Re: [BEHAVE] Very late query on stateful NAT64
Dave Thaler <dthaler@microsoft.com> Fri, 22 October 2010 00:37 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 206A13A67DB for <behave@core3.amsl.com>; Thu, 21 Oct 2010 17:37:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.462
X-Spam-Level:
X-Spam-Status: No, score=-110.462 tagged_above=-999 required=5 tests=[AWL=0.137, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0kTHLK4Ya8jS for <behave@core3.amsl.com>; Thu, 21 Oct 2010 17:36:58 -0700 (PDT)
Received: from smtp.microsoft.com (maila.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id 8C9183A67DA for <behave@ietf.org>; Thu, 21 Oct 2010 17:36:57 -0700 (PDT)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 21 Oct 2010 17:38:27 -0700
Received: from TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com (157.54.71.39) by TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.1.255.3; Thu, 21 Oct 2010 17:38:27 -0700
Received: from TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com ([169.254.1.172]) by TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.39]) with mapi; Thu, 21 Oct 2010 17:38:28 -0700
From: Dave Thaler <dthaler@microsoft.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "behave@ietf.org" <behave@ietf.org>
Thread-Topic: [BEHAVE] Very late query on stateful NAT64
Thread-Index: AQHLcXIWiMsNFaW94EKhTGeKB100qpNMH3gQ
Date: Fri, 22 Oct 2010 00:38:26 +0000
Message-ID: <9B57C850BB53634CACEC56EF4853FF6534328FB8@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
References: <4CC0C319.1040400@gmail.com>
In-Reply-To: <4CC0C319.1040400@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Se-young Yu <syu051@aucklanduni.ac.nz>
Subject: Re: [BEHAVE] Very late query on stateful NAT64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2010 00:37:00 -0000
> -----Original Message----- > From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf > Of Brian E Carpenter > Sent: Thursday, October 21, 2010 3:48 PM > To: behave@ietf.org > Cc: Se-young Yu > Subject: [BEHAVE] Very late query on stateful NAT64 > > Hi, > > The security considerations of the RFC-to-be draft-ietf-behave-v6v4-xlate- > stateful-12 > include this: > > > Another consideration related to NAT64 resource depletion refers to > > the preservation of binding state. Attackers may try to keep a > > binding state alive forever by sending periodic packets that refresh > > the state. In order to allow the NAT64 to defend against such > > attacks, the NAT64 MAY choose not to extend the session entry > > lifetime for a specific entry upon the reception of packets for that > > entry through the external interface. > > How does the NAT64 distinguish between malicious keep-alives and genuine > packets of a one-way UDP flow of some kind? We don't see how this can be > implemented. My understanding is that this is no different from stateful NAT44... Many NAT44s require packets in the outbound direction in order to keep the mapping alive. So you can have a one-way UDP flow in the outbound direction just fine. But if you want a one-way UDP flow in the inbound direction, this will time out and break unless you periodically send something in the outbound direction. Not all NATs do this, but some do. Hence the MAY. -Dave
- [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Reinaldo Penno
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Reinaldo Penno
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Dan Wing
- Re: [BEHAVE] Very late query on stateful NAT64 Dan Wing
- Re: [BEHAVE] Very late query on stateful NAT64 marcelo bagnulo braun
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter