
Re: end2end? (was: RE: Where NAT disenfranchises the end-user ...)
From: Leo Bicknell <bicknell () ufp org>
Date: Fri, 7 Sep 2001 17:00:24 -0400

On Fri, Sep 07, 2001 at 11:57:24AM -0700, Mike Batchelor wrote:
Well of course, that was my point.  Where do you draw the line?  The packet
as received is not identical to the packet as it was sent, even when NAT is
not involved.  Along the way, various things get modified, the packet is
encapsulated, unwrapped, re-encapsulated, TTLs get decremented, ... all

It violates a layering principle.  An application never 'creates'
a packet (particularly when thinking about TCP).  Thus the application
doesn't pick the initial TTL, for instance.  So there's no reason
the application should expect it to be a particular value at the

An application very much creates its own data stream, and expects
a reliable transport scheme to pass it _unaltered_.  Note, NAT can
cause issues here.  If I run a telnet server on port 53, telnet to
it through a NAT gateway, and send data that looks like an AXFR,
it will probably change it, thinking it's operating on DNS.  That's
pretty dangerous.

It also crosses an interesting legal line.  If you're an ISP customer
and it's ok for the ISP to read your data stream and alter it in
real time to provide NAT, why wouldn't it be legal for them to read
your e-mail in real time as it passes, and alter what you said?
The same boxes could do it.  What makes it ok to alter an IP address
here and there, but not alter a word?  Why are they different?

Leo Bicknell - bicknell () ufp org
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request () tmbg org, www.tmbg.org
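As an added example, not part of this thread and not the code of any NAT product, the following Python simulation walks through the telnet-on-port-53 failure mode Leo describes. A hypothetical NAT whose DNS ALG keys only on port 53 rewrites any payload bytes that happen to match the inside address; a stricter ALG first checks that the payload parses as a DNS message before touching it; and an HMAC over the application data shows how an endpoint can detect that something in the path altered its stream. All addresses, ports, keys and messages are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

INSIDE_IP = "10.0.0.5"      # constructed: host behind the NAT
OUTSIDE_IP = "192.0.2.10"   # constructed: the NAT's public address (TEST-NET-1)


def ip_to_bytes(ip: str) -> bytes:
    """Dotted-quad string to its 4-byte wire form."""
    return bytes(int(octet) for octet in ip.split("."))


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def translate_header(pkt: Packet, payload: bytes) -> Packet:
    """Ordinary NAT: rewrite the inside source address, leave ports alone."""
    src = OUTSIDE_IP if pkt.src_ip == INSIDE_IP else pkt.src_ip
    return Packet(src, pkt.dst_ip, pkt.src_port, pkt.dst_port, payload)


def naive_dns_alg(pkt: Packet) -> Packet:
    """Hypothetical ALG that decides "this is DNS" from port 53 alone and then
    substitutes the inside address wherever its 4-byte form occurs in the
    payload. Anything else carried on port 53 gets the same treatment."""
    payload = pkt.payload
    if 53 in (pkt.src_port, pkt.dst_port):
        payload = payload.replace(ip_to_bytes(INSIDE_IP), ip_to_bytes(OUTSIDE_IP))
    return translate_header(pkt, payload)


def looks_like_dns(payload: bytes) -> bool:
    """Simplified sanity check: a 12-byte header with a known opcode, exactly
    one question, and a question name made of valid labels followed by
    QTYPE/QCLASS. Real resolvers accept more; this is deliberately strict."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or qdcount != 1:
        return False
    pos = 12
    while True:                      # walk length-prefixed labels to the 0 terminator
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length > 63:              # labels are at most 63 octets
            return False
        pos += 1 + length
    return len(payload) >= pos + 4   # QTYPE and QCLASS must be present


def checked_dns_alg(pkt: Packet) -> Packet:
    """Same rewrite, but only once the payload actually parses as DNS."""
    if 53 in (pkt.src_port, pkt.dst_port) and looks_like_dns(pkt.payload):
        return naive_dns_alg(pkt)
    return translate_header(pkt, pkt.payload)


def build_dns_response() -> bytes:
    """Constructed DNS response: host.example. A -> INSIDE_IP."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x04host\x07example\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ip_to_bytes(INSIDE_IP)
    return header + question + answer


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """End-to-end check the endpoints can apply regardless of what the path does."""
    return hmac.new(key, data, hashlib.sha256).digest()


def run_scenarios() -> dict:
    key = b"constructed-shared-key"
    peer = "198.51.100.7"                              # constructed remote host
    # 1. A genuine DNS response: both ALGs rewrite the A record (the intended job).
    dns = Packet(INSIDE_IP, peer, 53, 40000, build_dns_response())
    # 2. Leo's case: a telnet-style stream on port 53 whose bytes happen to
    #    contain the inside address.
    chat = b"hello " + ip_to_bytes(INSIDE_IP) + b" world"
    telnet = Packet(INSIDE_IP, peer, 53, 40001, chat)
    sent_tag = integrity_tag(key, chat)
    naive_out = naive_dns_alg(telnet).payload
    return {
        "dns_naive": naive_dns_alg(dns).payload,
        "dns_checked": checked_dns_alg(dns).payload,
        "telnet_naive_intact": naive_out == chat,
        "telnet_checked_intact": checked_dns_alg(telnet).payload == chat,
        "telnet_naive_tag_ok": hmac.compare_digest(integrity_tag(key, naive_out), sent_tag),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value!r}")
```

The HMAC is the point a defender takes away: the NAT's rewrite of the chat stream is invisible to the receiver until something above the transport layer checks the data end to end, which is exactly the integrity property Leo says an application expects from its transport.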
