Block all servers?

Not in the general case, no. See draft-aboba-nat-ipsec-04.txt if you
can find a copy.

    --Steve Bellovin, http://www.research.att.com/~smb

This internet draft is available at:

http://quimby.gnus.org/internet-drafts/draft-aboba-nat-ipsec-04.txt

I can't figure out if anything happened with this draft (I'm guessing
nothing went on). The draft expired on December 1, 2001.

bye,
ken emery

Ken Emery wrote:

I can't figure out if anything happened with
this draft (I'm guessing nothing went on). The
draft expired on December 1, 2001.

IPSec NAT Traversal is still being standardized, but has already been
implemented in a good number of products. Current drafts:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-07.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-05.txt
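An added illustration (my own constructed example, not code from the
drafts or from any of the products mentioned) of why those three drafts
exist and how the UDP encapsulation they describe lets ESP pass a port
translator. The SimplePAT class is a deliberately naive toy NAT, the
addresses and SPIs are made up, and the ESP payload is an opaque byte
string; the wire layout (UDP/4500, four zero bytes marking IKE, a
one-byte 0xFF keepalive, ESP's SPI first with SPI 0 reserved) follows
the udp-encaps and nat-t-ike drafts.

```python
"""IPsec NAT traversal sketch: why classic PAT cannot carry ESP from more
than one inside host, and how UDP encapsulation on port 4500 fixes it."""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixed to IKE on port 4500
NAT_KEEPALIVE = b"\xff"               # one-byte probe that refreshes the NAT binding
IPPROTO_ESP = 50
IPPROTO_UDP = 17


class SimplePAT:
    """Toy port-address translator (assumption: a classic NAT with no
    SPI-tracking ALG). Bindings are keyed on (protocol, inside IP, inside port)."""

    def __init__(self, public_ip="203.0.113.1"):   # constructed address
        self.public_ip = public_ip
        self.next_port = 40000
        self.bindings = {}

    def outbound(self, proto, src_ip, src_port):
        key = (proto, src_ip, src_port)
        if key in self.bindings:
            return self.bindings[key]
        if proto == IPPROTO_ESP:
            # Raw ESP carries no port field, so a PAT has nothing to rewrite
            # and can map at most one inside host per public address.
            if any(p == IPPROTO_ESP for p, _, _ in self.bindings):
                raise RuntimeError("second ESP host behind PAT: no port to demultiplex on")
            self.bindings[key] = (self.public_ip, None)
        else:
            # UDP has ports: every inside host gets its own public port.
            self.bindings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.bindings[key]


def build_udp_encap_esp(spi, seq, encrypted_payload):
    """UDP payload for UDP-encapsulated ESP: the ESP packet itself, SPI first."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the Non-ESP marker")
    return struct.pack("!II", spi, seq) + encrypted_payload


def build_udp_encap_ike(ike_message):
    """UDP payload for IKE on port 4500: four zero bytes, then the IKE message."""
    return NON_ESP_MARKER + ike_message


def classify_nat_t_payload(data):
    """Demultiplex a UDP/4500 payload the way a responder must:
    returns ('keepalive', None), ('ike', ike_bytes) or ('esp', {'spi', 'seq'})."""
    if data == NAT_KEEPALIVE:
        return ("keepalive", None)
    if len(data) < 4:
        raise ValueError("truncated NAT-T payload")
    if data[:4] == NON_ESP_MARKER:
        return ("ike", data[4:])
    if len(data) < 8:
        raise ValueError("ESP packet shorter than SPI + sequence number")
    spi, seq = struct.unpack("!II", data[:8])
    return ("esp", {"spi": spi, "seq": seq})


def demo():
    """Two inside hosts (constructed 10.0.0.2 and 10.0.0.3) behind one PAT."""
    pat = SimplePAT()
    udp_a = pat.outbound(IPPROTO_UDP, "10.0.0.2", NAT_T_PORT)
    udp_b = pat.outbound(IPPROTO_UDP, "10.0.0.3", NAT_T_PORT)
    pat.outbound(IPPROTO_ESP, "10.0.0.2", 0)
    try:
        pat.outbound(IPPROTO_ESP, "10.0.0.3", 0)
        raw_esp_second_host_ok = True
    except RuntimeError:
        raw_esp_second_host_ok = False
    esp = build_udp_encap_esp(0x12345678, 1, b"opaque ciphertext")
    return {
        "udp_ports_distinct": udp_a[1] != udp_b[1],
        "raw_esp_second_host_ok": raw_esp_second_host_ok,
        "esp_kind": classify_nat_t_payload(esp)[0],
        "ike_kind": classify_nat_t_payload(build_udp_encap_ike(b"\x01" * 28))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one draft-ietf-ipsec-nat-reqts spells
out: with raw ESP the translator has no port to rewrite, so only one
host behind it can have a tunnel up, whereas once ESP rides inside UDP
the NAT treats it like any other UDP flow and the receiver tells IKE,
ESP and keepalives apart from the first bytes of the payload.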

Jon Lewis wrote:

But why all this talk of NAT? Even if we all
universally deployed it on monday, it wouldn't
solve the problem. All it would do is keep the
spammer/hackers from turning grandma's PC into a
web server/proxy.

As well as preventing infection from worms like Blaster, and so forth.
It's hard to imagine one solution solving the entire laundry list of
problems. One step at a time.

That being said, NAT does break stuff and as has been mentioned,
filtering is certainly possible without having to bring NAT into the
mix. Microsoft assures us that the Windows firewall will be enabled by
default starting with WinXP patches early next year. How easy will it
be to turn it off? Will a virus be able to do it for you?

-Terry

Terry Baranski wrote:

That being said, NAT does break stuff and as has been mentioned,
filtering is certainly possible without having to bring NAT into the
mix. Microsoft assures us that the Windows firewall will be enabled by
default starting with WinXP patches early next year. How easy will it
be to turn it off? Will a virus be able to do it for you?

I would expect most new sophisticated trojans to include this
functionality. Most home users run their WinXP with "Local
Administrator" rights anyway because otherwise many activities would
be more complicated to accomplish. Many turn off AV products already.

I would also expect the sophisticated trojans to include NAT-PT-like
functionality when it becomes necessary to accumulate the needed
number of zombies for effective DDoS and other disruptive activities.
We already see them utilizing the local SMTP configuration on the
machine to use the relays the user is supposed to.

The Road Ahead is to make DDoS and abuse mitigation more efficient and
put some real security into the application architectures without
making them unusable.

Pete