[13313] in North American Network Operators' Group
Re: NAT etc. (was: Spam Control Considered Harmful)
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Sun Nov 2 12:12:30 1997
Date: Sun, 2 Nov 1997 12:01:43 -0500
From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
To: Tim Salo <salo@networkcs.com>
Cc: nanog@merit.edu
In-Reply-To: <199711020144.TAA15776@uh.msc.edu>; from Tim Salo <salo@networkcs.com> on Sat, Nov 01, 1997 at 07:44:55PM -0600
On Sat, Nov 01, 1997 at 07:44:55PM -0600, Tim Salo wrote:
> > Date: Sat, 1 Nov 1997 17:37:57 -0500
> > From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
> > To: "You're welcome" <nanog@merit.edu>
> > Subject: Re: NAT etc. (was: Spam Control Considered Harmful)
> > [...]
> > Well, yes, Paul, but unless I misunderstood you, that's exactly the
> > point. If a client inside a NAT cloud does a DNS lookup to a
> > supposedly authoritative server outside, and the NAT box is _required_
> > to strip off the signature (which it would, because it has to change
> > the data), then it's not possible, by definition, for any client
> > inside such a NAT box to make any use of SecDNS.
> >
> > The point is that you _can't_ regenerate the signature, usefully to the
> > client, anyway, precisely because _it is a signature_.
>
> Presumably, the NAT could,
>
> o Verify the signature of the DNS responses it receives, and
> dump any responses that don't meet its [authentication]
> criteria, or
>
> o Sign the response it creates and let the client verify
> the NAT's signature. Presumably, the client will trust
> the NAT.
Yup, it could, but as I noted to Paul, in the cases Sean is advocating,
the client and the NAT box may not be within the same span of
administration, either. I.e.: no, you may _not_ trust the NAT op.
Cheers,
-- jra
--
Jay R. Ashworth <jra@baylink.com>
Member of the Technical Staff, The Suncoast Freenet, Tampa Bay, Florida
+1 813 790 7592
Unsolicited Commercial Emailers Sued
"Pedantry. It's not just a job, it's an adventure." -- someone on AFU
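The exchange above, as an added example that is not part of the original thread: a NAT that rewrites DNS data cannot regenerate the authoritative server's signature; it can only drop the signature, forward a now-mismatched one, or (Tim's suggestion) verify upstream and re-sign with its own key, which satisfies the client only if the NAT's key is in the client's trust anchors (Jay's objection). The signing scheme is a toy textbook-RSA over small constructed primes standing in for DNSSEC keys, the names, addresses and the NAT's address mapping are constructed, and the "strip"/"forward"/"resign" modes are hypothetical models of NAT behaviour, not any real DNS ALG.

```python
import hashlib

# Toy textbook-RSA signing (constructed for illustration; real DNSSEC uses
# full-size RSA/ECDSA/EdDSA keys).  Small primes keep the numbers readable.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

# Constructed keys: one for the outside authoritative server, one for the NAT.
AUTH_PUB, AUTH_PRIV = make_keypair(1000003, 1000033)
NAT_PUB, NAT_PRIV = make_keypair(1000037, 1000039)

# Constructed NAT address mapping: outside address -> inside address.
INSIDE_MAP = {"192.0.2.10": "10.0.0.10"}

def digest(rrset):
    """Canonical (owner, type, rdata) form of an RRset -> integer digest."""
    owner, rtype, rdata = rrset
    canonical = f"{owner.lower()}|{rtype}|{rdata}".encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")

def sign(rrset, priv):
    n, d = priv
    return pow(digest(rrset) % n, d, n)

def verify(rrset, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(rrset) % n

def authoritative_answer():
    """Constructed sample: the outside server's signed A record."""
    rrset = ("www.example.test.", "A", "192.0.2.10")
    return rrset, sign(rrset, AUTH_PRIV)

def nat_rewrite(rrset, sig, mode):
    """Hypothetical DNS-aware NAT.  It must change the rdata, and the question
    is what it does with the signature it cannot regenerate."""
    owner, rtype, rdata = rrset
    translated = (owner, rtype, INSIDE_MAP.get(rdata, rdata))
    if mode == "strip":      # rewrite, drop the upstream signature
        return translated, None
    if mode == "forward":    # rewrite, forward the now-mismatched signature
        return translated, sig
    if mode == "resign":     # verify upstream first, then sign with the NAT key
        if not verify(rrset, sig, AUTH_PUB):
            return None, None   # NAT dumps answers that fail its criteria
        return translated, sign(translated, NAT_PRIV)
    raise ValueError(f"unknown mode {mode!r}")

def client_validate(rrset, sig, trust_anchors):
    """Client accepts only answers signed by a key in its trust anchors."""
    if rrset is None:
        return "dropped by NAT"
    if sig is None:
        return "rejected: unsigned"
    if any(verify(rrset, sig, pub) for pub in trust_anchors):
        return "accepted"
    return "rejected: bad signature"

def run_scenarios():
    rrset, sig = authoritative_answer()
    tampered = (rrset[0], rrset[1], "198.51.100.99")  # constructed: altered in transit
    only_auth = [AUTH_PUB]            # client trusts the authoritative key only
    auth_and_nat = [AUTH_PUB, NAT_PUB]  # client also trusts the NAT operator
    return {
        "direct": client_validate(rrset, sig, only_auth),
        "nat_strip": client_validate(*nat_rewrite(rrset, sig, "strip"), only_auth),
        "nat_forward": client_validate(*nat_rewrite(rrset, sig, "forward"), only_auth),
        "nat_resign_untrusted": client_validate(*nat_rewrite(rrset, sig, "resign"), only_auth),
        "nat_resign_trusted": client_validate(*nat_rewrite(rrset, sig, "resign"), auth_and_nat),
        "nat_drops_tampered": client_validate(*nat_rewrite(tampered, sig, "resign"), auth_and_nat),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} {outcome}")
```

The two "resign" rows are the crux of the thread: the same re-signed answer is accepted when the client has chosen to trust the NAT's key and rejected when it has not, so re-signing only moves the trust decision onto the NAT operator rather than removing it.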