[e2e] 100% NAT - a DoS proof internet
Jon Crowcroft
Jon.Crowcroft at cl.cam.ac.uk
Tue Feb 14 01:32:23 PST 2006
In missive <1139849512.19715.6.camel at firenze.zurich.ibm.com>, Jeroen Massar typed:
>>Worms don't come in directly to the IPs that often, they spread mostly
>>using email, browsers, and other applications and some unknowing user
>>simply starting applications it should not be running. Host-based
>>firewalls do a wonderful job here already. Of course there are some viri
>>which scan semi-randomly but the effect is lower than an email containing
>>a juicy picture of some teen celebrity.
1/ I am not defending against vulnerabilities but against DoS and
scans.
>>If you want to protect against address scans then move to IPv6 :)
>>(though one infected box and they have the local subnet)
I use a Mac - it uses IPv6 by default if it's there -
problem is the ISPs don't :-(
Your move.
>>Also, the target of the DoS will just shift with your idea, from the
>>end-host to the NAT box that is 'protecting' it. Which in turn makes it
>>actually harder to work against these attacks. Just read up on some of
>>the timelines about attacks against IRC servers. First they targeted the
>>IRC servers themselves, after that they started DoS'ing the links,
>>which simply means they will kill off the routers in between the user and
>>the server..
Saying don't defend against X because everyone will move to attacking Y
is bogus.
>>There is no real magic bullet. Law and especially enforcement is one of
>>the few things that might help a bit, but that is not something we might
>>want to see from the e2e point of view.
Gosh, we have law already and it's working so well, isn't it :)
I didn't say this was a magic bullet - I said it was an idea for
defending against a specific problem. Yes, there are many problems and
the design space for solutions is multi-faceted.
Security people love to attack things - I disdain that - I like to
defend things :)
cheers
jon