[e2e] Forbes.com story highlights how NATs destroy end-to-end
David P. Reed
dpreed at reed.com
Wed Jul 11 08:21:10 PDT 2001
Thought that many on this list don't get Forbes, so I'd forward a link to a
Stephen Manes column in the latest issue about 3Com's NAT software and how
it changes data at whim and corrects the checksum to spoof the recipient.
Fortunately, the mission critical backup application that discovered the
problem was programmed according to the end-to-end principle: it didn't
depend on the TCP checksum for reliability.

While Manes calls it a "programming error", it appears more likely that it
was a design feature - the NAT software scanned the entire TCP segment for
addresses that matched the local address that must be translated. This
kind of solution has been used in some NAT software I've seen on machines
that try to be "automagical" thinking that the byte sequence 192.168.0.1 is
pretty unlikely to appear in most data packets, so it should be corrected
everywhere. 3Com probably bought the rights to a package like that one
(anyone on this list know the truth?)

This is a good argument for adversary-proof checksums (like one-way signed
message digests) I suggested in a recent exchange - clearly there are
devices that behave like adversaries out there in the real world today,
designed by real programmers to change bits in a way that is not
statistically independent of the data.

It is also becoming clear that patching the symptoms of a bad design choice
(NAT in this case) is going to be never-ending, and it's time to obviate
the need to perpetuate such kludges. I realize that this (beginning with
IPv6, end-to-end encryption, etc.) is a big job and the
Cisco/3Com/Microsoft axis don't seem to have the guts to do it. But it is

The Four-Byte Shuffle
Stephen Manes, Forbes Magazine, 07.23.01, 12:00 AM ET

Digital bits are supposed to be sacrosanct. An error in just one among
billions can create unknowable consequences, from innocuous to disastrous.
I know this firsthand. Four little bytes of data corruption--just enough to
spell a choice expletive--recently wasted many hours of my life.
WWW Page: http://www.reed.com/dpr.html
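The following Python is an added illustration of the failure mode Reed describes; it is not code from his message, from the Forbes column, or from 3Com. It models a middlebox that scans a TCP segment for the four raw bytes of the inside address, substitutes the public address, and recomputes the Internet checksum, so the receiving TCP layer accepts the altered segment, while a keyed message digest carried by the application (the "adversary-proof checksum" of the post) rejects it. The addresses, ports, shared key and backup-record payload are constructed for the example, and the TCP pseudo-header is left out of the checksum to keep the model short.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed addresses: the NAT's inside host and the public address it
# substitutes on the way out (203.0.113.0/24 is a documentation range).
INSIDE_ADDR = ipaddress.IPv4Address("192.168.0.1").packed
PUBLIC_ADDR = ipaddress.IPv4Address("203.0.113.7").packed

# Minimal TCP header: sport, dport, seq, ack, data offset, flags, window,
# checksum, urgent pointer. The checksum field starts at byte 16.
TCP_HDR = struct.Struct("!HHIIBBHHH")
CSUM_OFFSET = 16


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (what TCP uses for its segment)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(payload: bytes) -> bytes:
    """Build a segment with a valid checksum (pseudo-header omitted: simplification)."""
    header = TCP_HDR.pack(40000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    csum = internet_checksum(header + payload)
    return header[:CSUM_OFFSET] + struct.pack("!H", csum) + header[CSUM_OFFSET + 2:] + payload


def checksum_ok(segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to zero."""
    return internet_checksum(segment) == 0


def naive_nat(segment: bytes) -> bytes:
    """Model of the middlebox in the post: rewrite every occurrence of the inside
    address anywhere in the segment, then repair the checksum so the change is
    invisible to the receiver's TCP layer."""
    altered = segment.replace(INSIDE_ADDR, PUBLIC_ADDR)
    zeroed = altered[:CSUM_OFFSET] + b"\x00\x00" + altered[CSUM_OFFSET + 2:]
    csum = internet_checksum(zeroed)
    return zeroed[:CSUM_OFFSET] + struct.pack("!H", csum) + zeroed[CSUM_OFFSET + 2:]


def mac_tag(key: bytes, payload: bytes) -> bytes:
    """End-to-end integrity tag over the application payload (HMAC-SHA256)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def end_to_end_ok(key: bytes, segment: bytes, tag: bytes) -> bool:
    """The application checks its own tag and ignores what TCP thought."""
    payload = segment[TCP_HDR.size:]
    return hmac.compare_digest(mac_tag(key, payload), tag)


def run_demo(key: bytes = b"constructed-shared-key") -> dict:
    # Constructed backup-protocol record that happens to carry the inside
    # address as raw bytes (say, a host identifier inside the data stream).
    payload = b"BACKUP-CHUNK host=" + INSIDE_ADDR + b" seq=42 data=\x00\x01\x02\x03"
    tag = mac_tag(key, payload)
    sent = build_segment(payload)
    received = naive_nat(sent)
    return {
        "payload_changed": received[TCP_HDR.size:] != payload,
        "tcp_checksum_accepts": checksum_ok(received),
        "end_to_end_mac_accepts": end_to_end_ok(key, received, tag),
        "untouched_segment_ok": checksum_ok(sent) and end_to_end_ok(key, sent, tag),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The result is the situation in the post: the payload arrives altered, the TCP checksum says the segment is fine, and only the application-level digest notices. A plain CRC or unkeyed hash in the application would not help here, since a middlebox that already recomputes the TCP checksum could just as easily recompute that; the keyed digest works because the key is shared only by the two ends.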