
RE: NAT support and laws for the lawless



At 1:59 PM -0800 3/1/02, Hallam-Baker, Phillip wrote:
> > Hallam-Baker, Phillip wrote:
> > > People appear to be so caught up in whether we should be
> > > supporting NAT that the issue of how to support NAT is forgotten about.
> >
> > Agreed. However, at some point we're writing laws for the lawless. NATs
> > exist only by breaking what few real standards we've had in the
> > Internet. Writing standards for the rest of us to traverse a moving,
> > lawless target is not necessarily productive, IMO.
>
> Most of the NAT vendors are engaged in IETF and have shown willingness to
> comply with IETF standards, provided they allow them to get their job done.
>
> NAT has an important security role. We deploy it because our customers want
> to conceal their IP addresses against traffic analysis.
>
> Given that in the original Internet design IP was just the protocol run on
> the 'network of networks' I don't think that the claims that NAT is foreign
> to the Internet are valid. NAT appears to me to be part and parcel of the
> original concept.

As one of the folks who was around when "the original concept" was developed, I can emphatically say that NAT is not consistent with that model. The reason is that IP was designed to run over any underlying network layer protocol, and across layer 3 gateways, but it was assumed to provide end-to-end service for realtime communication. There were no firewalls back then and TCP and UDP were intended to operate in end systems only. Note that one of the problems associated with NAT in the IPsec context arises because the TCP checksum includes the addresses from the IP header. This was not one of our better protocol design decisions, but it obviously would not have been made if there were any thought that an intermediate system would modify these addresses.


Also, I have to question the purported traffic analysis security you cite for NAT. Since it is probably fair to assume that very little traffic sent through NAT devices is layer 3 encrypted, and since higher layer security protocols usually provide lots of info suitable for TA (e.g., SSL thoughtfully sends server and, optionally, client certs in the clear), it's hard to argue that NAT provides an effective form of TFS.

Steve
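The TCP checksum point in Steve's message, worked through in Python as an added example (none of this code is from the thread; the addresses and ports are constructed sample values): the checksum covers the RFC 793 pseudo-header, so a NAT that rewrites the source address invalidates the segment and must rewrite the checksum field as well, which is the field ESP encrypts and AH integrity-protects.

```python
import socket
import struct

# Constructed sample addresses (RFC 1918 / RFC 5737 ranges), not from the thread.
PRIVATE_SRC = "10.0.0.5"      # source address before NAT
PUBLIC_SRC = "203.0.113.1"    # source address a NAT substitutes
DST = "198.51.100.7"
TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum (RFC 1071); odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 793 folds into the TCP checksum."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum for a segment whose checksum field (bytes 16-17) is zero."""
    return ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) & 0xFFFF

def with_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Recompute the checksum field for these addresses. A NAT that rewrites the
    source address must do exactly this, which needs read/write access to the TCP
    header: ESP encrypts that header and AH would detect the change."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return zeroed[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, zeroed)) + zeroed[18:]

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header and segment must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP SYN header (data offset 5, flags=SYN) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return with_checksum(src_ip, dst_ip, header)

SYN = build_syn(PRIVATE_SRC, DST, 40000, 443, 0x12345678)     # sent by 10.0.0.5
if __name__ == "__main__":
    print("valid with original addresses:", checksum_ok(PRIVATE_SRC, DST, SYN))             # True
    print("valid after NAT changed only the IP header:", checksum_ok(PUBLIC_SRC, DST, SYN))  # False
    print("valid after NAT rewrote the TCP checksum too:",
          checksum_ok(PUBLIC_SRC, DST, with_checksum(PUBLIC_SRC, DST, SYN)))                # True
```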