. This isn't something you lose by deploying v6.

Yes you do. If the address is routable - as it is with v6 - it will be routed. Thus you have moved from default DENY to default ACCEPT.

Vic.

0
0
Vic
Silver badge

Re: And who told you I want to be measured?

Yeah, I have, and I just tried it again for the sake of argument.

I really doubt that you have.

iptables -t nat -A POSTROUTING --out-interface wan0 -j MASQUERADE

Fine. You've enabled NAT on your outbound connections.

Then I tried the inbound connections again, and... they still worked.

OK - so tell us how you put bogons onto your WAN-side connection.

This is something I could do when I worked for an ISP. It's not something I can do now. I'd be interested to hear how you did it. If you did it.

You should be able to tell that would happen by inspection of the iptables command though.

No you shouldn't, because what you claim depends on bogons being routed by your ISP (which *never* happens unless your ISP is deliberately doing such) *and* it depends on the behaviour of your WAN-side equipment. These are at least two things over which you have little, if any, control.

And again, you're doing an unfair comparison. You're assuming that NAT is already set up on the router but that a firewall won't be.

I have quite a few pieces of equipment that do exactly that - including the one I'm using right now. Are you trying to tell me that they can't exist?

That's like saying that those people couldn't set up NAT because they can't work out a text editor.

Perhaps it is. But as they are already running NAT, that is an entirely specious argument.

Just like the firewall is.

Is it? Because I see a lot of equipment where that is demonstrably untrue - including the router I am using right now[1]. Am I hallucinating, and actually have everything set up, or are you perhaps wrong?

Vic.

[1] a Draytek Vigor 2600v. Which does NAT out of the box, but the firewall is almost entirely blank...

0
0
Vic
Silver badge

Re: And who told you I want to be measured?

On your router, and on Windows. Both of those will block inbound connections on v6 by default.

Not on my router. And I don't have any Windows machines.

But if you're running any services on those machines - e.g. RDP - can you be sure those connections will be blocked? That requires an understanding of the firewall rules - which means additional knowledge over and above what is required to run a NAT router.

Consider what happens if your router gets a packet on its WAN interface with, say, 192.168.1.20 as the destination address. What will it do with it? You can't say the packet has nowhere to go, because it certainly does -- it can go to 192.168.1.20. And that's exactly where it'll go if the router doesn't have a firewall configured to drop the packet.

Have you actually tried this? Because when I did, it was only true for some real shit routers. Now I've not done the experiment for a while, but I actually do doubt your assertion here. And if my ISP is sending bogons, both he and I have got bigger problems.

If you don't believe me, feel free to try it.

I no longer work for an ISP, so I can't.

NAT is no easier or harder to set up than a firewall is.

Of course it is. Plug in router, stuff works. Incoming packets are dropped/rejected until such time as a connection is established, at which time they become accepted.

Now try doing that with a simple firewall - changing the rule from DROP to ACCEPT on the basis of the state of outgoing packets. It's possible, but it's not easy.

If you can't manage one of those then you can't manage the other.

That's simply untrue. There are millions of people in the world doing just fine with NAT. It provides all the protection they seek. Taking that away from them means they have to learn to program a firewall - now you might claim that it's "two rules which you copy/paste from a website", but the vast bulk of these users couldn't even get a text editor to change the correct file. That's the reality of users. And even if you are capable of this, that doesn't mean you are in the majority.

And that's before we go anywhere near whether or not the website has got it right in the first place; the number of times I've seen someone post a "fix" for a problem that ends up being chmod 777 doesn't bear repeating.

The problem with NAT is that actually running a network with NAT is harder than running one without it, because translating addresses mid-flight is an extra layer of unnecessary complexity to deal with.

It isn't harder, as you can tell by the number of people doing it without even knowing that they are. And if you're doing anything about that translation, you either work for a network appliance vendor or you're doing it wrong.

I run networks that don't use any NAT at all and I still have to deal with NAT (when I help other people or when I write -- or use -- software that's affected by it).

I run networks that do use NAT, and I don't have to deal with it - it just works. If I'm writing software that has to deal with NAT, I just use STUN to cope with it. Stuntman, for example, gives you everything you need.

Vic.

3
0
Vic
Silver badge

Re: How much is an IPv4 address worth

how about because most large ISPs are run by complete sh**s

Fair point.

Given that some ISPs will not give a static IPv4 address, and others will only do it if you pay extra for a business connection AND also charge you extra rent for the address - I see no reason they won't do exactly the same with IPv6.

Given the scarcity of IPv4 addresses, there are *some* grounds for this - although I agree that many ISPs just gouge such customers because they can. But with IPv6, it actually requires more effort on their behalf to allocate dynamically than to do so statically.

Needless to say, I'm with an ISP that costs more, but doesn't do this sort of stuff.

Likewise. AAISP have done a fantastic job for me...

Vic.

0
0
Vic
Silver badge

Re: NAT and firewalling and stuff

Guess why many PC games DO support it?

Well if they do support it, then there's no problem. NAT won't get in the way.

Not AN internet. THE Internet (proper noun)

The Internet is one instance of an internet, and follows all the same principles. That's like saying "THE Cat (proper noun)" when someone has described the features of a cat.

yes that was one of the basic goals: to be able to connect anyone to anyone

Perhaps you'd like to provide a reference for that statement, since it's never been true to my recollection.

Oh? What about carrier-grade NAT? That's definitely NOT the user's choice and prevents the user from choosing to be visible because it's hard to STUN or otherwise route through a carrier-grade NAT, and doubly so if BOTH ends are NAT-ed.

What about carrier-grade NAT? It's trivial to STUN through it. I've done it regularly. And both ends are frequently NATted when you're using STUN. This is an everyday occurrence. Your objection makes as much sense as someone saying "Oh? And what about if someone's using 110V to power their PC?"; it's a total irrelevance.

Vic.

1
0
Vic
Silver badge

Re: And who told you I want to be measured?

I could easily rephrase this to "the majority of people want to be capable of accepting inbound connections in at least some circumstances", and for that we're going to need v6. v4 just isn't going to cut it.

This is simply incorrect. Incoming TCP connections might need some assistance in the event of CGNAT, but UDP doesn't. And if you're looking for the sort of isochronous connections that end-users might generally want - games, VoIP, that sort of thing - then UDP is going to be what you're after. If you want to set up web or mail servers, CGNAT probably isn't for you. But how many of us want to run web or mail servers and don't know how to work around CGNAT?

Behind CGNAT? If not then I suspect that'll be a nasty surprise for you when it happens.

Effectively, yes. My second tier of NAT - which I put in place - gives me the same effect. My first tier probably does - but as I didn't build that, I can't actually be certain without a load of work that I cannot be arsed to do.

And yet - it still works.

Indeed - the only time I've had difficulty with such setups is when the router tries to do something clever; a colleague of mine from years ago used to love putting Juniper kit anywhere he could. I soon found that the best way to use this was to turn off every ALG it offered; they were all crap. Running STUN sorted the problem every single time.

Also... I'm doing this too, on v4. I know it's possible. But I'm also doing it on v6, and I can tell you that it's just easier on v6.

Well, I can install SIP phones on an IPv4 network without a firewall, and they just work. If I install them on an IPv6 network, I must have a firewall to prevent the administration interfaces being visible to the Internet at large. I fail to see how this is "easier".

NAT doesn't seem hard until you get rid of it, and suddenly you realize how much of a pain it really was.

I can't agree with you. I run NAT on my IPv4 network, and not on my IPv6 networks. The IPv4 network takes much less thinking about.

And partly because there's no other choice

Nonsense. There are numerous applications that run over IPv4 - there's VoIP that I've already mentioned, or there's BitTorrent, for example. Or any other P2P app - the original Skype? There are choices. They work. Game vendors are not eschewing this technology because it doesn't work, they are preventing it because it doesn't pay.

Do you want it to be _possible_ for a company to release something that isn't trivial to spy on, or not?

That's FUD. The visibility of your data to an attacker is entirely unrelated to the transport mechanism chosen.

Not every company wants all your info (just most), but none of them will have any choice if everybody is behind CGNAT.

No. That's just bollocks. CGNAT does not preclude TLS. Nor, indeed, does it make any difference in either direction to the snoopability of plaintext.

Adding two bytes is exactly as hard as adding 12 bytes.

In protocol terms, yes. In human terms, no. Any time you have to get humans to modify their behaviour in any significant way in order to accommodate a computer, you've almost certainly screwed up.

If you're going to add bytes, you may as well add enough bytes that you don't need to go "whoops, we didn't add enough, we need to go through all that again" later on.

A 64-bit address space with a MAU of /16 would give you individual prefixes for nearly 3x10^14 users, with 65K addresses for each. Given that this planet really can't support 10^10 people, and that no individual is going to be able to maintain 65K devices, that would have been enough until approximately the time we've colonised 10,000 other worlds. I can't see that happening before Christmas, if I'm honest.

Okay, for starters: DNS. It's awesome and it's been around for years now and it makes your life a lot easier; I really suggest you read up on it.

Until it breaks. Some of us make a living fixing stuff like that; having memorable addresses really does make life easier. Holding more than four numbers in memory at any time is actually quite difficult for dyslexics like myself. Now I know this is my problem, but just claiming "DNS makes it go away" entirely ignores the situation where DNS has gone down. And DNS does go down...

For seconds: why did you pick such an awkward v6 address? If you needed to remember this address you should've picked something easier to remember, like 3ffe:1900:4545:3::2 (read that as "address 2 on subnet 3").

For starters, that's all very well if you know the prefix. But the prefix is the bit that will need memorising; most public addresses are likely to be on low subnet/address pairs, but the prefix is going to be utterly unpredictable. For a MAU, it's a 64-bit number with no memorable cues.

So we all know that Google runs a DNS server on 8.8.8.8. But if you want to do that over IPv6, it's on 2001:4860:4860::8888. They've clearly worked hard to get the repetition into that prefix, but that's still not a number I can carry in my head.

[Of forging local network addresses]

I do like to point out that this isn't completely true: your ISP (or anyone who can strongarm them) can connect to you even if you're behind a NATing router, unless you prevent them with a firewall.

It's quite a few years since I worked for an ISP, but when I did, our experiments with forging LAN addresses on the WAN port only got through to the LAN side on a few really shitty routers. I cannot tell you whether or not that is still the case.

You are free to do this to yourself. I accept your right to make your own life more annoying than it needs to be for no real benefit. Just don't force it on anybody else.

That last is the only thing that actually needs saying; there are many people for whom NAT is a really useful thing. With IPv6, no-one is forced to use NAT, but similarly, no-one should be prevented from using it either. If the High Priests would stop telling us we can't use NAT, most of the objections would disappear...

IPv6 does _not_ take this perimeter away.

Yeah, it does unless you do something to replace the perimeter. A NAT router in front of an RFC 1918-based LAN gives you a default DENY configuration. An IPv6 router gives you a default ACCEPT. To get the perimeter afforded by the first, you need to add a stateful firewall, which is another piece of equipment that needs maintenance. This is an increase in complexity, which might well be a show-stopper for those not versed in networking.

This is backwards. NAT is the tricky thing to understand; things are a lot easier without it.

It really isn't. NAT might be tricky to understand if you're trying to program it, but the vast majority of users never do that. They just use it, and it just works. If you want them to use firewalls in addition to what they've done before, that's a bunch of new learning they have to do. Now you and I might not think that a big deal - but for substantially all[1] Internet users, that's a huge amount of work that will never happen.

Note that I'm basing this on actual experience, not fear of the unknown like most other people in this thread.

As am I. I am a networking professional and I run both IPv4 and IPv6. But I also have a fair bit of contact with "home users", for whom the transition to IPv6 without NAT will be a total nightmare. Now I could make quite a bit of cash out of that - but I'd rather see standards working for users, rather than the reverse. That will transition us to IPv6 more rapidly, with fewer catastrophes along the way. And the single biggest thing we need to happen is for IPv6 proponents to stop trying to prevent NAT; it's not going to harm you, no-one is going to force it on you, and it will make many people's lives much easier.

Vic.

[1] I was going to write "the vast majority" or somesuch, but it is so close to "everyone" as to make no difference.

4
1
Vic
Silver badge

Re: And who told you I want to be measured?

And now, hopefully, you see what I mean by "the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make"

No - your statement is simply incorrect. What NAT is doing, per your example, is allowing multiple devices to share a single external address. That's a good thing, and it means that being able to make outgoing connections is orthogonal to the firewall permitting it.

Where the NAT situation scores is that any other connection attempt - i.e. an unsolicited inbound connection - simply has nowhere to go. And that is why NAT is such a nice setup for people who don't know about networking - which is most people.

I have no problem at all with people who want to run IPv6 without NAT. That's just dandy, and will work for everyone who knows what they're doing. I have a real problem with people who want to force everyone not to use NAT; it works perfectly well for IPv6, it provides an easy setup for those that don't know how to maintain a firewall, and it is entirely transparent to everyone else.

Vic.

4
0
Vic
Silver badge

Re: NAT and firewalling and stuff

The NAT records this and maintains the relationship for as long as the connection is open. Once it closes, the relationship is removed. Now, this usually only works for stateful TCP-based connections (UDP doesn't work this way so requires something cleverer to deal with it) and only if the connection is initiated from the inside

STUN passes through NAT very easily. It only requires that both endpoints know about each other and are happy to cooperate. This is a very easy way to get a zero-configuration UDP service set up...

Gamers have one of two options. They can either open ports (solution 2) or use solution 1 to establish a bridge connection to a point outside.

Well, if their games were to want to support it, they could also STUN their way through, just the same as we telephony types do. But that would mean that the gamers wouldn't need the games company's services, and that means a reduction in revenue. Guess why those games don't support it...

the spirit of the Internet is that any connected device should be reachable by any other device if it wishes to

No, I don't think that's true. Any internet is a "network of networks"; the interaction between those networks is at the discretion of the network owners, not the endpoints.

What some are wondering, though, is if the "automatic" shielding can't be achieved simply by offering a firewall with something like a "drop incoming by default, allow outgoing by default" ruleset.

You'd need something a little more complex than that; you'd need to open those incoming ports in response to outgoing operations. Or just run NAT and forget all about it.

We all know that IPv6 doesn't require NAT in the way that IPv4 now does; but the opposition to people using it if they want to is simply irrational. It solves a problem for some people, and doesn't impinge upon anyone else except those that believe they have a right to unfettered access to everyone else's devices.

Vic.

1
0
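STUN is what Vic points to in this post and in the carrier-grade NAT reply further up: the endpoint behind a NAT sends a Binding request, and the server reports the source address and port it actually saw, i.e. the NAT's external mapping. As an added example, not code from the page or from any STUN implementation, here is the client side of that exchange (RFC 5389 header, XOR-MAPPED-ADDRESS decoding, transaction ID check) in Python, run offline: the server's response is constructed in the same script, and the addresses (a phone at 192.168.1.20 behind a NAT whose public side is 203.0.113.7, and a 2001:db8:: host for the IPv6 case) are made-up documentation values.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # pre-RFC 5389 servers answer with this
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 servers answer with this


def build_binding_request(txid=None):
    """Client side: a 20-byte Binding request with no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def _xor_address(family, addr, port, txid):
    """XOR port/address with the magic cookie (plus txid for IPv6); self-inverse."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    key = struct.pack("!I", MAGIC_COOKIE) + (txid if family == socket.AF_INET6 else b"")
    return xport, bytes(a ^ b for a, b in zip(addr, key))


def build_binding_response(txid, public_ip, public_port, xor=True):
    """Server side, constructed here so the exchange runs offline: report the
    source address/port the server saw, which behind NAT is the NAT's external
    mapping rather than the client's private address."""
    family = socket.AF_INET6 if ":" in public_ip else socket.AF_INET
    addr = socket.inet_pton(family, public_ip)
    if xor:
        atype = ATTR_XOR_MAPPED_ADDRESS
        port, addr = _xor_address(family, addr, public_port, txid)
    else:
        atype, port = ATTR_MAPPED_ADDRESS, public_port
    fam_code = 0x02 if family == socket.AF_INET6 else 0x01
    value = struct.pack("!BBH", 0, fam_code, port) + addr
    attr = struct.pack("!HH", atype, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_mapped_address(msg, expected_txid):
    """Client side: check the header, then return (ip, port) as seen by the server.
    A response whose transaction ID does not match our request is rejected."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, txid = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    body = msg[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated attributes")
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue                          # skip attributes we do not understand
        fam_code, port = struct.unpack("!xBH", value[:4])
        family = socket.AF_INET6 if fam_code == 0x02 else socket.AF_INET
        addr = value[4:]
        if len(addr) != (16 if family == socket.AF_INET6 else 4):
            raise ValueError("bad address length")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port, addr = _xor_address(family, addr, port, txid)
        return socket.inet_ntop(family, addr), port
    raise ValueError("no mapped address in response")


def discover_external_endpoint(private_ip, private_port, nat_ip, nat_port):
    """Walk the exchange with constructed addresses: the client sends from
    private_ip:private_port, the NAT rewrites the source to nat_ip:nat_port, and
    the server echoes what it saw. Returns (seen_ip, seen_port, behind_nat)."""
    request, txid = build_binding_request()
    assert len(request) == 20                 # would go out over UDP to the STUN server here
    response = build_binding_response(txid, nat_ip, nat_port)
    seen_ip, seen_port = parse_mapped_address(response, txid)
    return seen_ip, seen_port, (seen_ip, seen_port) != (private_ip, private_port)


if __name__ == "__main__":
    print(discover_external_endpoint("192.168.1.20", 5060, "203.0.113.7", 40001))
```

The NAT mapping the server reports only exists because the outbound request created it, which is why a STUN-aware application needs no port forwarding: the same outbound datagram that learns the mapping also opens it. Checking the transaction ID before trusting the reported address is what stops a stray or spoofed response from redirecting the endpoint.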
Vic
Silver badge

Re: And who told you I want to be measured?

There is no downside to v6

There is no downside to v6 if you understand networking. If you don't, Internet use will become much trickier.

Vic.

3
0
Vic
Silver badge

Re: How much is an IPv4 address worth

you will likely get a dynamic /56.

Why?

IPv6 gives 2^64 MAUs, which is enough for one each for up to 1.8x10^19 people. Each MAU gives you 1.8x10^19 addresses, which is more than I'm likely to need this week.

So the only reason to have more than a /64 is if you're sub-allocating (which most people won't be), and there are more than enough MAUs to have a static allocation.

I would expect the standard allocation to be a static /64; is there reason to suspect something else?

Vic.

0
0
Vic
Silver badge

Re: Genuine query

are there genuine tools (pen test I suppose) that I could use to test that my home setup is secure/insecure, from a WAN perspective?

Go to grc.com, fight your way through the adverts for his other products, and look for "Shields Up". This will scan your WAN address.

Take everything else you find there with a pinch of salt; Steve Gibson is one of those people who knows quite a bit about some things, is massively deluded about others, and it's often hard to tell which is which...

Vic.

0
0
Vic
Silver badge

Re: The mythical NAT router firewall

NAT, router and firewall are three different functions.

Yes.

They're often found in the same box, but they are separate.

Yes.

It isn't NAT that blocks incoming crap. It's the firewall function

No.

It is NAT that provides the first line of defence; if there is no port forwarding defined, then an unsolicited connection simply cannot be forwarded, as the NAT router has no idea what to do with that packet. This is how the vast majority of Internet users have their networks configured.

Firewalls give you a further line of defence - and a more effective one as well. But they require far more knowledge to maintain, and the majority of users simply do not have that knowledge.

Until you acknowledge that it is NAT that is shielding most users and not a firewall, you will not understand the objections raised against you. And nor will you get buy-in from users that don't want to have to learn about firewall configuration just to keep doing what they are currently doing.

Now it's up to you whether or not you want to continue patronising those who disagree with you, but there is an important point here that you simply haven't understood. Where you go with that is entirely up to you.

Vic.

4
0
Vic
Silver badge

Re: And who told you I want to be measured?

NAT is not a security measure

Yes it is.

Millions of users around the world have their ports shielded by a NAT router that does not know how to route unsolicited connection requests. I don't care how many times you tell me it doesn't provide any security - it fucking does. There are better ways of doing the job, but that doesn't mean the technique has no merit.

A standard firewall rules base is more than effective enough on its own, irrespective of the version of IP passing through it.

It is, but only if you have someone capable of maintaining those rules. Without that knowledge, you either have a user largely disconnected from the Internet, or you have a bunch of open ports (perhaps all of them) that should not be so exposed. And the number of people on the Internet who cannot maintain a set of firewall rules is orders of magnitude higher than the number who can.

Removing NAT is also quicker as there is one less layer of translation to have to go through.

Who cares? Dealing with NAT might have been a problem 15 years ago, but it isn't any more. We plug boxes in and they work. That's all that matters.

Vic.

7
2
Vic
Silver badge

Re: I don't want to be measured!

Imagine a version of Skype where the calls go directly to the other party, rather than through a Microsoft server

What, like SIP?

I've been using that for years. My wired phones trivially get through my NAT router to make this work. My wireless phones have to go through two layers of NAT. And yet it just works...

Vic.

4
0
Vic
Silver badge

Re: And who told you I want to be measured?

My understanding is that V6 allows a version of the LAN address to get out as the return address for the connection

Each device will have several addresses - e.g. one for link-local work, and another for Internet connection. The latter is the one that will be seen by external servers.

So the manufacturer can be detected

No. The MAC address is *one way* to form link-local addresses, but it is not mandatory to use that method. And the link-local address does not leave the LAN.

the number of different addresses used from my subnet gives an indication as to how many devices I have

Technically, yes, I suppose. But there's no need for addresses to be allocated sequentially - indeed, for privacy reasons, that's unlikely to be the case. Enumerating your devices is going to be very difficult.

Vic.

0
0
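The point about link-local addresses and manufacturer detection can be made concrete. This is an added example, not code from the original post: it derives the modified EUI-64 interface identifier that embeds a MAC (RFC 4291), shows how the manufacturer OUI can be read back out of any address built that way, and contrasts it with an RFC 4941-style random identifier. The MAC and prefixes are constructed sample values.

```python
import ipaddress
import secrets

LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")   # fe80::/64


def mac_to_modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit interface identifier from a 48-bit MAC (RFC 4291 App. A):
    split the MAC, insert 0xFFFE in the middle, and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02          # U/L bit flipped: 1 now means 'globally unique'
    return bytes(iid)


def address_from_iid(prefix: bytes, iid: bytes) -> str:
    """Join an 8-byte /64 prefix with an interface identifier into a printable address."""
    return str(ipaddress.IPv6Address(prefix + iid))


def interface_id(addr: str) -> bytes:
    """Low 64 bits of an IPv6 address: the interface identifier inside a /64."""
    return ipaddress.IPv6Address(addr).packed[8:]


def oui_from_iid(iid: bytes):
    """If the identifier carries the EUI-64 'fffe' marker, undo the U/L flip and
    return the 24-bit OUI (manufacturer prefix); otherwise return None.
    A random identifier can contain ff:fe by chance (1 in 65536), so a non-None
    result is strong but not conclusive evidence of an embedded MAC."""
    if iid[3:5] != b"\xff\xfe":
        return None
    return f"{iid[0] ^ 0x02:02x}:{iid[1]:02x}:{iid[2]:02x}"


def random_iid() -> bytes:
    """RFC 4941-style temporary identifier: 64 random bits with the U/L bit
    cleared, marking it as locally administered rather than hardware-derived."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                     # constructed sample MAC
    eui = mac_to_modified_eui64(mac)
    print("EUI-64 link-local :", address_from_iid(LINK_LOCAL_PREFIX, eui))
    # The same identifier inside a global address would leak the OUI off the LAN.
    glob = address_from_iid(bytes.fromhex("20010db800010000"), eui)   # 2001:db8:1::/64
    print("recovered OUI     :", oui_from_iid(interface_id(glob)))
    print("random IID OUI    :", oui_from_iid(random_iid()))
```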
Vic
Silver badge

Re: @Novex

my IPv6 address is a /128 one.

The Minimum Allocation Unit for IPv6 is a /64; it's not standard-compliant to allocate any less.

That's probably why you've got no IPv6 on the inside; it's not a valid network configuration.

Vic.

1
0
Vic
Silver badge

Re: And who told you I want to be measured?

Oh good grief. v6 "high priest" here

And therein lies your disconnect with those who disagree with you: you understand the networking concepts. You need to consider the position of those who have no idea what an IP protocol is - neither v4 nor v6. That's most of the Internet users in the world, by a significant margin.

There is absolutely no reason to make things difficult for people who do need inbound connections.

Yes there is. The majority of users do not want inbound connections - or when they do, they want those connections very carefully controlled. At present, with IPv4, they've got that; the default is for connections to be denied, with explicit work required to enable them. Moving to an IPv6 stack without further work reverses that - connections are enabled by default, with work required to disable them. That's not what most users want.

everything _has_ to talk to the cloud because peer-to-peer communication is so difficult on v4 with all the NAT

So the High Priests keep telling me. And yet, here I am, running peer-to-peer communication through at least one layer of NAT (two for my wireless devices). And the only work *I* did to get that working was to set up the second layer of NAT; most users wouldn't want my network topology.

That's why all the IoT stuff ends up bouncing through a server owned by the company.

It isn't. That's partly because it's the zero-configuration option, and partly because it's how the IoT companies monetise their marks.

Most people with v6 see about 30-60% of their traffic go over v6.

That's going to depend on what you're doing. I've seen negligible traffic over IPv6. I might even take it down.

As a side note: ugh Sixxs and their "ban you for anything" attitude

With you on that. Having to earn reputation to get anywhere (so it's some while before you can get an allocation) meant that my first tunnel was through Hurricane (who were much more helpful). Having to trade that reputation to change my tunnel IP address when I changed ISP. And now they won't even offer allocations. Looks like they actually *want* to become irrelevant...

Even when stuff does work, it's because the software author has spent time dealing with NAT-related issues

Not really. Very little of that sort of code is written from scratch any more - there are many code fragments and examples freely available. It's a solved problem.

NAT traversal often involves running a server to bounce through, which costs money to run (which could otherwise be funneled into more development work on the software) and also is a nice easy place to monitor whatever you're doing with the software.

Running a STUN server is a trivial matter; there's hardly any cost involved. And there are many already available at no cost, as it's such a trivial addition to add to an already-running server.

But it's not going to monitor what you're doing because there's no application data in it; all STUN gives you is your external IP address and your NAT type. And that's all you need.

NAT is one of the reasons that games often don't let you run your own dedicated servers any more.

It really isn't. Those servers are the subscription revenue stream for the games company. They represent real money. That's why you can't run your own any more.

This is actually exactly the opposite of what NAT does; it inherently decreases your security, because the entire point of NAT is to let you make outbound connections which you otherwise wouldn't be able to make

That's incorrect. You are perfectly able to make outgoing connections on a non-NATted connection as well; it is the firewall that prevents such outgoing traffic - and setting up a firewall for a NATted IPv4 connection is just the same as for a non-NATted IPv6 connection.

And that's the crux of the problem: moving to IPv6 means that end-users are going to *have* to be able to configure firewalls, or else they default to wide-open. And the vast bulk of the world's Internet users are not capable of that.

Vic.

11
0
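The firewall-versus-NAT crux of the post above, as an added example that is not part of the original thread: a minimal connection-tracking model in Python showing that an IPv4 NAT router and a stateful IPv6 filter make the same inbound decision (forward replies to flows the LAN opened, or explicitly opened ports; drop everything else), alongside what an IPv6 router with no stateful rule does instead. It is a simplified model (no timeouts, no reverse address rewriting), and all addresses and ports are constructed.

```python
class StatefulGateway:
    """Connection-tracking model shared by a NAT router and a stateful firewall.

    Outbound packets create a flow entry; an inbound packet is forwarded only if it
    is the reply to such a flow or hits an explicitly opened port. With wan_addr set
    the gateway also rewrites the source (IPv4 NAT); without it, addresses pass
    through untouched (IPv6). The accept/drop decision is identical in both cases.
    """

    def __init__(self, wan_addr=None, open_ports=None):
        self.wan_addr = wan_addr
        # dport -> (lan_ip, lan_port): a port forward (NAT) or an allow rule (firewall)
        self.open_ports = open_ports or {}
        # (remote_ip, remote_port, local_ip, local_port) -> LAN destination for replies
        self.flows = {}
        self.next_nat_port = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN -> WAN: record the flow and return the source as seen by the remote."""
        if self.wan_addr is not None:           # NAT: hide the LAN address behind a mapped port
            ext_src = (self.wan_addr, self.next_nat_port)
            self.next_nat_port += 1
        else:                                   # IPv6: the global address is already routable
            ext_src = (lan_ip, lan_port)
        self.flows[(remote_ip, remote_port) + ext_src] = (lan_ip, lan_port)
        return ext_src

    def inbound(self, remote_ip, remote_port, dst_ip, dst_port):
        """WAN -> LAN: forward replies and explicitly opened ports, drop the rest."""
        key = (remote_ip, remote_port, dst_ip, dst_port)
        if key in self.flows:
            return ("FORWARD", self.flows[key])
        if dst_port in self.open_ports:
            return ("FORWARD", self.open_ports[dst_port])
        return ("DROP", None)


def unfiltered_inbound(remote_ip, remote_port, dst_ip, dst_port):
    """An IPv6 router with no stateful rule: every inbound packet is simply routed."""
    return ("FORWARD", (dst_ip, dst_port))


if __name__ == "__main__":
    nat = StatefulGateway(wan_addr="203.0.113.7")      # constructed addresses throughout
    v6 = StatefulGateway()
    nat.outbound("192.168.1.20", 51000, "198.51.100.5", 443)
    v6.outbound("2001:db8:1::20", 51000, "2001:db8:9::5", 443)
    print("v4 reply      :", nat.inbound("198.51.100.5", 443, "203.0.113.7", 40000))
    print("v4 unsolicited:", nat.inbound("198.51.100.9", 4444, "203.0.113.7", 22))
    print("v6 reply      :", v6.inbound("2001:db8:9::5", 443, "2001:db8:1::20", 51000))
    print("v6 unsolicited:", v6.inbound("2001:db8:9::9", 4444, "2001:db8:1::20", 22))
    print("v6 no filter  :", unfiltered_inbound("2001:db8:9::9", 4444, "2001:db8:1::20", 22))
```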
Vic
Silver badge

Re: And who told you I want to be measured?

If the industry wants me to adopt IPv6, then give me a translation router that: allows my v4 network to work internally

That's not completely possible, although at present most of it will work.

The IPv4 address space is entirely mapped within the IPv6 space, so you could exchange data with any machine in IPv4 space over an IPv6 connection. But as time goes by, more and more systems will take up residency in IPv6 addresses that simply cannot be mapped into IPv4.

That's quite a way away. Most of the IPv6-only services at present are set up by IPv6 proponents who want to offer differentiated services.

Vic.

0
1

She cannae take it, Captain Kirk! USS Zumwalt breaks down

Vic
Silver badge

Re: Which would win in a fight...

between a Zumwalt and an F-35?

No-score draw?

Vic.

0
0
Vic
Silver badge

Re: OK it looks small to radar

Try getting a field howitzer within 20k of it. Betcha can't.

Time to rebuild M1?

Vic.

1
0

Lethal 4-hour-erection-causing spiders spill out of bunch of ASDA bananas

Vic
Silver badge

Re: Cadburys

If this had happened to one of their products, we'd be coming over all Ziggy Stardust now.

<jarvis> Now that's the last thing I'd want to happen </jarvis>

Vic.

0
0

BT's Wi-Fi Extender works great – at extending your password to hackers

Vic
Silver badge

Re: BT thanked Pen Test Partners for flagging software weaknesses

This keeps happening too often to be accidental. I figure most all manufacturers of networking kit include such as a condition of staying in business.

I very much doubt that. We'd have had whistle-blowers if it were true - this isn't highly paid work with awesome staff loyalty.

What you have is lashed-together kit based on a reference design that's rushed out the door with minimal and ineffective testing. And we're not going to see a change in that without at least one of the following happening:

  • Companies take a significant penalty for releasing shoddy kit. Such penalties should apply personally to the management that allowed it out
  • The industry needs to stop thinking of testing as an inferior task to developing new code; if you do the job correctly, it is your testers that prove you've written the right code, and these should be your best engineers, not your worst ones

Oooh look! What's that up in the sky? Big pink thing, curly tail, goes "oink".

Vic.

0
0

Uncle Sam rules on self-driving cars

Vic
Silver badge

And here I was thinking it was due to the equivalent of trying to pack 10 pounds of shit in a 5 pound bag.

Ultimately it becomes so - but the only reason we've got the 5 pound bag is because some fucknugget insists on driving 10mph below the speed limit in the middle lane. If it weren't for that, we'd have a 15-pound bag...

Vic.

1
0
Vic
Silver badge

Re: In the UK...

Trafficators?

How old are you, exactly?

I used to have an A30 with trafficators...

Vic.

0
0
Vic
Silver badge

So self-driving cars don't get stuck in traffic like ordinary cars?

Most traffic jams are caused by people doing unbelievably selfish things. Like slowing down to look at a crash on the side of the road. Or fighting to make sure you get into the merge before the guy in the other lane, despite it being his turn if you were to apply "merge in turn" rules.

By doing away with such petty behaviour, traffic jams will be significantly reduced.

Vic.

0
0

HP Inc's rinky-dink ink stink: Unofficial cartridges, official refills spurned by printer DRM

Vic
Silver badge

Re: I too gave up on inkjets..

How does dry inorganic polymer powder in a sealed cartridge reach end of life?

Like most dry powders, toner is hygroscopic. Over time, the absorption of water causes the toner particles to clump together, leading to blurring and smudging, if not worse.

I'm not sure that's a reason to refuse to print, though...

Vic.

0
0
Vic
Silver badge

Re: Laser please...

ink doesn't run if it gets wet (as I use printed maps outdoors, that's important).

I use a laminator. I can print out tables for a specific dive plan and take them underwater with me.

So far, none of them have leaked...

Vic.

1
0

Italian scientists use fluorescent box to arouse sexually indifferent men

Vic
Silver badge

This is all fine and dandy, but when are they going to start finding ways to get the ladies interested as well?

Alcohol. Getting ugly blokes laid for seven millennia...

Vic.

5
0

IPv6 now faster than IPv4 when visiting 20% of top websites – and just as fast for the rest

Vic
Silver badge

Re: 20% is not noticeable

That is the job of a firewall

Yes. Now try to get your average home user to understand how to program a firewall. What will happen is that it gets switched off, because that "makes it work".

Repeat after me: NAT is not a firewall.

However often you repeat your mantra, it affords a deal of protection for those that do not understand networking. Taking that protection away - even if there are better systems - does not improve anyone's life; to use those better systems requires an amount of understanding that most computer users just do not have.

Vic.

1
0

Let's Encrypt won its Comodo trademark battle – but now fan tools must rename

Vic
Silver badge

(ClamAV does not do on-access.)

It does on Linux.

Vic.

0
0

Two Sundays wrecked by boss who couldn't use a calendar

Vic
Silver badge

Re: Powering up in the right order

Networked PDUs aren't that specialised. Each socket can be controlled by sending commands over ssh.

At least one popular brand also responds to SNMP. There's some fun waiting to happen if you get an intruder on the network for a while...

Vic.

0
0
Vic
Silver badge

Re: Powering up in the right order

The problem with this is that it is an incredibly complex problem to solve (you have to define all of the hardware and software dependencies in order to allow the systems to restart in the correct order)

It's not *that* complex; I've done it a number of times. Puppet is my tool of choice.

The tricky bit is coping with failure - and importantly, what happens when your primary machine for a particular service takes so long to boot that the secondary has already started doing the job. These things take a bit of thinking about...

The trick, as ever, is to keep everything as simple as possible. And no simpler.

Vic.

2
0
Vic
Silver badge

Re: At least make sure your contract include TOIL

i asked for a clause about inventions to be removed

I had to get a clause removed when I went contracting a few years back.

They offered me their "standard" contract, which required that I give them the copyrights to any software I used. I told them I couldn't do that - and nor could anyone else.

What they wanted was the copyright to anything I wrote - which was completely reasonable. But the contract as worded would require me to furnish them with the copyrights to both GNU/Linux and MS Windows, since I wrote for both.

There were many contractors at this company. Apparently, I was the first ever to require a change to the contract (and I got it).

Vic.

4
0

Alleged hacker Lauri Love loses extradition case. Judge: Suicide safeguards in place

Vic
Silver badge

Re: Controversial

Even if the door is left open, the key is in the ignition and there's a sign going "steal this" - it's still stealing.

Your hyperbole goes too far.

Stealing, in the UK, is defined by the Theft Act 1968. It has a tricky bit about an intent permanently to deprive, which makes it a difficult offence to prove when it comes to nicking cars. Thus the Act has Section 12, covering Taking Without Consent.

Leaving a car in the condition you describe is likely to be seen as consenting to its being taken, meaning TWOC would not apply.

Vic.

7
1

National Cyber Security Centre to shift UK to 'active' defence

Vic
Silver badge

Re: Lawful?

Without wanting to detract from your main point,

Deliberately tampering with infrastructure such as traffic lights should be avoided, but failing this, if shared infrastructure is targeted then it should be disabled totally, and not set up to occasionally all show green, etc.

Forcing traffic lights to all-green is actually just an annoyance; it's not dangerous, despite what you see in the movies. Each signal controller is fitted with a separate watchdog unit which will detect such conflicts. The watchdog is a simple device which cannot be defeated by configuration - it's basically a wired-OR function. And when it trips, it takes out the fuse to the signal group, causing all the signal heads to turn off.

Having junctions that are normally signal-controlled suddenly becoming uncontrolled isn't great for traffic management, but that's a whole lot safer than having conflicting greens...

Vic.

1
0

Teenage noughties protocol BitTorrent reinvents itself again

Vic
Silver badge

Re: Rsync

I've always thought there should be a system where spare capacity (assignable as a percentage of free space, for example) on workstation / laptop hard disks could be used in some kind of network RAID storage used for onsite backups

HDFS does that...

Vic.

0
0

Azure is on fire, your DNS is terrified

Vic
Silver badge

Re: High availability

Two hours of downtime during the six months we've been using Azure to host our product. Seems pretty reasonable to me

Really?

I'd have been devastated if I were running that setup.

Vic.

0
0

Pains us to run an Apple article without the words 'fined', 'guilty' or 'on fire' in it, but here we are

Vic
Silver badge

Re: Water to 30 meters, but what about SALT water??

But there are plenty of plainish watches that don't really scream dive watch

Mine looks like this. Pretty unobtrusive, although it did get spotted at an airfield the other day by another diver.

plus I don't have to worry too much about it ever getting wet and taking it off, useful if snorkeling versus leaving it on a beach for example

Yep. Mine stays on my wrist unless the strap breaks or the battery goes flat. That's when my backup watch comes out. I've never taken that one underwater, though.

Vic.

1
0
Vic
Silver badge

Re: Water to 30 meters, but what about SALT water??

Then how do you do your deco calcs?

DDPlan. Written by a Gentleman of this Parish.

Vic.

0
0