[e2e] 100% NAT - a DoS proof internet
dwing at cisco.com
Wed Feb 22 11:45:40 PST 2006
> That's what firewalls are for. NATs don't block infected sources; they
> block only sources you didn't expect packets from.
Some NATs have that characteristic, yes. Some don't.
draft-jennings-midcom-stun-results-02.txt (now expired)
contains test results of about 20 NATs. Several of those
are "full cone", which means they do not restrict incoming
UDP packets to certain hosts.
> You do that inside the packet exchange - e.g., using SSL or IPsec E2E.
> Just blocking on the source IP address and port that you didn't expect
> isn't security - it's service blocking.
Agreed. And blocking it at the subscriber side of a bandwidth-
constrained access link is arguably the wrong place to have such
> > The mechanistic requirements of the NAT'ed Internet conveniently
> > coincide with the present security requirements. One may very well
> > leverage the other imho.
> NATs coincide with the model that consumers are clients and commercial
> entities are servers. When that's not the case (VoIP, software
> maintenance via web service portals, etc.), NATs do not coincide.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
More information about the end2end-interest