
RE: NAT support and laws for the lawless



Hallam-Baker, Phillip wrote:
> NAT has an important security role. We deploy it because our customers
> want to conceal their IP addresses against traffic analysis.

This is just bogus crap they have been sold. It is easier to perform
traffic analysis on a NAT address that doesn't move than to figure out
if a particular address corresponds to a node that has changed subnets.
NAT is not a security tool; get over it. If they really want to avoid
traffic analysis, have them use RFC3041 addresses with ESP.

>
> Given that in the original Internet design IP was just the protocol run
> on the 'network of networks', I don't think that the claims that NAT is
> foreign to the Internet is valid. NAT appears to me to be part and
> parcel of the original concept.
>

The original concept was based on a single global address space with
multiple administrative partitions, not the brokenness of multiple
overlapping address spaces.

>
> > email is a specious analogy, because many of the legacy systems were
> > implemented before, not in defiance of, Internet specs.
>
> Many of the problems with email are caused by compliance with IETF specs
> that were based on a broken model. The idea that servers should perform
> character set translation was broken, as was the idea that servers
> should do line wrapping for the client. But those servers are out there.
>
> When we designed HTTP all sorts of people were telling us that the
> protocol should assume that proxies mangle headers in the same way that
> mail agents do. Some well known IETF folks were screaming and stamping
> their feet, claiming that we should transport all images using BASE64
> encoding, in case someone was using a connection that was not 8 bit
> clean.
>
> But as I said, it does not matter how we got into the swamp or whose
> fault it is. We are now in the swamp and we cannot get out of it using
> the mathematicians' technique 'assume that we are on dry land'.
>

In this case you can. Assume you have an IPv6 network between the
endpoints, and let the stack work out the layers of framing necessary to
make that true.

Tony