[e2e] purpose of pseudo header in TCP checksum

Noel Chiappa jnc at mercury.lcs.mit.edu
Tue Feb 15 06:58:22 PST 2005


    > From: "David P. Reed" <dpreed at reed.com>

This is kind of orthogonal to the original poster's point, but I see an
incorrect assertion I want to point out.

    > wrecked irrevocably by the terrorists who invented NAT

Passing note: this may well set a new mark for corruption of the term
"terrorist". (I concede that you may well be simply making fun of others
who are doing the same thing.)


    > (which doesn't allow end-to-end encryption, because NAT is
    > inherently a "man-in-the-middle" attack!).
    > ..
    > If we actually had end-to-end encrypted TCP (now impossible because
    > of the NATs)

David, as a general statement of what is and is not possible in a world
with NAT boxes (defined as "internetwork level addresses are local in
scope, and such addresses in internetwork level headers get modified
crossing scope boundaries"), this is just not so.

Yes, the *existing* secure TCP won't work across NAT boxes. However, it
is not that difficult to design a TCP upgrade which a) runs across NAT
boxes without needing to have the NAT boxes tweak the packets, and b) can
be end-end secured (either authenticated, or privacy-protected; in both
cases covering MiM attacks too).

I know this because as part of the NSRG work I actually did most of such
a design, which you can find here:

  http://ana-3.lcs.mit.edu/~jnc/tech/nsrg/tcp_doc.txt

Briefly, if we got off our butts and added another namespace to the
overall architecture, one intended for end-end naming (instead of trying
to leech off the internetwork layer's routing names - which was pointed
out as a mistake by Jerry Saltzer over 20 years ago), and changed TCP to
use that in the pseudo-header, NAT problems become non-existent (except
when doing an ICP to a legacy host).

If we stopped chasing the worthless chimera of IPv6, maybe some useful
things like the above would actually get done. I'm not holding my breath
on that one.


    > Instead we have a maze of twisty, disconnected passages, vulnerable
    > to a zillion hackers.

One day people will realize that the only real solution to security in an
open network environment (given all the buggy applications out there) is
to run applications in AIM boxes. I'm not holding my breath on that one
either.

	Noel 
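The checksum mechanics behind this thread, as an added example that is not part of the original post or of the linked NSRG design: an RFC 793 TCP checksum bound to the IP-address pseudo-header stops verifying the moment a NAT rewrites the source address (so the NAT has to touch the transport header to fix it), while a checksum bound to address-independent end-to-end identifiers is unaffected. The TCP header, IP addresses and the 8-byte identifiers are constructed sample values, and the identifier pseudo-header is a hypothetical stand-in for the namespace the post describes.

```python
import struct

# Constructed sample values (not from the post): a 20-byte TCP header with the
# checksum field (bytes 16..18) zeroed, plus a short payload.
TCP_HEADER = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 5 << 12 | 0x18, 65535, 0, 0)
SEGMENT = TCP_HEADER + b"GET / HTTP/1.0\r\n\r\n"
INSIDE_IP = bytes([192, 168, 1, 10])    # sender's private address
OUTSIDE_IP = bytes([203, 0, 113, 5])    # address the NAT substitutes
SERVER_IP = bytes([198, 51, 100, 7])
SRC_ID = bytes.fromhex("0011223344556677")  # hypothetical end-to-end names,
DST_ID = bytes.fromhex("8899aabbccddeeff")  # independent of any IP address

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: bytes, dst: bytes, segment: bytes) -> bytes:
    """Pseudo-header: source, destination, zero byte, protocol 6, TCP length."""
    return src + dst + struct.pack("!BBH", 0, 6, len(segment))

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """RFC 793 checksum over pseudo-header + segment (checksum field zero)."""
    return (~ones_complement_sum(pseudo_header(src, dst, segment) + segment)) & 0xFFFF

def checksum_valid(src: bytes, dst: bytes, segment: bytes) -> bool:
    """Receiver-side check: the sum including the stored checksum folds to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, segment) + segment) == 0xFFFF

def with_checksum(segment: bytes, csum: int) -> bytes:
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def nat_breaks_ip_pseudo_header() -> bool:
    """Sender uses its private address; NAT rewrites only the IP header's source."""
    sent = with_checksum(SEGMENT, tcp_checksum(INSIDE_IP, SERVER_IP, SEGMENT))
    return not checksum_valid(OUTSIDE_IP, SERVER_IP, sent)

def nat_fixup_restores_validity() -> bool:
    """The NAT must also rewrite the TCP checksum for the new source address."""
    sent = with_checksum(SEGMENT, tcp_checksum(INSIDE_IP, SERVER_IP, SEGMENT))
    fixed = with_checksum(sent, tcp_checksum(OUTSIDE_IP, SERVER_IP, with_checksum(sent, 0)))
    return checksum_valid(OUTSIDE_IP, SERVER_IP, fixed)

def nat_preserves_id_pseudo_header() -> bool:
    """Identifier-bound checksum verifies regardless of what happened to the IP header."""
    sent = with_checksum(SEGMENT, tcp_checksum(SRC_ID, DST_ID, SEGMENT))
    return checksum_valid(SRC_ID, DST_ID, sent)
```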

