
RE: NAT support and laws for the lawless



At 1:59 PM -0800 3/1/02, Hallam-Baker, Phillip wrote:
>> > Hallam-Baker, Phillip wrote:
>> > People appear to be so caught up in whether we should be
>> > supporting NAT that
>> > the issue of how to support NAT is forgotten about.
>>
>> Agreed. However, at some point we're writing laws for the
>> lawless. NATs
>> exist only by breaking what few real standards we've had in the
>> Internet. Writing standards for the rest of us to traverse a moving,
>> lawless target is not necessarily productive, IMO.
>
>Most of the NAT vendors are engaged in IETF and have shown willingness to
>comply with IETF standards, provided they allow them to get their job done.
>
>NAT has an important security role. We deploy it because our customers want
>to conceal their IP addresses against traffic analysis.
>
>Given that in the original Internet design IP was just the protocol run on
>the 'network of networks' I don't think that the claims that NAT is foreign
>to the Internet is valid. NAT appears to me to be part and parcel of the
>original concept.

As one of the folks who was around when "the original concept" was 
developed, I can emphatically say that NAT is not consistent with 
that model. The reason is that IP was designed to run over any 
underlying network layer protocol, and across layer 3 gateways, but 
it was assumed to provide end-to-end service for realtime 
communication. There were no firewalls back then and TCP and UDP were 
intended to operate in end systems only. Note that one of the 
problems associated with NAT in the IPsec context arises because the 
TCP checksum includes the addresses from the IP header. This was not 
one of our better protocol design decisions, but it obviously would 
not have been made if there were any thought that an intermediate 
system would modify these addresses.

Also, I have to question the purported traffic analysis security you 
cite for NAT.  Since it is probably fair to assume that very little 
traffic sent through NAT devices is layer 3 encrypted, and since 
higher layer security protocols usually provide lots of info suitable 
for TA (e.g., SSL thoughtfully sends server and, optionally, client, 
certs in the clear), it's hard to argue that NAT provides an effective 
form of TFS.

Steve
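The checksum point in the message above is the root of the classic NAT/IPsec conflict, and it is easy to see in code. The following is an added illustration, not code from the thread or from any IETF document: it builds the TCP pseudo-header checksum (which covers the IP source and destination addresses), models a source NAT rewriting the source address, and shows that the NAT can keep the segment valid only when it can read and patch the TCP header. When the TCP header is hidden inside an ESP payload the NAT cannot touch it, so the checksum goes stale. All addresses, ports and the toy `nat_rewrite` function are constructed for the example.

```python
import struct
import ipaddress


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit words with end-around carry (the Internet checksum arithmetic)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, tcp_segment: bytes) -> int:
    """TCP checksum: covers a pseudo-header built from the IP source and
    destination addresses, protocol number 6 and the TCP length, followed by
    the TCP header (checksum field zeroed) and payload."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(tcp_segment)))
    # Zero the checksum field (bytes 16..17 of the TCP header) before summing.
    seg = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return (~ones_complement_sum(pseudo + seg)) & 0xFFFF


def build_tcp_segment(src_port: int, dst_port: int, seq: int, ack: int,
                      flags: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5 words) with a zeroed checksum."""
    offset_flags = (5 << 12) | flags
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      offset_flags, 65535, 0, 0)
    return hdr + payload


def with_checksum(src_ip: str, dst_ip: str, tcp_segment: bytes) -> bytes:
    """Return the segment with its checksum field filled in for these addresses."""
    csum = tcp_checksum(src_ip, dst_ip, tcp_segment)
    return tcp_segment[:16] + struct.pack("!H", csum) + tcp_segment[18:]


def checksum_valid(src_ip: str, dst_ip: str, tcp_segment: bytes) -> bool:
    """Receiver-side check: recompute over the (possibly rewritten) addresses
    and compare with the stored field."""
    stored = struct.unpack("!H", tcp_segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, tcp_segment) == stored


def nat_rewrite(new_src_ip: str, dst_ip: str, tcp_segment: bytes,
                can_read_tcp: bool):
    """Hypothetical source NAT (constructed for this example). It rewrites the
    outer IP source address; to keep the packet valid it must also patch the
    TCP checksum, which it can only do if the TCP header is readable. Under
    ESP the TCP header is encrypted, so the NAT has to leave it as is."""
    if not can_read_tcp:
        return new_src_ip, tcp_segment          # checksum left stale
    return new_src_ip, with_checksum(new_src_ip, dst_ip, tcp_segment)


def demo():
    """Returns (valid before NAT, valid after NAT on cleartext TCP,
    valid after NAT on an ESP-protected segment)."""
    private_src, dst, public_src = "10.0.0.5", "192.0.2.10", "203.0.113.7"
    seg = with_checksum(private_src, dst,
                        build_tcp_segment(40000, 443, 1, 0, 0x02, b""))  # SYN
    ok_before = checksum_valid(private_src, dst, seg)

    # Cleartext TCP: the NAT patches the checksum and the receiver is happy.
    src1, plain = nat_rewrite(public_src, dst, seg, can_read_tcp=True)
    ok_plain = checksum_valid(src1, dst, plain)

    # ESP-protected TCP: the NAT cannot reach the checksum, so once the host
    # decrypts the segment and verifies it against the rewritten source
    # address, the check fails.
    src2, esp = nat_rewrite(public_src, dst, seg, can_read_tcp=False)
    ok_esp = checksum_valid(src2, dst, esp)
    return ok_before, ok_plain, ok_esp


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

The third result is exactly the case the message describes: the address the checksum was computed over is no longer the address on the wire, and nothing between the NAT and the endpoint is able to fix that without seeing inside the ESP payload. (With AH the problem appears even earlier, since the IP source address itself is covered by the integrity check.)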