Re: NATs *ARE* evil!
Mike Fisk <mfisk@lanl.gov> Mon, 18 December 2000 23:00 UTC
Received: by ietf.org (8.9.1a/8.9.1a) id SAA17277 for ietf-outbound.10@ietf.org; Mon, 18 Dec 2000 18:00:02 -0500 (EST)
Received: from pescado.lanl.gov (cx133708-a.ocnsd1.sdca.home.com [24.20.238.239]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA17002 for <ietf@ietf.org>; Mon, 18 Dec 2000 17:45:10 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by pescado.lanl.gov (Postfix) with ESMTP id ED18221681; Mon, 18 Dec 2000 14:45:08 -0800 (PST)
Date: Mon, 18 Dec 2000 14:45:08 -0800
From: Mike Fisk <mfisk@lanl.gov>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: "Perry E. Metzger" <perry@piermont.com>, Keith Moore <moore@cs.utk.edu>, Jon Crowcroft <J.Crowcroft@CS.UCL.AC.UK>, smd@EBONE.NET, iab@iab.org, ietf@ietf.org
Subject: Re: NATs *ARE* evil!
In-Reply-To: <200012181807.NAA02116@tsx-prime.MIT.EDU>
Message-ID: <Pine.LNX.4.21.0012181425190.5487-100000@pescado.lanl.gov>
X-Homepage: http://home.lanl.gov/mfisk/
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Loop: ietf@ietf.org
On Mon, 18 Dec 2000, Theodore Y. Ts'o wrote: > My concern is that it may turn out that some transport/routing people > may conclude that we may also need to do NAT to solve the routing > problem. In which case, we're back to where we started. > > I'd feel a lot better if we could get key routing/transport people to > sign some contract in blood stating that the IPV6 address is guaranteed > to be invariant, and that any attempt to design boxes which muck with > the IPV6 address in transit is architecturally out of bounds. That may > seem to you to be obviously true, but I 10 years ago we assumed the same > would be true for IPV4 addresses. Gateways that surreptitiously modify packets can break ANY end-to-end protocol no matter what layer it's at. Assume that we sacrifice IP addresses as not necessarily end-to-end. Fine, there are gateways that need to modify your TCP ports too. Okay, sacrifice make it so ports aren't covered by e2e assumptions like IPsec. Fine, there are gateways that do ACK spoofing. Okay, sacrifice all header data and assume that only payload is e2e. Whoops, even the payload has to be modified by some gateways. The hypothesis that you can have these gateways and have any part of the packet be guaranteed to be e2e is false. But I don't think these gateways are evil and should (or could) be forbidden. My hypothesis is that end applications have to know that these gateways exist. They shouldn't be surreptitiously transparent; they should be discoverable and applications should be aware of how high in the protocol stack that gateway reaches. Take the hardest problem, a gateway that reaches all the way up to the application layer to do content inspection. The application has to make a trust decision about whether or not it is willing to negotiate a key with that gateway that will let it decrypt the data. Otherwise, the gateway may refuse to pass the traffic. So the application consents, a protocol library provides the gateway with a decryption key, and the application annotates the little padlock in the corner of the user's screen appropriately. If so desired, the application can implement a policy that the decrypted form of the user's credit card number won't be provided to any proxy or endpoint that doesn't have a certificate signed by Visa's credit card practices review authority. Take an intermediate problem. Assume that only address and port translation are required by the gateway. The application can therefore assume e2e payload authenticity and privacy, but cannot assume e2e privacy of its ports. So that means that the coverage and keying of IPsec and TLS needs to be negotiable based on the policies of intervening gateways (middleboxes). And that, of course, if predicated on the ability to locate middleboxes. Given our inability to rule out the need for gateways that change IP addresses (or other routing headers), this leads to the conclusion that applications shouldn't use any header field (IP address, port, etc.) for authentication. > If it turns out that we need some kind of routing identifier in the IPV6 > address, whether it's the dreaded 8+8 scheme, or adding another 16 byte > value in the header which router are free to muck with to our heart's > content, at some level, whatever, I don't care. I'm security guy, not a > routing guy, so I don't know what will work the best, and at some level, > I don't care --- just so long as it works, and that we have something > which *everyone* agrees will be an invariant end-point identifier, now > and forever, world without end, Amen. > > Otherwise, 5-7 years from now, we'll be using IPV6, and there will be a > need for some kind of routiing-gw/NAT boxes, and people will *still* be > complaning that it's all IPSEC's fault that IPSEC doesn't work through > NAT boxes, and the anti-NAT people will be complaining that the NAT > folks have changed the rules again. And all that work which the IPV6 > rollout folks have put into that project will in the end be for naught. As far as naming (who) versus routing (where) is concerned, endpoint naming seems as problematic as user naming is for X.509, etc. Why not apply the theory that a participant can be uniquely identified (but not necessarily located) by its key(s) and that no fixed mapping to or from a globally unique name (IP address) is necessary? Let's say a user sees a billboard and wants to communicate with what the billboard calls "www.cheapwidgets.com". Given a uniformly accepted DNS root or .com TLD, I would argue that DNSSEC can provide the verifiable chain to the key known as (.com's cheapwidgets's www). It will also provide a mapping to the current routing address (which could be a point of aggregation that knows a better local address). More sophisticated directory services (or SIP servers) can provide the same secure mapping to a key and/or DNS name. -- Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab See http://home.lanl.gov/mfisk/ for contact information
