[e2e] 100% NAT - a DoS proof internet

Saikat Guha saikat at cs.cornell.edu
Wed Feb 22 11:18:23 PST 2006

On Wed, 2006-02-22 at 09:13 -0800, Joe Touch wrote:
> Fair enough.  The DNS is optional in the Internet.
> In the Internet, if I am behind a NAT and want to reach you, I need to
> know your public IP address and the port that you will listen on.
> You do NOT need to know _I_ will contact you, you do not need to know my
> IP address, and you do not need to know my source port; you can accept
> 'any incoming'.

You implicitly make the assumption that I am willing to accept your (and
indiscriminately everyone else's) packets. Anyone behind a firewall,
either by choice or not, would likely agree that this classic assumption
is no longer substantiated in general.

If the packet is from a known worm-infected address, I don't want it. My
ISP doesn't want me to receive it lest I wreak havoc on their network.
Most likely, your ISP won't want you to send it in the first place.

> NATs don't work that way - my knowing your contact info isn't enough;
> you need to know I'm coming. Destination address and port are
> insufficient to demultiplex incoming calls; you NEED source address and
> port, and you NEED a DNS-like structure to accomplish that.

The "NEED" for source address and port based demultiplex is due more to
security concerns than NATs. Before I let you in, I want to know who you
are, what you are trying to send me and why, and I might as well
negotiate how and at what address we can exchange packets.

The mechanistic requirements of the NAT'ed Internet conveniently
coincide with the present security requirements. One may very well
leverage the other imho.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.postel.org/pipermail/end2end-interest/attachments/20060222/953941a4/attachment.bin

More information about the end2end-interest mailing list