Re: NAT etc. (was: Spam Control Considered Harmful)

[bmanning () ISI EDU]

> Havard said:
>
> > ...which brings me to think if it isn't so that Secure DNS (at
> > least as currently specified) and widespread deployment of NAT
> > boxes which fiddle with the contents of DNS reply/request packets
> > isn't exactly a properly working combination.  As I understand it
> > you can have NAT or Secure DNS with e.g. signed A records but you
> > can't (easily?) have both.
>
> This is a misdirected concern.  DNS clients inside a NAT cloud are
> already proscribed from seeing DNS data from other NAT clouds or from
> the Internet itself.  The NAT technology has to strip off DNSSEC stuff
> when it imports data but it tends to strip off DNS delegation and
> authority data as well, and tends to alter the address and mail exchange
> records.  NAT borders are already DNS endpoints, with or without DNSSEC.
> Whether and how to regenerate external DNS inside a NAT cloud is a matter
> of NAT implementation, but the fact that it's _regenerated_, not forwarded
> or recursed, is a design constant.

        (While I have replied to Paul, this raving is for everyones
        general amusment.   - bill)


        I think this is correct.  However, this line of thinking 
        when seen in the light of end2end IPSEC seems to indicate that
        NAT/Firewall technologies mandate a regenerated security
        "envelope" at the NAT/Firwall edge.  This tends to be what 
        corporations/governments want, while others tend toward 
        the endpoints being indivdually oriented.  I, for one, (and
        I expect I'm in the minority here) don't want to hand my keys 
        over to BBSS, Sprint, GTE, WCOM, the FBI, the Governement of
        France... so they can decrypt the packets that I am sending
        to you.

        So, while I agree that NAT/Firewall techniques are an approch
        to dealing with heirarchy/scaling issues, I think that MJR
        was right. NAT/Firewalls are bandaids to be used until we have
        reasonable endsystem/endsystem IP security.

        If you really buy off on the catanet arguement, then there is
        no need to reuse IP. FIDOnet, TCP on PPPover(mediaofchoice),
        DECnet adnausa are available and you win with application transparency.

        Jumping through all those hoops to make NATs work "seamlessly"
        is a glittering bauble.  Lots of interesting knots to go untangle
        as folks rework and undo one of the basic assumptions behind IP
        which is a single, common addressing space.  And its really an
        admission of failure.  

        Too many people saying, "Its too hard to make true end2end work,
        (even across the existant IP (thats IPv4 for you Sean) space) so
        we must carve it up into tiny bits that each party can claim as
        their very own."

        Buying into NATs dooms people to live in thier private hells.
        
        Embrace Brigadoon. 

--bill