[e2e] 100% NAT - a DoS proof internet

Joe Touch touch at ISI.EDU
Wed Feb 22 09:13:50 PST 2006

Saikat Guha wrote:
> On Wed, 2006-02-22 at 07:39 -0800, Joe Touch wrote:
>> Saikat Guha wrote:
>>> there is a service that allows you
>>> somehow publish your IP address and port
>> Let's say that place is behind a NAT. Then *it* needs to similarly
>> publish its address and port.
> or, this address and port may be hard-coded into clients as is the case
> with the DNS root servers. Alternatively, if DNS is around, the address
> and port can be published there. In any event, yes, this service needs
> to be publicly accessible.
>> The DNS is part of the IP architecture. The service above must be
>> OUTSIDE the NAT architecture.
> Just as DNS is useless unless clients know the _IP_ of the root, a
> NAT'ed Internet is useless unless the clients can publicly reach the
> rendezvous. You cannot reach the DNS root using DNS, and you cannot
> reach the rendezvous that requires a rendezvous.
> I don't understand your distinction for considering one inside, and the
> other outside the respective architectures.

Fair enough.  The DNS is optional in the Internet.

In the Internet, if I am behind a NAT and want to reach you, I need to
know your public IP address and the port that you will listen on.

You do NOT need to know _I_ will contact you, you do not need to know my
IP address, and you do not need to know my source port; you can accept
'any incoming'.

NATs don't work that way - my knowing your contact info isn't enough;
you need to know I'm coming. Destination address and port are
insufficient to demultiplex incoming calls; you NEED source address and
port, and you NEED a DNS-like structure to accomplish that.

I'll grant that the DNS sits outside the Internet network architecture
the same way that NAT-host registries do. But NAT'd systems are a
network structure that won't forward packets unless such a service
exists; the Internet doesn't require that.


More information about the end2end-interest mailing list