- Re: NATs *ARE* evil! Claus Färber
- NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Jon Crowcroft
- Re: NATs *ARE* evil! Michael W. Condry
- Re: NATs *ARE* evil! Dennis Glatting
- Re: NATs *ARE* evil! Valdis.Kletnieks
- Re: NATs *ARE* evil! Scott Brim
- Re: NATs *ARE* evil! Jon Crowcroft
- Re: NATs *ARE* evil! Tony Dal Santo
- RE: NATs *ARE* evil! Iliff, Tina
- Re: NATs *ARE* evil! itojun
- Re: NATs *ARE* evil! Dennis Glatting
- Re: NATs *ARE* evil! Geoff Huston
- Re: NATs *ARE* evil! James Aldridge
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Frank Solensky
- Re: NATs *ARE* evil! Brian E Carpenter
- Re: NATs *ARE* evil! Frank Solensky
- Re: NATs *ARE* evil! David W. Morris
- Re: NATs *ARE* evil! Masataka Ohta
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Kurt Erik Lindqvist
- Re: NATs *ARE* evil! M Dev
- Re: NATs *ARE* evil! Keith Moore
- RE: NATs *ARE* evil! Dave Robinson
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Brian E Carpenter
- Re: NATs *ARE* evil! Scott Brim
- RE: NATs *ARE* evil! Dave Robinson
- Re: NATs *ARE* evil! Valdis.Kletnieks
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Keith Moore
- RE: NATs *ARE* evil! Iliff, Tina
- Re: NATs *ARE* evil! chris d koeberle
- Re: NATs *ARE* evil! Valdis.Kletnieks
- Re: NATs *ARE* evil! Brian E Carpenter
- RE: NATs *ARE* evil! Iliff, Tina
- RE: NATs *ARE* evil! David Higginbotham
- Re: NATs *ARE* evil! Matt Holdrege
- Re: NATs *ARE* evil! Melinda Shore
- RE: NATs *ARE* evil! Chris Millikin
- Re: NATs *ARE* evil! Michael Richardson
- RE: NATs *ARE* evil! Sean Doran
- RE: NATs *ARE* evil! Chris Millikin
- RE: NATs *ARE* evil! David Higginbotham
- Re: NATs *ARE* evil! J. Noel Chiappa
- RE: NATs *ARE* evil! Chris Millikin
- Re: NATs *ARE* evil! Stephen Sprunk
- Re: NATs *ARE* evil! Kevin Farley
- Re: NATs *ARE* evil! Scott Bradner
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! Paul Ferguson
- Re: NATs *ARE* evil! Michael Richardson
- RE: NATs *ARE* evil! Pan Jung
- Re: NATs *ARE* evil! mcr
- Re: NATs *ARE* evil! Michael Richardson
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Perry E. Metzger
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Geoff Huston
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Perry E. Metzger
- Re: NATs *ARE* evil! Perry E. Metzger
- Re: NATs *ARE* evil! Bradley Dunn
- Re: NATs *ARE* evil! Jon Crowcroft
- Re: NATs *ARE* evil! Jon Crowcroft
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Perry E. Metzger
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! RJ Atkinson
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! Bradley Dunn
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Angelos D. Keromytis
- Re: NATs *ARE* evil! Perry E. Metzger
- Re: NATs *ARE* evil! Steven M. Bellovin
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Daniel Senie
- Re: NATs *ARE* evil! Perry E. Metzger
- Re: NATs *ARE* evil! Jon Crowcroft
- Re: NATs *ARE* evil! Kevin Farley
- Re: NATs *ARE* evil! Tony Dal Santo
- Re: NATs *ARE* evil! Jeffrey Altman
- Re: NATs *ARE* evil! Theodore Y. Ts'o
- Re: NATs *ARE* evil! Theodore Y. Ts'o
- Re: NATs *ARE* evil! Geoff Huston
- Re: NATs *ARE* evil! Geoff Huston
- Re: NATs *ARE* evil! Matt Crawford
- Re: NATs *ARE* evil! John Collis
- Re: NATs *ARE* evil! Mike Fisk
- Re: NATs *ARE* evil! Randy Bush
- RE: NATs *ARE* evil! RJ Atkinson
- Re: NATs *ARE* evil! RJ Atkinson
- Re: NATs *ARE* evil! Donald E. Eastlake 3rd
- Re: NATs *ARE* evil! Valdis.Kletnieks
- Re: NATs *ARE* evil! Donald E. Eastlake 3rd
- Re: NATs *ARE* evil! J. Noel Chiappa
- Re: NATs *ARE* evil! Theodore Y. Ts'o
- Re: NATs *ARE* evil! Theodore Y. Ts'o
- Re: NATs *ARE* evil! Steven M. Bellovin
- Re: NATs *ARE* evil! Ken Raeburn
- Re: NATs *ARE* evil! Matt Crawford
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! Francis Dupont
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! Theodore Y. Ts'o
- Re: NATs *ARE* evil! Claus Färber
- Re: NATs *ARE* evil! Mike Fisk
- Re: NATs *ARE* evil! Steven M. Bellovin
- Re: NATs *ARE* evil! Jon Knight
- Re: NATs *ARE* evil! Theodore Y. Ts'o
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! John Stracke
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! John Stracke
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil^H^H^H^Hmpls! Jon Crowcroft
- Re: NATs *ARE* evil! Harald Alvestrand
- Re: NATs *ARE* evil! Mike Fisk
- Re: NATs *ARE* evil! Denis Mcmahon
- Re: NATs *ARE* evil! Matt Holdrege
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! Sam Liang
- Re: NATs *ARE* evil! Fred Baker
- Re: NATs *ARE* evil! Fred Baker
- Re: NATs *ARE* evil! Fred Baker
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! Fred Baker
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! Sean Doran
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! Keith Moore
- Re: NATs *ARE* evil! V Guruprasad
- Re: NATs *ARE* evil! Kai Henningsen