> > If you are NAT'd the port number MAY offer you no protection.
> > There are NATs which attempt to preserve port numbers and
> > actually do a pretty good job of doing that.
> >
> > If you are NAT'd the NAT MAY provide protection for nameservers
> > that do not randomize their source ports by randomising the
> > source port as a side effect of the NAT process.
> >
> > There are also NATs which serialize the ports and NATs
> > which only emit one port and potentially serialize the qid
> > as well.

> Mark,
> Can we please make a distinction between plain NATs (which only affect
> TCP/UDP and IP headers) and proxies (or ALGs) which manipulate the
> protocol at higher levels?
> I've never seen a NAT which affects QIDs. I've seen plenty of ALGs that
> do, though, many of which did indeed pick serial QIDs.
> Ray

I agree with you that there is a difference. The problem
of course is that you often don't know that an ALG is also
installed in the NAT box.

You generally buy a NAT (router in some markets) and have
no idea of what's inside as the vendors don't give you
enough details. You are also often not in a position to
see the traffic on both sides as the upstream may be a
cable/dsl modem and not ethernet.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
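
An added example, not part of the messages above: one way to check what a NAT box actually does to a resolver's queries is to capture them on the outside and look at the source ports and query IDs that emerge. The sample pairs, function names and the 80% / 16-step thresholds are assumptions made for this illustration.

```python
from collections import Counter

# Constructed samples: (source_port, qid) pairs as captured outside the NAT box.
SCATTER = [41822, 9013, 60277, 23951, 50118, 3377, 28840, 57002, 14465, 36619]
PRESERVED = list(zip(SCATTER, reversed(SCATTER)))            # ports passed through
SERIAL_PORTS = list(zip(range(1024, 1034), SCATTER))         # NAT hands out ports in order
ONE_PORT_ALG = list(zip([32768] * 10, range(65530, 65540)))  # one port, serial qid (wraps)

def classify(values, modulus=65536):
    """Label a sequence of 16-bit values as constant, serialized or scattered."""
    values = [v % modulus for v in values]
    if len(values) < 8:
        raise ValueError("need at least 8 samples")
    # Step between consecutive samples, wrapped to 16 bits.
    steps = [(b - a) % modulus for a, b in zip(values, values[1:])]
    step, count = Counter(steps).most_common(1)[0]
    if count >= 0.8 * len(steps):
        if step == 0:
            return "constant"
        if step <= 16 or step >= modulus - 16:
            return "serialized"
    # "scattered" only means no simple pattern was found, not proven randomness.
    return "scattered"

def assess(samples):
    """Classify the port and qid columns of the captured pairs separately."""
    ports = classify([p for p, _ in samples])
    qids = classify([q for _, q in samples])
    return {"ports": ports, "qids": qids}

if __name__ == "__main__":
    for name, s in [("preserved", PRESERVED), ("serial ports", SERIAL_PORTS),
                    ("one port + ALG", ONE_PORT_ALG)]:
        print(name, assess(s))
```

A "serialized" or "constant" result on either column means that field gives an off-path guesser nothing to guess, whatever the nameserver behind the box does.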
