[e2e] 100% NAT - a DoS proof internet
Joe Touch
touch at ISI.EDU
Mon Feb 20 22:36:26 PST 2006
Dan Wing wrote:
...
> I fail to understand the distinction between the problem you're
> describing and the same problem without any NATs whatsoever. For example
> if I get a publicly routable IP address from my ISP and I want you to
> send me some packets, I need to somehow tell you that IP address. I
> might do that with DNS or via some other protocol (or SIP or Jabber).
Without NATs, you need:
my IP address
the port I run the service on
I can run services that will accept incoming calls from anyone on that port.
With NATs, I need to know YOU are calling be somehow, so that I can do
something to trigger the NAT upstream from me ("my" NAT, though I
typically don't 'control' it except by sending packets that trigger
associations).
The only way to do that is via a server on the public Internet (short of
a telephone, which can cheat in any coordination system).
I.e., a NAT'd Internet is an incomplete architecture; it cannot usefully
exist without non-NAT'd servers.
> A fully NATted universe doesn't work, I agree. But it is possible for
> two NATted devices to exchange UDP (and TCP) packets without relaying
> those UDP (TCP) packets through some non-NATted device.
They don't need to relay, but they do need the non-NAT'd device to
register and exchange information. That's not the same as what a DNS
does; a DNS just converts a name to an address; there's no 'exchange' of
information between endpoints; the DNS isn't needed so that I know you
will be calling me and act accordingly.
...
>> Two NAT'd boxes alone cannot talk to each other.
>>
>> (and I assume NATs aren't under your own control because they
>> that's the typical case).
>
> At Starbucks or as a subscriber in S. Korea or China, I agree it's typical.
As a cable Internet subscriber in the US, too. Same for some DSL
subscribers as well. It's not just a road-warrior or controlled-Internet
problem.
Joe
More information about the end2end-interest
mailing list