North American Network Operators Group

Re: NAT etc. (was: Spam Control Considered Harmful)

  • From: Sean M. Doran
  • Date: Mon Nov 03 13:56:12 1997

"Jay R. Ashworth" <[email protected]> writes:

> This is a question of _trust_, and if I don't wish to
> allow the operator of a NAT box to proxy my trust in a
> nameserver operator, there really isn't any good way
> around that.

You could change your connectivity such that there is no
NAT between you and the set of nameservers from which you
feel you must have untouched responses.

In a "NAT Everywhere" world with a sufficiently large set
of such nameservers this may be completely impractical.

Given that not trusting the DNS is the default mode of
operation for the current Internet, the question is
whether the advantages of NAT justify a constraint on
DNSSEC or whether the advantages of DNSSEC justify a
constraint on NAT.

The problem seems simpler with a "NAT in some places"
model, especially where "some places" is mostly at
the borders of big corporations, however strings of NATs
do and will happen, and there will be these trust issues
to deal with in some places anyway.

I would prefer to avoid constraining the problem just
because it makes the NIMBY folks more quiescent, to be
honest, since it rankles as much the concept of "only some
people have to renumber to conserve address space and
preserve the scalable properties of hierarchical routing.
we won't, we're privileged (or too big or too understaffed)".

Like renumbering, NAT is out there, and making it seamless
and easy strikes me as a good and useful goal, even if it
complicates other good and useful goals.

One of the ways to make it and renumbering seamless is to
understand that IP addresses are subject to change over
time and topological distance.

	Sean.