IETF Logo Mail Archive

Re: [BEHAVE] Very late query on stateful NAT64

"Dan Wing" <dwing@cisco.com> Fri, 22 October 2010 16:49 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F99E3A6826 for <behave@core3.amsl.com>; Fri, 22 Oct 2010 09:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.466
X-Spam-Level:
X-Spam-Status: No, score=-110.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gmv1fYQCcXxN for <behave@core3.amsl.com>; Fri, 22 Oct 2010 09:49:45 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id 6DB533A67AD for <behave@ietf.org>; Fri, 22 Oct 2010 09:49:45 -0700 (PDT)
Authentication-Results: rtp-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAFdewUxAZnwN/2dsb2JhbACVFIxPcaRqnBqFSgSEVg
X-IronPort-AV: E=Sophos;i="4.58,224,1286150400"; d="scan'208";a="173907827"
Received: from rtp-core-2.cisco.com ([64.102.124.13]) by rtp-iport-2.cisco.com with ESMTP; 22 Oct 2010 16:51:23 +0000
Received: from dwingWS (rtp-vpn3-1403.cisco.com [10.82.221.129]) by rtp-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o9MGpLuZ004628; Fri, 22 Oct 2010 16:51:22 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>, 'Dave Thaler' <dthaler@microsoft.com>
References: <4CC0C319.1040400@gmail.com> <9B57C850BB53634CACEC56EF4853FF6534328FB8@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com> <4CC0E80D.8060800@gmail.com>
In-Reply-To: <4CC0E80D.8060800@gmail.com>
Date: Fri, 22 Oct 2010 09:51:21 -0700
Message-ID: <449501cb7209$5bd7e9e0$1387bda0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: ActxiAcr/knmjKkRR0qiQuEs8FhiIgAgQxoA
Content-Language: en-us
Cc: 'Se-young Yu' <syu051@aucklanduni.ac.nz>, behave@ietf.org
Subject: Re: [BEHAVE] Very late query on stateful NAT64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2010 16:49:46 -0000

> -----Original Message-----
> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On
> Behalf Of Brian E Carpenter
> Sent: Thursday, October 21, 2010 6:26 PM
> To: Dave Thaler
> Cc: Se-young Yu; behave@ietf.org
> Subject: Re: [BEHAVE] Very late query on stateful NAT64
> 
> On 2010-10-22 13:38, Dave Thaler wrote:
> >> -----Original Message-----
> >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On
> Behalf
> >> Of Brian E Carpenter
> >> Sent: Thursday, October 21, 2010 3:48 PM
> >> To: behave@ietf.org
> >> Cc: Se-young Yu
> >> Subject: [BEHAVE] Very late query on stateful NAT64
> >>
> >> Hi,
> >>
> >> The security considerations of the RFC-to-be draft-ietf-behave-v6v4-
> xlate-
> >> stateful-12
> >> include this:
> >>
> >>>    Another consideration related to NAT64 resource depletion refers
> to
> >>>    the preservation of binding state.  Attackers may try to keep a
> >>>    binding state alive forever by sending periodic packets that
> refresh
> >>>    the state.  In order to allow the NAT64 to defend against such
> >>>    attacks, the NAT64 MAY choose not to extend the session entry
> >>>    lifetime for a specific entry upon the reception of packets for
> that
> >>>    entry through the external interface.
> >> How does the NAT64 distinguish between malicious keep-alives and
> genuine
> >> packets of a one-way UDP flow of some kind? We don't see how this
> can be
> >> implemented.
> >
> > My understanding is that this is no different from stateful NAT44...
> > Many NAT44s require packets in the outbound direction in order to
> keep
> > the mapping alive.  So you can have a one-way UDP flow in the
> outbound
> > direction just fine.  But if you want a one-way UDP flow in the
> inbound direction,
> > this will time out and break unless you periodically send something
> in the
> > outbound direction.   Not all NATs do this, but some do.   Hence the
> MAY.
> 
> Hmmph. MAY implies that this is reasonable behaviour. I'd have
> preferred to
> see this phrased as a warning about possible misbehaviour by NATs,
> rather
> than as a permitted "security" mechanism. Well, it isn't worth calling
> the document back from the RFC Editor for this, but I would have
> argued the point if I'd been aware of it earlier.
> 
> This is yet another reason why people are misusing HTTP to carry real
> time
> streaming data, I suppose: NATs might arbitrarily interrupt legitimate
> UDP streams.

HTTP (over TCP) has these very convenient TCP ACKs which indicate
the (internal) host enjoyed consuming the data.

If for a UDP flow the internal host doesn't burp a UDP packet 
occasionally, the NAT has no indication the internal host is alive, 
cared, wanted, or enjoyed the data.  The NAT has to destroy the UDP 
state at some point, or else its state table is full of incoming
UDP flows for movies or whatever content was being UDP streamed
long after the receiving system crashed or was disconnected from
the network.

-d

v2.23.0 | Report a Bug | By Email