Re: [BEHAVE] Security issues when an IPv4 address is shared by different CPE

"Dan Wing" <dwing@cisco.com> Sat, 20 December 2008 02:08 UTC

From: Dan Wing <dwing@cisco.com>
To: "'Eric Vyncke (evyncke)'" <evyncke@cisco.com>, behave@ietf.org
References: <CE2BF2A7B1008C459FD7978065C6ECE007ED8C62@xmb-ams-33a.emea.cisco.com>
Date: Fri, 19 Dec 2008 18:08:38 -0800
Message-ID: <044101c96247$df5290a0$c4f0200a@cisco.com>
In-Reply-To: <CE2BF2A7B1008C459FD7978065C6ECE007ED8C62@xmb-ams-33a.emea.cisco.com>
Cc: draft-gont-behave-nat-security@tools.ietf.org
Subject: Re: [BEHAVE] Security issues when an IPv4 address is shared by different CPE

> -----Original Message-----
> From: behave-bounces@ietf.org 
> [mailto:behave-bounces@ietf.org] On Behalf Of Eric Vyncke (evyncke)
> Sent: Monday, December 01, 2008 7:18 AM
> To: behave@ietf.org
> Subject: [BEHAVE] Security issues when an IPv4 address is 
> shared by different CPE
> 
> Not sure whether this is the right place to post (notably 
> because it is not about NAT 66 ;-))...
>  
> Several proposals around 'carrier grade NAT' share one public 
> IPv4 address among several CPEs. While it is common now to 
> 'share' one public IPv4 on a CPE among all hosts within the 
> same home, sharing a public IPv4 address among several CPE is 
> a vastly different threat model.

Eric,

Your list of security issues also applies to the port range
proposals (draft-despres-sam, draft-ymbk-aplusp).  

At this point, the best place for text such as yours is probably
draft-gont-behave-nat-security.  However, that document is specific
to NAT right now but the authors might be able to expand the
document's scope to also discuss the general security issues of
sharing addresses.

There is also text in Section 9.1 of 
draft-wing-nat-pt-replacement-comparison that could be lifted.  
I expect that document will probably die.

-d


> 1) PMTUD: if a malicious CPE is connected to the same server 
> as a normal CPE, then the malicious CPE can send ICMP 
> packet_too_big to reduce the used MTU between this server and 
> _ALL_ CPE sharing the public IPv4 address. This will slow 
> down the traffic from this server because the PMTUD cache is 
> on a per-host basis AFAIK.
> 
> 2) FATE SHARING: if the same malicious CPE launches some kind 
> of attack against a server, then the server will probably 
> react by blacklisting the IPv4 address... also preventing 
> all other CPEs from connecting to this server.
> 
> 3) LOG CONFUSION: IPv4 servers rely heavily on the 
> fact that one IPv4 address maps to a single user. Correlation 
> between actions (often used in the case of a security incident: 
> 'what kind of damage has the bad guy done?') becomes mostly 
> impossible. Similar to this would be the confusion of some 
> 'dumb' load balancers.
> 
> And another issue is ID collision (not really a security 
> issue though), but a malicious CPE could send IP datagrams to 
> the 'shared' server with a good chance of ID collision among 
> all the hosts behind so many CPEs. If packets are fragmented, 
> this will become really really difficult to de-fragment correctly.
> 
> Just my 0,01 EUR
> 
> -éric
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

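An added illustration, not part of the thread above or of any draft it cites: a small Python model of the state a server keeps per peer address, showing why one CPE behind a shared public IPv4 address drags every other CPE behind it along. It covers the PMTUD, fate-sharing and ID-collision points from Eric's list. Every address, customer name, MTU value and fragment below is constructed for the example, and the Server class and demo functions are hypothetical names, not anything from a real stack.

```python
"""Added example, not from the BEHAVE thread: a toy model of the state a
server keeps per *peer address*, to show how one CPE behind a shared public
IPv4 address affects every other CPE behind it.  All addresses, names, sizes
and fragments are constructed; the class and function names are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from math import prod

SHARED_IPV4 = "203.0.113.5"   # constructed: one public address behind many CPEs
OTHER_IPV4 = "192.0.2.77"     # constructed: a customer with an unshared address
SERVER = "198.51.100.10"      # constructed: the server everyone talks to
LINK_MTU = 1500


@dataclass
class Server:
    """Per-peer-address state: an RFC 1191-style PMTU cache and a naive IP blacklist."""
    pmtu_cache: dict[str, int] = field(default_factory=dict)
    blacklist: set[str] = field(default_factory=set)

    def handle_frag_needed(self, peer_ip: str, next_hop_mtu: int) -> None:
        # ICMP "fragmentation needed": lower the cached path MTU toward peer_ip.
        # The quoted inner header identifies only the shared address, so any
        # CPE behind it can craft a message that matches a live flow.
        cur = self.pmtu_cache.get(peer_ip, LINK_MTU)
        self.pmtu_cache[peer_ip] = min(cur, max(next_hop_mtu, 68))

    def mtu_for(self, peer_ip: str) -> int:
        return self.pmtu_cache.get(peer_ip, LINK_MTU)

    def ban(self, peer_ip: str) -> None:
        self.blacklist.add(peer_ip)

    def accepts(self, peer_ip: str) -> bool:
        return peer_ip not in self.blacklist


CUSTOMERS = {"cpe-honest-1": SHARED_IPV4, "cpe-honest-2": SHARED_IPV4,
             "cpe-malicious": SHARED_IPV4, "cpe-elsewhere": OTHER_IPV4}


def pmtud_demo() -> dict[str, int]:
    """Issue 1: a forged packet-too-big from cpe-malicious lowers the MTU the
    server uses toward every CPE sharing the address."""
    srv = Server()
    srv.handle_frag_needed(SHARED_IPV4, 576)       # sent by cpe-malicious
    return {name: srv.mtu_for(ip) for name, ip in CUSTOMERS.items()}


def fate_sharing_demo() -> dict[str, bool]:
    """Issue 2: the server blacklists the address after one CPE misbehaves."""
    srv = Server()
    srv.ban(SHARED_IPV4)                           # reaction to cpe-malicious
    return {name: srv.accepts(ip) for name, ip in CUSTOMERS.items()}


def id_collision_probability(in_flight: int, id_bits: int = 16) -> float:
    """Birthday bound: chance that two of `in_flight` datagrams with the same
    (src, dst, proto) carry the same Identification value.  Hosts behind
    different CPEs choose IDs independently; sharing an address pools them."""
    space = 2 ** id_bits
    return 1.0 - prod((space - i) / space for i in range(in_flight))


def reassemble(fragments: list[dict]) -> dict[tuple, bytes]:
    """Minimal RFC 791-style reassembly: fragments are grouped by
    (src, dst, proto, id) and a datagram is emitted once the buffer is gap-free
    from offset 0 to a fragment with MF=0.  Offsets are bytes here (the wire
    carries offset/8).  Fragments arriving for a completed key are dropped."""
    buffers: dict[tuple, dict[int, tuple[bytes, bool]]] = {}
    completed: dict[tuple, bytes] = {}
    for f in fragments:
        key = (f["src"], f["dst"], f["proto"], f["id"])
        if key in completed:
            continue
        buf = buffers.setdefault(key, {})
        buf[f["offset"]] = (f["data"], f["mf"])
        pos, out = 0, b""
        while pos in buf:
            data, more = buf[pos]
            out, pos = out + data, pos + len(data)
            if not more:
                completed[key] = out
                del buffers[key]
                break
    return completed


def id_collision_demo() -> dict[tuple, bytes]:
    """ID collision: two hosts behind different CPEs both pick ID 4242 for
    datagrams to SERVER, so their fragments share one reassembly key."""
    def frag(offset: int, mf: bool, data: bytes) -> dict:
        return dict(src=SHARED_IPV4, dst=SERVER, proto=17, id=4242,
                    offset=offset, mf=mf, data=data)
    frags = [
        frag(0, True, b"AAAAAAAA"),   # host A: first piece of its datagram
        frag(8, False, b"BBBB"),      # host B: tail of *its* datagram, same key
        frag(8, False, b"AAAA"),      # host A's real tail arrives too late
    ]
    return reassemble(frags)          # one datagram neither host sent; A's is lost
```

pmtud_demo() returns 576 for the two honest CPEs as well as the attacker, while the customer on 192.0.2.77 keeps 1500; fate_sharing_demo() rejects all three sharing customers; id_collision_demo() hands the upper layer b"AAAAAAAABBBB", a datagram nobody sent (a UDP or TCP checksum may reject it, but host A's datagram is gone either way); and id_collision_probability(300) is about 0.5, so a few hundred datagrams in flight for one (src, dst, proto) tuple already make a collision likely.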