[ih] The invention of what we now call NAT
Vint Cerf
vint at google.com
Tue Apr 22 15:18:01 PDT 2025
The BCR project (DARPA/NSA) used TCP embedded in an encrypted TCP layer not
unlike what Karl is describing. Later, IPSEC could be used to carry
encrypted TCP as payload.

On the Arpanet, SRI built a "port expander" which allowed up to 4 hosts to
be connected through what would otherwise have been a single port for a
host - using some extra bits in the TCP header. Documented at DTIC
<https://apps.dtic.mil/sti/tr/pdf/ADA156186.pdf#:~:text=ARPANET%2C%20substitution%20of%20a%20connection%20by%20means%20of%20the%20port%20expander%20in&text=This%20allows%20one.%20NCP%2Dbased%20host%20and%20several%20TCP%2Dbased%20hosts%20to%20be>

Not a NAT, but a way of expanding Arpanet IMP address space using bits in
the TCP/IP header.

v
On Tue, Apr 22, 2025 at 4:17 PM Karl Auerbach via Internet-history <internet-history at elists.isoc.org> wrote:
> In the mid-1970s our group (Dave Kaufman, Frank Heinrich, etc., and
> myself, under the management of Gerry Cole and Clark Weissman) at SDC
> (System Development Corporation) worked on a then-classified project.
> (We worked with various US-based agencies and a bit with RSRE in the UK
> - where I had the privilege of getting to do some work with Donald Davies.)
>
> We didn't do NAT in the sense of doing address translation. Rather we
> created an entire overlay network with its own IP address space. (This
> was done in the very early days of TCP - before the formal development
> of IP, although we arrived at the same conclusion as others, that there
> ought to be some sort of formalized datagram layer underneath TCP - we
> used that notion of an underlying layer as a way to insert our security
> system. What was strange to today's eyes was that we used an underlying
> TCP-based network as our datagram layer, so we effectively ended up with
> TCP over TCP.)
>
> Our architecture included what we would today call a "tunnel".
> (Actually, many encrypted tunnels, each with its own security level,
> plus a key management system.)
>
> We actually built it, it worked, and I heard that it was put into actual
> worldwide production. (My group did most of the security kernel
> design/implementation, David, and if I remember correctly, along with
> Carl Sunshine, did more of the protocol design, and Frank, David, and I
> collaborated on the key management and access control system. Security
> policy and software verification were done by Marv Schaeffer, Hillary O.,
> Val Schorre, Tom Hinke, John Schied - I am sure I misspelled several of
> those names.)
>
> I've chatted with Dave Kaufman about this and we both are quite unclear
> whether, even today, fifty years later, we can say much about what we
> designed and implemented.
>
> (On a personal basis, my mind wonders how I managed to do all of this
> while at the same time attending law school.)
>
> --karl--
>
>
> --
> Internet-history mailing list
> Internet-history at elists.isoc.org
> https://elists.isoc.org/mailman/listinfo/internet-history
>
--
Please send any postal/overnight deliveries to:
Vint Cerf
Google, LLC
1900 Reston Metro Plaza, 16th Floor
Reston, VA 20190
+1 (571) 213 1346
until further notice