May 08, 2004

How the Internet is broken, how to fix it, and why that's not going to happen

The Internet is broken. Not in an "I-put-the-Internet-in-the-recycle-bin" kind of way, but in the "data-won't-go-from-one-computer-to-the-other" way. You probably don't believe me, which is understandable considering that you're reading this over the Internet. Let's try a little experiment.

Chances are you're behind a router. Open up AOL Instant Messenger (or a reasonable facsimile) and try to send a file to someone else behind a cable modem. Chances are it won't work, because the Internet is broken. This is one example; there are plenty of others. Enabling computers to talk to each other is the fundamental purpose of the Internet, but as it stands personal computers have to go through servers to talk to each other.

What's happened is that the NAT routers that let multiple computers share a single cable modem aren't a perfect solution. They're a horrible solution, in fact: the networking equivalent of using water in your radiator - it'll work in the short term, but come winter your pipes will explode. John Walker, founder of Autodesk, has written about this and other threats to the Internet in The Digital Imprimatur.

The typical home user never notices NAT; it just works. But that user is no longer a peer of all other Internet users as the original architecture of the network intended. In particular, the home user behind a NAT box has been relegated to the role of a consumer of Internet services. Such a user cannot create a Web site on their broadband connection, since the NAT box will not permit inbound connections from external sites. Nor can the user set up true peer to peer connections with other users behind NAT boxes, as there's an insuperable chicken and egg problem creating a bidirectional connection between them.

Sites with persistent, unrestricted Internet connections now constitute a privileged class, able to use the Internet in ways a consumer site cannot. They can set up servers, create new kinds of Internet services, establish peer to peer connections with other sites--employ the Internet in all of the ways it was originally intended to be used. We might term these sites "publishers" or "broadcasters", with the NATted/firewalled home users their consumers or audience.

There are a lot of things you can do with a direct Internet connection that you can't do from behind NAT - for instance, sites like LegalTorrents give preferential treatment to people on direct connections, and gamers behind NAT can't host games. So why do people use NAT routers?

Most ISPs give their customers only one IP address, which lets one computer communicate on the Internet. If you want to hook up more than one computer, you either need to buy a NAT router or buy more IP addresses, assuming your Internet provider even offers them. ISPs are stingy with IPs because IP addresses aren't as plentiful as they once were.

Routers typically assign their computers addresses that start with 192.168, 172.16 or 10. These are the private address ranges, a dead zone as far as the Internet is concerned: packets to these addresses are never routed across the public Internet. Since nobody can reach them from outside, routers are free to use them on the inside. So even though your computer has the IP address 192.168.0.2 and your friend's computer is 192.168.0.3, they can't talk to each other, because each address is only meaningful on its own private network. That's why your file transfer fails.

The current system the Internet uses is IP version 4, which is limited to roughly 4 billion addresses, give or take. While that seems like a lot, think of how many IP addresses you personally use: your computer at home, your computer at work, your cell phone (yup, they have IPs), your TiVo (it updates over the Internet), your Xbox, your PocketPC, or anything else that uses the Internet. Suddenly 6 billion people sharing 4 billion addresses doesn't seem that plentiful.

It seems odd that something as ethereal and arbitrary as IP numbers could be scarce. After all, if we run out, can't we just make more? Unfortunately, that would be a bit like printing your own form of currency when you run out of money. No one would know what to do with the new stuff, so it would be worthless. What's needed is a new set of IP numbers with enough addresses for now and the future. Geeks reading this already know what I'm getting to: IPv6.

IPv6 has roughly 1,200,000,000,000,000,000,000,000 addresses to IPv4's 4,000,000,000. If we used IPv6 instead of IPv4, every computer on the Internet could have its own address, and we could freely send files, host games on our Xboxes, or do any number of other things that come with being a real Internet citizen. Great, so where do you sign up? Not so fast.

The good news is that most operating systems already support IPv6 - Windows XP and 2000, Mac OS X and (unsurprisingly) Linux. Unfortunately, there's a bit of a chicken-and-egg problem with IPv6. IPv6 doesn't have backwards compatibility built in, so people on IPv6-only networks can't talk to the IPv4 Internet. Since few people are using it, there aren't many services for it; and since there aren't many services for it, few people are using it. The NAT router is "good enough" for most people, and they don't know that things could be better.

OK, hopefully I've convinced you that there is a problem with the Internet. Luckily, there's a way to migrate slowly from IPv4 to IPv6: upgrade Linksys NAT routers.

While I can't find the market data, my own experience tells me that Linksys is the most popular NAT router maker for people on home broadband. They pick up one of Linksys' little purple boxes, plug it in and it works. Linksys makes a quality product, and it's hard to argue with that.

There's a tunneling mechanism called 6to4 that carries IPv6 traffic over the existing IPv4 Internet, letting IPv6 networks reach each other through a gateway. If Linksys were to ship this software by default on their routers and provide a gateway for their users, it would jump-start the IPv6 revolution.

If they included IPv6 software, not much would change from the user's perspective. People would still just plug it in and it would still just work, but the router would also be handing compatible computers IPv6 addresses in addition to those 192.168 IPv4 addresses. That would provide enough of a market to get a few niche applications ported. Suddenly people using an IPv6 AIM would be able to transfer files, or IPv6 Xbox Live would let anyone host a game. That would be enough to drive the push to IPv6, and within a few years cable and DSL providers would start offering IPv6 addresses.

Now I like to think I'm a pretty smart guy, but the people over at Linksys are much smarter than me, especially when it comes to networking. They've most likely thought of exactly this plan (if they haven't they are more than welcome to implement it with my blessings). So why haven't we seen any movement on this front?

Linksys is the biggest provider of NAT routers, and NAT routers are a huge part of Linksys's business. When IPv6 finally comes into its own, no one will need NAT routers. That would put a huge dent in the bottom line, and could possibly shut them down. So what incentive does Linksys have to take the initiative, if IPv6 will ruin their business? To me it looks like a classic market failure (unlike QWERTY), and I have serious doubts as to whether we'll ever get IPv6 addresses.

Posted by george at May 8, 2004 03:22 PM
Comments and TrackBacks


Just out of curiosity I installed the Linksys WRT54g userspace distribution on my parents' WRT54g, and found it quite entertaining to browse around.

Interesting aspects of it:
- it runs an embedded ASP-capable httpd, which actually appears to be a customized ASP dialect (I don't know why they didn't use PHP or Tcl instead)
- Linksys didn't actually write the code; it was done by a company called CyberTAN
- This amusing notice appears in the top of it:

This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc. the contents of this file may not be disclosed to third parties, copied or duplicated in any form without the prior written permission of CyberTAN Inc.

This software should be used as a reference only, and it not
intended for production use!


- CyberTAN doesn't deem it necessary to follow the LFS, and I have no idea where the inittab (if any) lives.
- There is a tftpd instance running all the time. No idea why.
- It also has a daemon for listening to the reset button. Which means that if the device were to crash, the reset button probably wouldn't do much good...

Also, the Linux user tools distribution opens up the telnetd port to the entire world, and of course there's no user auth on it. Not that a kiddie can do that much with a root shell on it anyway, but still.

Anyway, somewhere in that ramble I forgot how this had anything to do with the IPv6 stuff, except maybe I was going to say something like how it's conceivably possible to install 6to4 on it yourself or something. But oh well.

Posted by: fluffy at May 8, 2004 04:22 PM

I like the idea of home router companies implementing IPv6. That seems like a novel idea, George.

Oh, and if you wanna possibly get more technical, these home routers implement PAT, more so than NAT. The term Network Address Translation was concocted to describe using a pool of routable IP addresses to translate for internal addresses. Technically, NAT is a 1 to 1 mapping of internal to external address. The Politically Correct Term, PAT, stands for Port Address Translation.

If true NAT was implemented, with a pool of routable addresses, you would be able to do file transfers without the current problems. Today, AOL and MSN provide a rudimentary intermediary service that sometimes works for direct connecting, I think.

This doesn't change the overall idea you presented, though. I think the driving force for IPv6 might just end up being, "Hey! Japan already did it!".

How long have Quake3 and other gaming servers been offered via IPv6? I recall noticing that the Quake III demo was offered on some IPv6 servers for special people to download without problem.

Posted by: gabe at May 8, 2004 07:32 PM

While this definitely should be a concern to those who really understand the power and potential of the Internet, there is one positive side-effect to so many machines hiding behind NATing routers -- security. A NAT router typically acts like a packet-filtering firewall that keeps pretty much all machines behind it safe from the common automated attacks and worms. This is an accident of circumstance, but does help keep many machines from unwittingly spewing infectious trash onto the 'net.

Posted by: sst at May 10, 2004 09:37 AM

Yes. It will keep them from getting infected. It is one more obstacle for a virus to bypass.

But as soon as a laptop that is already infected, or an e-mail executable, is installed behind the NAT, then it gets right to spewing said traffic.

Posted by: Gabe at May 10, 2004 01:53 PM

Couple questions, since you piqued my interest:
I do, in fact, have a Linksys router at my home. Is there any way to install the IPv6 software on it, or would that sort of thing have to be hardwired in?
Second, the reason I use a router is because I have just one cable coming out of the wall. I need some way to make two computers use it. I would imagine most people have a similar experience. Though, possibly, this is because my ISP would charge me for another connection, they'd have to use some sort of splitter or router as well, so wouldn't the problem be the same? Unless I had another physical cable? Am I just not getting it? I'd figure that even with IPv6, I'd need a router for home use. What would Linksys have to lose?
js

Posted by: js at May 11, 2004 08:47 AM

Josh - I think a few of the truly hardcore hack their Linksys routers' firmware, but for you and me there isn't much we can do.

Switches provide a way to "split" the network connection, but since Comcast only gives us one IP address that address needs to be shared between computers. NAT routers typically include a 4 or 8 port switch, which is what you plug your computers into.

With IPv6 people would no longer need expensive NAT routers and could go with cheaper switches.

Posted by: George at May 11, 2004 09:10 AM

Answer- Sell more switches cheaper. Encourage people to have more than one computer at home. Some people will still use the router functions, for security concerns or whatever, and others will have the option to host whatever they want.
Bingo, I just fixed the internet (with a glibly over-simplistic model! Where's my venture capital?)
js

Posted by: js at May 13, 2004 08:14 PM

I have a NAT/PAT router with wireless built in. I have game servers/WEB servers/ and file servers all running behind 1 IP address. All accessible via the web. All very secure behind my router. Hasn't anyone heard of port forwarding? I am currently doing everything that you say is impossible without IPv6. I don't have any trouble with sending/receiving files. Is my internet the only one not broken?

MAB

Posted by: MAB at May 15, 2004 03:12 PM

MAB - you're running multiple webservers behind a single IP on port 80? The reason I stipulate port 80 is because it's the standard port for HTTP. Standard ports are important because they tell clients what to connect to, and NAT/PAT can only forward a port to a single masqueraded IP address as far as I know. AIM has to know what port on a remote computer it needs to connect to in order to send a file, the standard port.

The alternative would be for everyone to publish the port forwarding port they set up in their NAT router. Can you imagine having to put in your username, password and file transfer port to sign into AIM? That's not something my mom is going to understand, that's broken.

Posted by: George Hotelling at May 15, 2004 04:07 PM
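Both the original post's explanation of why a transfer between two 192.168.x.x machines fails and the port-forwarding question in this exchange come down to what a PAT table does and doesn't contain. The following toy PAT router is an added illustration of mine, not code from the post, from Linksys or from any real firmware. It models three behaviours: an outbound flow creates a mapping so replies can come back in; an unsolicited inbound packet with no mapping is dropped, which is what happens to both sides when two NATted peers try to reach each other; and a static port forward sends a public port to exactly one inside host, so a second machine cannot share port 80 by forwarding alone. All addresses are constructed sample values from the documentation ranges, and port 5190 is just a stand-in for "the file-transfer port the client expects".

```python
"""Toy port-address-translation (PAT) table, written for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """One public IPv4 address shared by many private hosts (the home router case)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.forwards = {}   # public_port -> (inside_ip, inside_port), static rules

    def add_port_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """A public port can be forwarded to only one inside host."""
        if public_port in self.forwards:
            taken_by = self.forwards[public_port][0]
            raise ValueError(f"public port {public_port} is already forwarded to {taken_by}")
        self.forwards[public_port] = (inside_ip, inside_port)

    def send_out(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the LAN and remember the flow so replies can return."""
        if not ip_address(pkt.src_ip).is_private:
            raise ValueError("only RFC 1918 sources are translated")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means it was dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.forwards.get(pkt.dst_port)    # static rule as a fallback
        if target is None:
            return None                                 # no state, no forward: dropped
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def web_browsing():
    """Normal case: an inside host opens a connection and the reply finds its way back."""
    r = PatRouter("198.51.100.10")
    out = r.send_out(Packet("192.168.0.2", 51515, "203.0.113.20", 80))
    reply = r.receive_in(Packet("203.0.113.20", 80, "198.51.100.10", out.src_port))
    return out, reply            # reply is delivered to 192.168.0.2:51515


def peer_to_peer_attempt():
    """Two hosts, each behind its own PAT router, each try to connect to the other."""
    a, b = PatRouter("198.51.100.10"), PatRouter("203.0.113.20")
    a_to_b = b.receive_in(a.send_out(Packet("192.168.0.2", 5190, "203.0.113.20", 5190)))
    b_to_a = a.receive_in(b.send_out(Packet("192.168.0.3", 5190, "198.51.100.10", 5190)))
    return a_to_b, b_to_a        # (None, None): neither router has a matching entry


def port_forward_attempt():
    """A forward admits inbound traffic to one host; a second host cannot share the port."""
    r = PatRouter("198.51.100.10")
    r.add_port_forward(80, "192.168.0.2", 80)
    delivered = r.receive_in(Packet("203.0.113.20", 51000, "198.51.100.10", 80))
    try:
        r.add_port_forward(80, "192.168.0.3", 80)
        second_host_ok = True
    except ValueError:
        second_host_ok = False
    return delivered, second_host_ok   # delivered to 192.168.0.2:80, second forward refused


if __name__ == "__main__":
    print(web_browsing())
    print(peer_to_peer_attempt())
    print(port_forward_attempt())
```

The simulated router is deliberately strict (it only lets a reply in from the exact remote address and port the inside host talked to), which matches the behaviour the post complains about. Real devices vary in how strict that check is, and that variation is what later NAT traversal schemes exploit, but none of it changes the forwarding limitation discussed here: one public port, one inside host.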

George, I don't know what your broadband services (e.g. DSL, cable, etc.) are like where you are, but here in Australia you always need some kind of terminal adapter equivalent, e.g. the DSL modem, the cable modem, to handle the PPPoE or analogous session oriented protocol over the wide area link.

The point is that these home gateway devices do that on behalf of all the other devices in the home. They still do that, and act as a router, even if using IPv6. They'll still want to provide a controllable firewall, even with IPv6, and all the other features. It is only NAT / NPAT that they are dropping.

Posted by: Roger Venning at May 25, 2004 01:24 PM

George,
Yes, I am actually running multiple webservers on a single IP address on port 80. Amazing? Not really. Apparently you aren't familiar with a handy technology that is generically referred to as reverse proxy. It enables multiple masqueraded servers to operate and serve the same external IP/Port combo, and it is completely invisible to the web site visitors. This might explain why you think the internet is broken.

It also explains why you think the internet is broken if you measure it by whether or not your mother could figure it out. My mother couldn't figure out AIM under IPv4 or v6, what does that mean? It means my mother won't be sharing files on AIM any time soon. But it doesn't mean anything is broken.

Admittedly, IPv6 would revolutionize the way we use the internet. Perhaps IPv6 would even make the internet easy enough for you to use. :)

MAB

Posted by: MAB at May 25, 2004 07:57 PM

OK, I'll give you the reverse proxy. Since I only use them for hiding non-Apache web servers behind Apache I (admittedly mistakenly) didn't consider it for my challenge.

Unfortunately that's an HTTP-specific solution, it doesn't work for TOC or Oscar protocols. If all you think the Internet should do is serve up web pages then mod_proxy fixes the Internet (assuming everyone has access to run a reverse HTTP proxy on their NAT routers). Personally, I want a World of Ends where new protocols that use the power of the Internet can be deployed on desktops and servers alike.

As for who's mom could beat up whom, it turns out that my mother can figure out how to send files over AIM but she can't figure out how to configure her router to allow her to. I think that if the router is preventing her from sending files, that falls in the realm of broken.

Posted by: George Hotelling at May 25, 2004 08:09 PM
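For readers wondering what MAB's reverse proxy is actually keying on, and why George calls it HTTP-specific, here is an added illustration of mine (not code from either commenter, and not Apache's mod_proxy). It does the name-based dispatch a reverse proxy performs: read the Host header from the first request line block and pick an inside server from it. The backend table and the request bytes are constructed samples; the non-HTTP sample is a frame that simply does not start with an HTTP request line, which is all that matters here, since a protocol with no Host header gives the proxy nothing to route on.

```python
"""Host-header dispatch, the core of a name-based HTTP reverse proxy (illustration only)."""
from typing import Optional, Tuple

# Constructed sample: three masqueraded web servers sharing one public IP and port 80.
BACKENDS = {
    "www.example.net": ("192.168.0.2", 80),
    "blog.example.net": ("192.168.0.3", 80),
    "files.example.net": ("192.168.0.4", 8080),
}

# Constructed sample of a non-HTTP client's first bytes (no request line, no Host header).
NON_HTTP_FRAME = b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"


def parse_host(request: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request, lower-cased and without a port.

    Returns None when the bytes are not an HTTP request or carry no Host header.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None                                   # not HTTP: nothing to route on
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):                  # IPv6 literal such as [2001:db8::1]:80
                end = host.find("]")
                return host[1:end] if end > 0 else None
            return host.split(":", 1)[0]              # drop an explicit :port
    return None


def choose_backend(request: bytes) -> Optional[Tuple[str, int]]:
    """Map a request to the inside server that should receive it, or None to refuse it."""
    host = parse_host(request)
    if host is None:
        return None
    return BACKENDS.get(host)


if __name__ == "__main__":
    print(choose_backend(b"GET / HTTP/1.1\r\nHost: blog.example.net\r\n\r\n"))   # ('192.168.0.3', 80)
    print(choose_backend(b"GET / HTTP/1.1\r\nHost: WWW.example.net:8080\r\n\r\n"))  # ('192.168.0.2', 80)
    print(choose_backend(NON_HTTP_FRAME))                                        # None
```

Two things fall out of this: a visitor never sees the 192.168 addresses, which is MAB's point, and the dispatch only exists because HTTP puts the intended server name in band. A protocol that carries no such field is exactly the case George raises, and the proxy has nothing to select on.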

George,

In this case it is an HTTP specific solution only because that happens to be the only solution I need at this time. I'm sure there is a similar application that understands and correctly disseminates other protocols. As for the world of ends, while incredibly romantic (to us nerds that is), it's not necessarily ideal in all circumstances. I think that if the natural "barriers" (routers) present in IPv4 were removed with the implementation of IPv6, we would have to erect unnatural barriers in order to offer the same level of security we have now. Not only would communication and file/data transmission get simpler and easier, so would the spread of worms, viruses, and other malicious code. I would love it if I could leave the front door of my house open all the time. It would make it easier for the pizza delivery man, my friends and family visitors, etc. However, in doing so I make my home incredibly unsafe.

Lastly,
You may claim that your mother's router has problems, but her inability to configure it is just not grounds to call any services that it provides broken.
If that were the case, my dad's TV service is broken because he can't work his VCR.

Surely you see this.

BTW: Whether or not I agree with your assessment, I thank you for a column interesting enough to spur some thought provoking posts.

MAB

Posted by: MAB at May 25, 2004 09:00 PM

As I read through the unknown number of post replies counter replies, I am brought to one conclusion. I am on a DSL modem. I have 8 computers behind a Linksys router. I have not only configured it so I can get to my Web (http) server but also my FTP server. And for added challenge I also configured my VPN Gateway behind a NAT. My Linksys "Router" NATs all of my IP ports to an internal address that is running my web, ftp, and vpn gateway. I could allow any other services I wanted but I have chosen to lock down all other unwanted ports. As for IM file sends... Well that is just a poor implementation of a ftp replacement. It isn't the Internet that is broken it is the application. I am a computer professional and I enjoyed setting up my home network so that I have complete access to all of my home computer systems with the right software username and password. What it seems to me is that everyone is mad that it isn't free. Well someone has to pay the programmers for writing and compiling all that code.

Sincerely
Thomas Simmons

Posted by: Thomas Simmons at June 24, 2004 10:46 PM
