This is a discussion on Re: Some Observations on Entropy Re: Some observations on dns-0x20 - DNS ; > > If you are NAT'd the port number MAY offer you no protection. > > There are NAT's which attempt to preserve port numbers and > > actually do a pretty good job of doing that. > > > ...
> > If you are NAT'd the port number MAY offer you no protection.
> > There are NAT's which attempt to preserve port numbers and
> > actually do a pretty good job of doing that.
> > If you are NAT'd the NAT MAY provide protection for nameservers
> > that do not randomize their source ports by randomising the
> > source port as a side effect of the NAT process.
> > There are also NAT's which serialize the ports and NAT's
> > which only emit one port and potentially serialize the qid
> > as well.
> Can we please make a distinction between plain NATs (which only affect
> TCP/UDP and IP headers) and proxies (or ALGs) which manipulate the
> protocol at higher levels?
> I've never seen a NAT which affects QIDs. I've seen plenty of ALGs that
> do, though, many of which did indeed pick serial QIDs
I agree with you that there is a difference. The problem
of course is that you often don't know that a ALG is also
installed in the NAT box.
You generally buy a NAT (router in some markets) and have
no idea of what's inside as the vendors don't give you
enough details. You are also often not in a position to
see the traffic on both sides as the upstream may be a
cable/dsl modem and not ethernet.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.