Re: [BEHAVE] Very late query on stateful NAT64
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 22 October 2010 03:03 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8D9733A6836 for <behave@core3.amsl.com>; Thu, 21 Oct 2010 20:03:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.58
X-Spam-Level:
X-Spam-Status: No, score=-102.58 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zp0upLgPV827 for <behave@core3.amsl.com>; Thu, 21 Oct 2010 20:03:39 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 69D4F3A682F for <behave@ietf.org>; Thu, 21 Oct 2010 20:03:39 -0700 (PDT)
Received: by ywo32 with SMTP id 32so296185ywo.31 for <behave@ietf.org>; Thu, 21 Oct 2010 20:05:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=7lsyCla5GAwlGD8YugVqLnP6gruQhf+K4QiYQk//ZC8=; b=Lz1fcuIZxOWFaDnzPYbthZQiTR+oGWDAEY1w/ZHaoPwRFImS1oxtYASw9dJwsS6f5X IvrNqEf3GFMkLQaKoiThE7c6cm3eKmJe3+IqMRXzxjZF95dnQ20HS944FZLTT15VJoo9 BsBu8WJ9/0UJFs2cL93Jnv3d95p7Repe1FQLk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=EDTfcxt2qURF7s/sk/1crFpTC8DWKrxcDAtqaltiFze5D778YpNXngf6Uk3gX76c+A nmQrIeM0+kn/Oe1utEVw81rmw55VoPtiPBex1ruy/Tcdzt2Rirq4GgPIePEXmeEW2bOw 977wKubJZc5QvsmY1Zq+SAwlJNfq8Cj8jMaco=
Received: by 10.229.233.10 with SMTP id jw10mr1321043qcb.110.1287716716005; Thu, 21 Oct 2010 20:05:16 -0700 (PDT)
Received: from [130.216.38.124] (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id l14sm2167951qck.5.2010.10.21.20.05.13 (version=SSLv3 cipher=RC4-MD5); Thu, 21 Oct 2010 20:05:15 -0700 (PDT)
Message-ID: <4CC0FF64.4020100@gmail.com>
Date: Fri, 22 Oct 2010 16:05:08 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Reinaldo Penno <rpenno@juniper.net>
References: <C8E64B34.2D91A%rpenno@juniper.net>
In-Reply-To: <C8E64B34.2D91A%rpenno@juniper.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Se-young Yu <syu051@aucklanduni.ac.nz>, "behave@ietf.org" <behave@ietf.org>, Dave Thaler <dthaler@microsoft.com>
Subject: Re: [BEHAVE] Very late query on stateful NAT64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2010 03:03:40 -0000
On 2010-10-22 15:55, Reinaldo Penno wrote: > Hello , > > Comments inline. > > > On 10/21/10 6:25 PM, "Brian E Carpenter" <brian.e.carpenter@gmail.com> > wrote: > >> On 2010-10-22 13:38, Dave Thaler wrote: >>>> -----Original Message----- >>>> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf >>>> Of Brian E Carpenter >>>> Sent: Thursday, October 21, 2010 3:48 PM >>>> To: behave@ietf.org >>>> Cc: Se-young Yu >>>> Subject: [BEHAVE] Very late query on stateful NAT64 >>>> >>>> Hi, >>>> >>>> The security considerations of the RFC-to-be draft-ietf-behave-v6v4-xlate- >>>> stateful-12 >>>> include this: >>>> >>>>> Another consideration related to NAT64 resource depletion refers to >>>>> the preservation of binding state. Attackers may try to keep a >>>>> binding state alive forever by sending periodic packets that refresh >>>>> the state. In order to allow the NAT64 to defend against such >>>>> attacks, the NAT64 MAY choose not to extend the session entry >>>>> lifetime for a specific entry upon the reception of packets for that >>>>> entry through the external interface. >>>> How does the NAT64 distinguish between malicious keep-alives and genuine >>>> packets of a one-way UDP flow of some kind? We don't see how this can be >>>> implemented. >>> My understanding is that this is no different from stateful NAT44... >>> Many NAT44s require packets in the outbound direction in order to keep >>> the mapping alive. So you can have a one-way UDP flow in the outbound >>> direction just fine. But if you want a one-way UDP flow in the inbound >>> direction, > > How can an unidirectional inbound flow go through a NAPT? I would assume there were one or two outbound packets to start the session. > >>> this will time out and break unless you periodically send something in the >>> outbound direction. Not all NATs do this, but some do. Hence the MAY. >> Hmmph. MAY implies that this is reasonable behaviour. I'd have preferred to >> see this phrased as a warning about possible misbehaviour by NATs, rather >> than as a permitted "security" mechanism. Well, it isn't worth calling >> the document back from the RFC Editor for this, but I would have >> argued the point if I'd been aware of it earlier. > > Such discussion is present in RFC4787 as well - REQ-6. > >> This is yet another reason why people are misusing HTTP to carry real time >> streaming data, I suppose: NATs might arbitrarily interrupt legitimate >> UDP streams. > > I disagree. It is because of RTSP ALGs, ubiquity of HTTP clients and APIs in > every device, from iPhone to large desktop, availability of HTTP streaming > servers, authentication, etc. Well, it all started because HTTP gets through NATs and firewalls. The things you mentioned came afterwards. Brian
- [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Reinaldo Penno
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Reinaldo Penno
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Dan Wing
- Re: [BEHAVE] Very late query on stateful NAT64 Dan Wing
- Re: [BEHAVE] Very late query on stateful NAT64 marcelo bagnulo braun
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter