nanog mailing list archives

Re: NAT etc. (was: Spam Control Considered Harmful)


From: Tim Salo <salo () networkcs com>
Date: Sat, 1 Nov 1997 19:44:55 -0600 (CST)

Date: Sat, 1 Nov 1997 17:37:57 -0500
From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
To: "You're welcome" <nanog () merit edu>
Subject: Re: NAT etc. (was: Spam Control Considered Harmful)
      [...]
Well, yes, Paul, but unless I misunderstood you, that's exactly the
point.  If a client inside a NAT cloud does a DNS lookup to a
supposedly authoritative server outside, and the NAT box is _required_
to strip off the signature (which it would, because it has to change
the data), then it's not possible, by definition, for any client
inside such a NAT box to make any use of SecDNS.

The point is that you _can't_ regenerate the signature, usefully to the
client, anyway, precisely because _it is a signature_.

Presumably, the NAT could,

o       Verify the signature of the DNS responses it receives, and
        dump any responses that don't meet its [authentication]
        criteria, or

o       Sign the response it creates and let the client verify
        the NAT's signature.  Presumably, the client will trust
        the NAT.

-tjs
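
An added illustration of the two options above, not code from the thread: Go with ed25519 standing in for the SecDNS signature scheme. The NAT must change the address in the answer, which breaks the zone's signature, so it either validates and strips (first option) or validates and re-signs with its own key (second option). Names, addresses and keys are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// SignedAnswer is a stripped-down signed DNS answer: owner name, A-record
// address, and a signature over both by whoever vouches for the answer
// (the zone's key upstream, the NAT's key downstream).
type SignedAnswer struct {
	Name, Addr string
	Sig        []byte
}

func payload(name, addr string) []byte { return []byte(name + "\x00" + addr) }

func Sign(priv ed25519.PrivateKey, name, addr string) SignedAnswer {
	return SignedAnswer{name, addr, ed25519.Sign(priv, payload(name, addr))}
}

func Verify(pub ed25519.PublicKey, a SignedAnswer) bool {
	return ed25519.Verify(pub, payload(a.Name, a.Addr), a.Sig)
}

// NATRewrite models the NAT box's DNS handling. It first verifies the
// upstream signature itself and drops anything that fails (option one).
// It then rewrites the address, which invalidates the zone's signature,
// and either strips the signature (natPriv == nil) or re-signs the
// rewritten answer with the NAT's own key for a client that trusts the
// NAT (option two).
func NATRewrite(zonePub ed25519.PublicKey, natPriv ed25519.PrivateKey,
	a SignedAnswer, newAddr string) (SignedAnswer, error) {
	if !Verify(zonePub, a) {
		return SignedAnswer{}, errors.New("upstream signature invalid: dropped")
	}
	if natPriv == nil {
		return SignedAnswer{Name: a.Name, Addr: newAddr}, nil // signature stripped
	}
	return Sign(natPriv, a.Name, newAddr), nil
}

func main() {
	zonePub, zonePriv, _ := ed25519.GenerateKey(nil) // nil uses crypto/rand
	natPub, natPriv, _ := ed25519.GenerateKey(nil)
	ans := Sign(zonePriv, "host.example.", "203.0.113.10") // constructed sample
	resigned, err := NATRewrite(zonePub, natPriv, ans, "10.0.0.10")
	fmt.Println(err, Verify(zonePub, resigned), Verify(natPub, resigned)) // <nil> false true
}
```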

