[e2e] 100% NAT - a DoS proof internet

Saikat Guha saikat at cs.cornell.edu
Wed Feb 22 00:52:04 PST 2006

On Mon, 2006-02-20 at 22:36 -0800, Joe Touch wrote:
> Without NATs, you need:
> 	my IP address
> 	the port I run the service on

Indeed. As you suggest, let's assume there is a service that allows you
somehow to publish your IP address and port, which may be assigned
dynamically by DHCP.

                          +------ request ------+
                          V                     |
[You] -- publish --> [Service] -- response --> [Me]

> With NATs, I need to know YOU are calling me somehow, so that I can do
> something to trigger the NAT upstream from me

Also true. Simply change the service above to notify you when someone
wants to contact you.
                          +------ request ------+
                          V                     |
[You] -- publish --> [Service] -- response --> [Me]
  A                       |
  +----- notify  ---------+

> The only way to do that is via a server on the public Internet (short of
> a telephone, which can cheat in any coordination system).

The service doesn't have to be "on" the public Internet, but rather
accessible from the public Internet. In particular, the service can
run behind a NAT that the service provider controls. The service
provider configures the NAT to forward inbound queries to the correct
private address.

> I.e., a NAT'd Internet is an incomplete architecture; it cannot usefully
> exist without non-NAT'd servers.

Certainly, this service above would have to be part of the architecture
to complete it. Just as DNS is now a part of the IP architecture.

> That's not the same as what a DNS
> does; a DNS just converts a name to an address; there's no 'exchange' of
> information between endpoints; the DNS isn't needed so that I know you
> will be calling me and act accordingly.

Correct -- this is not what DNS does; this is what SIP does. In the
IP-world, I need to know where to find you, so I use DNS. In the
NAT-world, you need to know when someone wants to find you, so they use
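
The publish / request / notify exchange drawn above, as an added example
(not code from the thread or from either of its authors): a small Python
model of two hosts behind port-restricted NATs, a rendezvous service
behind a provider NAT with a static forward, and an uninvited third party
that never goes through the service. The addresses, the message kinds
("publish", "request", "notify", "response", "punch", "data") and the
simplified NAT rules are all constructed for the illustration.

```python
# Toy model of the publish / request / notify exchange. Added illustration,
# not code from the thread. All addresses are constructed (RFC 5737 ranges).
# Nat models a port-restricted cone NAT: an outbound packet creates a mapping
# and opens a hole for that one remote address; inbound from anyone else drops.

class Packet:
    def __init__(self, src, dst, kind, body=""):
        self.src, self.dst, self.kind, self.body = src, dst, kind, body

class Internet:
    """Routes each packet to the NAT that owns its destination public IP."""
    def __init__(self):
        self.nats, self.hosts = {}, {}

    def route(self, pkt):
        self.nats[pkt.dst.rsplit(":", 1)[0]].inbound(pkt)

class Nat:
    def __init__(self, net, public_ip):
        self.net, self.public_ip, self.next_port = net, public_ip, 40000
        self.mapping = {}     # private "ip:port" -> public port
        self.allowed = set()  # (public port, remote "ip:port" or "*")
        self.dropped = []
        net.nats[public_ip] = self

    def forward(self, public_port, private_addr):
        """Static forward: what the service provider configures for its server."""
        self.mapping[private_addr] = public_port
        self.allowed.add((public_port, "*"))

    def outbound(self, pkt):
        if pkt.src not in self.mapping:
            self.mapping[pkt.src] = self.next_port
            self.next_port += 1
        port = self.mapping[pkt.src]
        self.allowed.add((port, pkt.dst))  # the host "triggers" the NAT for this peer
        self.net.route(Packet(f"{self.public_ip}:{port}", pkt.dst, pkt.kind, pkt.body))

    def inbound(self, pkt):
        port = int(pkt.dst.rsplit(":", 1)[1])
        if (port, pkt.src) not in self.allowed and (port, "*") not in self.allowed:
            self.dropped.append(pkt)  # unsolicited: never reaches a private host
            return
        private = next(a for a, p in self.mapping.items() if p == port)
        self.net.hosts[private].receive(pkt)

class Host:
    def __init__(self, net, nat, addr, on_packet=None):
        self.nat, self.addr, self.inbox, self.on_packet = nat, addr, [], on_packet
        net.hosts[addr] = self

    def send(self, dst, kind, body=""):
        self.nat.outbound(Packet(self.addr, dst, kind, body))

    def receive(self, pkt):
        self.inbox.append(pkt)
        if self.on_packet:
            self.on_packet(self, pkt)

class Rendezvous(Host):
    """The service: records publishers' public addresses, notifies them of callers."""
    def __init__(self, net, nat, addr):
        super().__init__(net, nat, addr)
        self.registry = {}  # name -> public "ip:port" as the service saw it

    def receive(self, pkt):
        self.inbox.append(pkt)
        if pkt.kind == "publish":
            self.registry[pkt.body] = pkt.src
        elif pkt.kind == "request":
            callee = self.registry.get(pkt.body, "")
            if callee:  # notify first, so the callee's hole is open before the caller sends
                self.send(callee, "notify", pkt.src)
            self.send(pkt.src, "response", callee)

def callee_logic(host, pkt):
    if pkt.kind == "notify":
        host.send(pkt.body, "punch")  # open my NAT for the caller named in the notify
    elif pkt.kind == "data":
        host.send(pkt.src, "data", "hello back")

def caller_logic(host, pkt):
    if pkt.kind == "response" and pkt.body:
        host.send(pkt.body, "data", "hello")

def demo():
    net = Internet()
    nat_s = Nat(net, "192.0.2.10")  # provider NAT in front of the service
    service = Rendezvous(net, nat_s, "172.16.0.5:4000")
    nat_s.forward(4000, service.addr)
    you = Host(net, Nat(net, "203.0.113.1"), "10.0.0.2:5060", callee_logic)
    me = Host(net, Nat(net, "198.51.100.9"), "192.168.1.7:6000", caller_logic)
    you.send("192.0.2.10:4000", "publish", "you")  # [You] -- publish --> [Service]
    me.send("192.0.2.10:4000", "request", "you")   # [Me]  -- request --> [Service]
    # A party that never went through the service tries to hit "you" directly.
    net.route(Packet("198.51.100.200:1", service.registry["you"], "data", "flood"))
    return {
        "registry": dict(service.registry),
        "you_got": [p.kind for p in you.inbox],
        "me_got": [(p.kind, p.body) for p in me.inbox],
        "dropped_at_you": [p.src for p in you.nat.dropped],
        "dropped_at_me": [p.kind for p in me.nat.dropped],
    }
```

Running `demo()` shows "you" receiving only the notify and the caller's
data, "me" receiving the response and the reply, the flood packet dropped
at "you"'s NAT, and the callee's punch dropped at the caller's NAT (the
caller had not yet sent anything toward the callee, so only the callee-side
hole mattered; the caller's own first packet carries the traffic). The
order inside the service matters in this model: it notifies the callee
before answering the caller, otherwise the caller's data would arrive
before the punch and be dropped; a real deployment would retry rather than
rely on ordering. The service, reachable only through the provider's
static forward, is then the one place an uninvited party can send to, and
so the natural place to put authorization and rate limiting.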
