[e2e] 100% NAT - a DoS proof internet

Dan Wing dwing at cisco.com
Wed Feb 22 11:45:40 PST 2006


> That's what firewalls are for. NATs don't block infected sources; they
> block only sources you didn't expect packets from.

Some NATs have that characteristic, yes.  Some don't.  

draft-jennings-midcom-stun-results-02.txt (now expired) 
contains test results of about 20 NATs.  Several of those
are "full cone", which means they do not restrict incoming
UDP packets to certain hosts.

...
> You do that inside the packet exchange - e.g., using SSL or IPsec E2E.
> Just blocking on the source IP address and port that you didn't expect
> isn't security - it's service blocking.

Agreed.  And blocking it at the subscriber side of a bandwidth-
constrained access link is arguably the wrong place to have such
blocking, anyway.

-d

> > The mechanistic requirements of the NAT'ed Internet conveniently
> > coincide with the present security requirements. One may very well
> > leverage the other imho.
> 
> NATs coincide with the model that consumers are clients and commercial
> entities are servers. When that's not the case (VoIP, software
> maintenance via web service portals, etc.), NATs do not coincide.
> 
> Joe
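To make the "full cone" point concrete, here is an added simulation (not code from the message above or from the Jennings draft) of the four NAT behaviours of the STUN-era classification in RFC 3489: full cone, address-restricted cone, port-restricted cone and symmetric. The class, function and variable names and all addresses are constructed for this example. It sends one outbound UDP packet through each kind of NAT and then checks which unsolicited sources can reach the mapped port, which is exactly the property the thread is arguing about.

```python
"""Simulation of RFC 3489 NAT filtering/mapping behaviours.
Added illustration for the end2end-interest thread; not code from the
original message.  All addresses and ports are constructed sample data
(RFC 5737 documentation ranges)."""

from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.1"          # constructed public side of the NAT

MODES = ("full_cone", "restricted", "port_restricted", "symmetric")


@dataclass
class Mapping:
    ext_port: int
    # (ip, port) pairs the internal host has sent to via this mapping
    peers: set = field(default_factory=set)


class Nat:
    """Minimal UDP NAT model; `mode` is one of MODES."""

    def __init__(self, mode):
        assert mode in MODES, mode
        self.mode = mode
        self._ports = count(40000)   # external port allocator
        self.outbound = {}           # mapping key -> Mapping
        self.inbound = {}            # ext_port -> (int_ip, int_port, Mapping)

    def _key(self, int_ip, int_port, dst_ip, dst_port):
        # A symmetric NAT allocates a fresh external port per destination;
        # the three cone types reuse one mapping per internal endpoint.
        if self.mode == "symmetric":
            return (int_ip, int_port, dst_ip, dst_port)
        return (int_ip, int_port)

    def send(self, int_ip, int_port, dst_ip, dst_port):
        """Internal host emits a packet; returns the external (ip, port) used."""
        key = self._key(int_ip, int_port, dst_ip, dst_port)
        m = self.outbound.get(key)
        if m is None:
            m = Mapping(next(self._ports))
            self.outbound[key] = m
            self.inbound[m.ext_port] = (int_ip, int_port, m)
        m.peers.add((dst_ip, dst_port))
        return PUBLIC_IP, m.ext_port

    def receive(self, src_ip, src_port, ext_port):
        """Packet from the outside arrives at PUBLIC_IP:ext_port.
        Returns the internal (ip, port) it is forwarded to, or None if dropped."""
        entry = self.inbound.get(ext_port)
        if entry is None:
            return None                       # no mapping: every NAT drops it
        int_ip, int_port, m = entry
        if self.mode == "full_cone":
            return (int_ip, int_port)         # any source may use the mapping
        if self.mode == "restricted":
            ok = any(ip == src_ip for ip, _ in m.peers)   # address only
        else:                                 # port_restricted and symmetric
            ok = (src_ip, src_port) in m.peers            # full tuple
        return (int_ip, int_port) if ok else None


def unsolicited_reaches_host(mode):
    """Host talks to one server; can a never-contacted source reach it?"""
    nat = Nat(mode)
    _, ext_port = nat.send("10.0.0.5", 5060, "198.51.100.10", 5060)
    return nat.receive("192.0.2.66", 9999, ext_port) is not None


def same_address_other_port_reaches_host(mode):
    """Same server address, but a port the host never sent to."""
    nat = Nat(mode)
    _, ext_port = nat.send("10.0.0.5", 5060, "198.51.100.10", 5060)
    return nat.receive("198.51.100.10", 31337, ext_port) is not None


def external_ports_for_two_destinations(mode):
    """Mapping behaviour: does a second destination get a new external port?"""
    nat = Nat(mode)
    _, p1 = nat.send("10.0.0.5", 5060, "198.51.100.10", 5060)
    _, p2 = nat.send("10.0.0.5", 5060, "198.51.100.20", 5060)
    return p1, p2


if __name__ == "__main__":
    print(f"{'mode':16}{'unsolicited src':18}{'same ip, new port':20}{'ext ports'}")
    for mode in MODES:
        print(f"{mode:16}{str(unsolicited_reaches_host(mode)):18}"
              f"{str(same_address_other_port_reaches_host(mode)):20}"
              f"{external_ports_for_two_destinations(mode)}")
```

Only the full cone row forwards the packet from the never-contacted source, which is the behaviour the message describes for several of the tested NATs; the restricted variants drop it, and that is the "block only sources you didn't expect" property the quoted reply attributes to NATs in general. The address-restricted NAT still lets a known server reach the host from a different port, so which sources count as "expected" depends on the NAT type, not on anything an end host configured.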

