NAT etc. (was: Spam Control Considered Harmful)

Jay R. Ashworth jra at
Mon Nov 3 17:06:07 UTC 1997

On Sun, Nov 02, 1997 at 11:12:50PM -0500, Alan Hannan wrote:
> > Does anyone wish to correct me?  I'm a pretty decent thinker, but it's
> > possible I may misunderstand some specifics, I'm _not_ a DNSSEC or NAT
> > mechanic.
>   I am not intimate with the internals of DNSSEC to comment on the
>   interoperability with NATs at this time.
>   As such, I wouldn't question your assertion.  I do, however,
>   question this premise as being directly relevant to the
>   advancement of NAT use in the internet infrastructure.

Well, let's look at that.

>   It is likely that the scaling properties of the internet
>   will demand a change in the lower level protocols.
>   When this happens, the higher layer protocols (like DNSSEC) will
>   have to be reworked.
>   So DNSSEC gets broken.  Fix DNSSEC after we fix the
>   infrastructure.
>   With NAT you can subdivide the network to many orders of growth.
>   The sum work saved by doing this vastly outweighs the work
>   required to adapt DNSSEC.  

Well, I don't know as where that's necessarily true, and as I noted in
a private reply to someone else on this, there's a trend to make
fundamental architectural changes in the net with, I think, too little
attention to how many assumptions will get broken, there.

An analogy is in order here.

A few years back, someone had the bright idea that tires, which are
incredibly difficult to recycle effectively, might be well used as
filler in manufacturing asphalt to pave roads.  

Apparently, however, insufficient testing was performed... as the roads
started _catching on fire_.

Changes as fundamental as breaking the assumptions currently safe about
end-to-end connectivity and routability in something as pervasive and
mission critical as the Internet Backbone (ie: the collective capacity
of the 26 or so current commercial and government backbones) merit
_extensive_ real-world testing.

>   For example, the root name system could interoperate with the NAT
>   machines in a controlled manner.  No, it's not a trivial task.
>   However, isn't it easier than renumbering the entire address space
>   and putting more space into the problem?

Not necessarily.  What would be required here would be for a given
nameserver to query a NAT server for the appropriate translation, put
_that_ address is it's response, and sign the result, avoiding the
necessity of the layer 3 NAT box to poke into the layer 4 DNS response.

And, of course, then the DNS server is professing to be authoritative
for the NAT server... and trust isn't necessarily commutative.

I agree with Paul; we've dragged this out about as far as it will go;
let's adjourn further discussions to the NOD list, shall we?

-- jra
Jay R. Ashworth                                                jra at
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "Pedantry.  It's not just a job, it's an
Tampa Bay, Florida          adventure."  -- someone on AFU      +1 813 790 7592

More information about the NANOG mailing list