NAT etc. (was: Spam Control Considered Harmful)

Paul A Vixie paul at
Sat Nov 1 23:42:32 UTC 1997

[ I removed Bill from the CC list so that he will only get one copy of this;
  it would have been very nice to have seen Bill remove me from the CC list
  of his earlier reply, so that I would only have seen one copy of THAT. ]

> I think this is correct.  However, this line of thinking 
> when seen in the light of end2end IPSEC seems to indicate that
> NAT/Firewall technologies mandate a regenerated security
> "envelope" at the NAT/Firwall edge.  This tends to be what 
> corporations/governments want, while others tend toward 
> the endpoints being indivdually oriented.  I, for one, (and
> I expect I'm in the minority here) don't want to hand my keys 
> over to BBSS, Sprint, GTE, WCOM, the FBI, the Governement of
> France... so they can decrypt the packets that I am sending
> to you.

I don't expect that France will ever move into private address space.  I do
expect WCOM and GTE and the FBI to each do so for their internal networks,
and then I expect the NAT boxes between their private networks and the public
network to unwrap all the security goo (checking it using keys which are all
public inside the addressing domain they came out of) and regenerate it for
the far side (again using keys which are meaningful and available in the 
addressing domain they are being sent into.)

This means personal certificates can work, i.e., PGP and to some extent SSH.
It means DNSSEC can work.  I don't know what it means for IPsec but if IPsec
can't be used this way then it will fail in the marketplace.  As I kept 
telling the IETF when I used to attend their meetings, the market does what
it feels like doing and the way to appear to lead it is to predict motion
and then run out in front of the crowd in that direction.  This goes back to
the same old descriptive/prescriptive thing Padlipsky was talking about.

> So, while I agree that NAT/Firewall techniques are an approch
> to dealing with heirarchy/scaling issues, I think that MJR
> was right. NAT/Firewalls are bandaids to be used until we have
> reasonable endsystem/endsystem IP security.

The key to understanding private addressing is that each addressing domain
(which is any private one, or the public one), is an addressing universe unto
itself.  It has to have its own root name servers.  It has to have its own
DNS keys.  User level certificates a la PGP and sort-of SSH can be shared
between multiple addressing domains, but network level certificates like DNS
cannot.  This can be a bug or a feature depending on your point of view.

More in a moment, Jay A. has asked a marvelous bracketing question about this.

More information about the NANOG mailing list