[e2e] 100% NAT - a DoS proof internet
Saikat Guha
saikat at cs.cornell.edu
Wed Feb 22 13:04:50 PST 2006
On Wed, 2006-02-22 at 15:39 -0500, David P. Reed wrote:
> >The mechanistic requirements of the NAT'ed Internet conveniently
> >coincide with the present security requirements.
>
> Note that the NAT inventors NEVER claimed security as the goal

My apologies, I wasn't clear -- I don't mean to imply NATs have anything
to do with security. I mean that the *mechanisms* necessitated by NATs
are also useful from a security standpoint.

In particular, NATs require end-hosts to *negotiate* addresses. This
negotiation is end-to-end, and bi-directional. Security requires
end-hosts to negotiate identities, encryption, etc. in a similar
fashion.

If the Internet were to provide this end-to-end bi-directional
"negotiation" as a primitive, it could be used for both address
translation as well as for security.

NATs force the rendezvous to provide such a negotiation primitive.
Security can benefit from this primitive (not from the NATs per se).

cheers,
--
Saikat