nanog mailing list archives
Re: NAT etc. (was: Spam Control Considered Harmful)
From: bmanning () ISI EDU
Date: Sat, 1 Nov 1997 13:14:35 -0800 (PST)
Havard said:...which brings me to think if it isn't so that Secure DNS (at least as currently specified) and widespread deployment of NAT boxes which fiddle with the contents of DNS reply/request packets isn't exactly a properly working combination. As I understand it you can have NAT or Secure DNS with e.g. signed A records but you can't (easily?) have both.This is a misdirected concern. DNS clients inside a NAT cloud are already proscribed from seeing DNS data from other NAT clouds or from the Internet itself. The NAT technology has to strip off DNSSEC stuff when it imports data but it tends to strip off DNS delegation and authority data as well, and tends to alter the address and mail exchange records. NAT borders are already DNS endpoints, with or without DNSSEC. Whether and how to regenerate external DNS inside a NAT cloud is a matter of NAT implementation, but the fact that it's _regenerated_, not forwarded or recursed, is a design constant.
(While I have replied to Paul, this raving is for everyones
general amusment. - bill)
I think this is correct. However, this line of thinking
when seen in the light of end2end IPSEC seems to indicate that
NAT/Firewall technologies mandate a regenerated security
"envelope" at the NAT/Firwall edge. This tends to be what
corporations/governments want, while others tend toward
the endpoints being indivdually oriented. I, for one, (and
I expect I'm in the minority here) don't want to hand my keys
over to BBSS, Sprint, GTE, WCOM, the FBI, the Governement of
France... so they can decrypt the packets that I am sending
to you.
So, while I agree that NAT/Firewall techniques are an approch
to dealing with heirarchy/scaling issues, I think that MJR
was right. NAT/Firewalls are bandaids to be used until we have
reasonable endsystem/endsystem IP security.
If you really buy off on the catanet arguement, then there is
no need to reuse IP. FIDOnet, TCP on PPPover(mediaofchoice),
DECnet adnausa are available and you win with application transparency.
Jumping through all those hoops to make NATs work "seamlessly"
is a glittering bauble. Lots of interesting knots to go untangle
as folks rework and undo one of the basic assumptions behind IP
which is a single, common addressing space. And its really an
admission of failure.
Too many people saying, "Its too hard to make true end2end work,
(even across the existant IP (thats IPv4 for you Sean) space) so
we must carve it up into tiny bits that each party can claim as
their very own."
Buying into NATs dooms people to live in thier private hells.
Embrace Brigadoon.
--bill
Current thread:
- Re: moving to IPv6, (continued)
- Re: moving to IPv6 Randy Bush (Nov 07)
- Re: moving to IPv6 Paul Ferguson (Nov 07)
- Re: moving to IPv6 Winfried Haug (Nov 09)
- Re: moving to IPv6 Sean M. Doran (Nov 11)
- Re: moving to IPv6 Sean M. Doran (Nov 11)
- Re: Spam Control Considered Harmful Bill Becker (Nov 01)
- Re: Spam Control Considered Harmful Greg A. Woods (Nov 01)
- Re: Spam Control Considered Harmful Sean M. Doran (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) Havard . Eidnes (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) Paul A Vixie (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) bmanning (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) Greg A. Woods (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) Eric M. Carroll (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) Paul A Vixie (Nov 01)
- Message not available
- Re: NAT etc. (was: Spam Control Considered Harmful) Jay R. Ashworth (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) Paul A Vixie (Nov 01)
- Message not available
- Re: NAT etc. (was: Spam Control Considered Harmful) Jay R. Ashworth (Nov 02)
- Re: NAT etc. (was: Spam Control Considered Harmful) Alan Hannan (Nov 02)
- Message not available
- Re: NAT etc. (was: Spam Control Considered Harmful) Jay R. Ashworth (Nov 03)
- Re: NAT etc. (was: Spam Control Considered Harmful) Havard . Eidnes (Nov 01)
- Re: NAT etc. (was: Spam Control Considered Harmful) Brett Frankenberger (Nov 02)
- Re: NAT etc. (was: Spam Control Considered Harmful) Paul A Vixie (Nov 02)
