> On Aug 28, 2008, at 5:04 PM, Mark Andrews wrote:
> >
> > I agree with you that there is a difference. The problem
> > of course is that you often don't know that an ALG is also
> > installed in the NAT box.
> >
> > You generally buy a NAT (router in some markets) and have
> > no idea of what's inside as the vendors don't give you
> > enough details. You are also often not in a position to
> > see the traffic on both sides as the upstream may be a
> > cable/dsl modem and not ethernet.

> However, for purposes of building a DNS resolver, you can probe for
> the detailed behavior, including port, ID, IP, etc, by querying a
> properly constructed authority, so you can be in a position to see
> both sides of the traffic: you just have to ask somebody who will tell
> you the other side.
> {port,txid,server}.{anything}.nettest.icir.org is one prototype example.
> This works in all cases where the NAT/proxy is not malicious
> (deliberately whitelisting the tests) and whose behavior doesn't
> change (you can always repoll to check for changed behaviors at a
> reasonable interval, however).
> For a malicious proxy in path, you are sunk however, but with a
> malicious proxy in path, you are sunk period.

And one really wants a solution where you don't need to care about
whether the port or txid are being changed or not. You also want
one where you can detect a malicious proxy / cache.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
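As an added illustration of the probe described in the quoted message (this is constructed example code, not code from the thread or from the nettest.icir.org service): a stub sends randomized queries through a model NAT/ALG to a cooperating authority that echoes back the source port and transaction ID it actually saw, so the stub can tell whether the path rewrites them. The `probe.example` name, the per-query nonce label and the three NAT/ALG models are assumptions made for the simulation.

```python
import random
import struct

def build_query(txid, qname):
    """Minimal DNS query on the wire: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_txid(packet):
    return struct.unpack("!H", packet[:2])[0]

# Three constructed NAT/ALG models; each returns (external port, packet as forwarded).
def nat_passthrough(src_port, packet, state):
    return src_port, packet

def nat_sequential(src_port, packet, state):
    """NAT that allocates external ports sequentially, destroying port entropy."""
    state["port"] = state.get("port", 1024) + 1
    return state["port"], packet

def alg_rewrite_txid(src_port, packet, state):
    """DNS ALG that replaces the transaction ID with its own counter."""
    state["id"] = state.get("id", 0) + 1
    return src_port, struct.pack("!H", state["id"]) + packet[2:]

def authority_view(ext_port, packet):
    """What the cooperating authority echoes back: (port, txid) as it saw them."""
    return ext_port, parse_txid(packet)

def probe(nat, n=64, seed=1):
    """Send n randomized queries through `nat` and compare sent vs observed."""
    rng, state, sent, seen = random.Random(seed), {}, [], []
    for i in range(n):
        port, txid = rng.randrange(1024, 65536), rng.randrange(0, 65536)
        # The per-query label {i} plays the role of {anything}: it keeps every
        # probe a cache miss so each answer reflects a fresh observation.
        pkt = build_query(txid, f"port.txid.server.{i}.probe.example")
        ext_port, ext_pkt = nat(port, pkt, state)
        sent.append((port, txid))
        seen.append(authority_view(ext_port, ext_pkt))
    ports = [p for p, _ in seen]
    return {
        "port_rewritten": any(s[0] != o[0] for s, o in zip(sent, seen)),
        "txid_rewritten": any(s[1] != o[1] for s, o in zip(sent, seen)),
        "ports_sequential": all(b - a == 1 for a, b in zip(ports, ports[1:])),
        "distinct_ports": len(set(ports)),
    }
```

Repolling at an interval, as the message suggests, is just calling `probe` again with a fresh seed and comparing the returned flags against the earlier run.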

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.