[e2e] 100% NAT - a DoS proof internet

Fred Baker fred at cisco.com
Mon Feb 13 04:26:22 PST 2006 

Are you telling me that you think that devices that are behind NATs  
don't get DOS'd?

I would prefer that you used the term "stateful firewall" as compared  
to "NAT"; NATs aren't necessarily stateful, and stateful firewall  
technology doesn't require network address translation to make it  
work. If the mapping between an interior address and an exterior  
address is predictable, the device behind can be DOS'd; the thing  
that a stateful firewall does is make the attack a bit harder to  
perpetrate.

Let me give you a simplistic example. If I have a SIP Proxy in a NAT  
system, so that SIP is made to traverse the firewall in a  
straightforward manner, SIP can then be used as an attack vector to  
the device it proxies for. That is but one.

On Feb 13, 2006, at 6:49 AM, Jon Crowcroft wrote:

> So there's three things here
>
> 1/ a mad idea for a DoS proof internet - This goes like this:
>
> What if 100% of hosts were behing a NAT (a bit like mark handley and
> adam greenhalgh's idea on a dos proof internet in fdna a while back,
> but taken to extreme, or also like default off paper in hotnets)
>
> So how would you ever reach someone (like most NAT traversal stuff is
> tricky - viz skype - see also below:)
>
> Meanwhile, here is how: Distributed Hashed Time.
>
> So we all know about DHTs - they hash an object to a node id, then use
> some p2p route to get to the node id (e.g. MIT's chord finger table
> etc etc).
>
> So if we want to talk to a set of known people, we hash their
> identifier (name) to TIME. We then send to each other at that agreed
> time - no-one else can send to us or from us to them, and the hash key
> can be a shared secret....
>
> there you go...the details should be simple (apart from how you
> provide sufficiently accurate synchronized time without a globally
> reachable adddress betweewn the NTP servers, which, I admit, is
> probably a mite tricky - i guess you need to have them agree a set of
> rough times or something:)
>
> 2/ a pointer to something about a mad bad idea i had about control
> networks
> http://www.cl.cam.ac.uk/~jac22/press-release-backstory.htm
>
> 3/ a reminder of a workshop deadline - sorry:)
> (see website for more info on submissions)
>
> ------------------------------------------------------------------
> 	PAPER SUBMISSION DEADLINE HAS BEEN EXTENDED TO
> 			26 FEBRUARY 2006
> ------------------------------------------------------------------
>
> 			CALL FOR PAPERS
>
> 		Second International Workshop on
> 	Multi-hop Ad hoc Networks: from theory to reality
> 			  REALMAN 2006
> 		http://www.cl.cam.ac.uk/realman
>
>
> cheers
>
> jon

More information about the end2end-interest mailing list