IETF Logo Mail Archive

Re: [BEHAVE] Comments todraft-ietf-behave-v6v4-xlate-stateful-01.txt

"Dan Wing" <dwing@cisco.com> Wed, 15 July 2009 19:34 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D2B73A6B86 for <behave@core3.amsl.com>; Wed, 15 Jul 2009 12:34:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.473
X-Spam-Level:
X-Spam-Status: No, score=-6.473 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id veQx7qKmZ23o for <behave@core3.amsl.com>; Wed, 15 Jul 2009 12:34:29 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 819233A6C46 for <behave@ietf.org>; Wed, 15 Jul 2009 12:34:18 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApsEAE3MXUqrR7PD/2dsb2JhbACLCK50iCORDwWECYFC
X-IronPort-AV: E=Sophos;i="4.42,406,1243814400"; d="scan'208";a="347334827"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 15 Jul 2009 19:33:53 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n6FJXrf4006052; Wed, 15 Jul 2009 12:33:53 -0700
Received: from dwingwxp01 ([10.32.240.196]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n6FJXrGR015058; Wed, 15 Jul 2009 19:33:53 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Iljitsch van Beijnum' <iljitsch@muada.com>, 'Cameron Byrne' <cambyrne@yahoo.com>
References: <664224.75848.qm@web32005.mail.mud.yahoo.com> <2F9A210A-CD37-45CD-860E-32837272889C@muada.com>
Date: Wed, 15 Jul 2009 12:33:53 -0700
Message-ID: <128301ca0583$2ff37720$c4f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <2F9A210A-CD37-45CD-860E-32837272889C@muada.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-Index: AcoFaNkRH49oHH5lRJKYbApO3CpZbgAGfnZw
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2445; t=1247686433; x=1248550433; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[BEHAVE]=20Comments=20todraft-ietf-beha ve-v6v4-xlate-stateful-01.txt |Sender:=20; bh=cZtNGP5n30tSePMY4BUciF4yHnAcr8QGV4QPGjG1tFk=; b=tWmuMT8Mvz4IigPa1k2VWpbyemZC+6tUk1JaKhv8QoDCI6V34mLNaQdq5P /nsYhPe1nfJt2Fl4VGQjLIMnRya1fC8p5UFXJCM4dpxmIgGe7Wm4kVcO3qwX E7Iqd19HNw;
Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: 'Behave WG' <behave@ietf.org>
Subject: Re: [BEHAVE] Comments todraft-ietf-behave-v6v4-xlate-stateful-01.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2009 19:34:31 -0000

> -----Original Message-----
> From: behave-bounces@ietf.org 
> [mailto:behave-bounces@ietf.org] On Behalf Of Iljitsch van Beijnum
> Sent: Wednesday, July 15, 2009 9:23 AM
> To: Cameron Byrne
> Cc: Behave WG
> Subject: Re: [BEHAVE] Comments 
> todraft-ietf-behave-v6v4-xlate-stateful-01.txt
> 
> On 15 jul 2009, at 18:05, Cameron Byrne wrote:
> 
> > The attacker would have to guess the IPv4 NAT64 pool address  
> > (assume /24) and the source port that the NAT64 sources the  
> > connection from, right? So, the attacker would need to brute force  
> > generate the destination part of the packet, which would 
> require 15  
> > million permutations of packets (255 addrsses in the NAT64 pool *  
> > 60,000 ephemeral ports), right?
> 
> Not exactly. I would rather look at the situation where the 
> addresses  
> at both ends are known. The port number on one end is also known.
> 
> So if I'm an attacker I could just cycle through all the source port  
> numbers get the NAT64 to accept a fake RST that seemingly 
> comes from www.example.com 
> . The NAT64 will now reduce its timeout for all the sessions 
> towards www.example.com 
>   to 4 minutes.
> 
> However, so far there is no real damage except for sessions that  
> remain idle for the next 4 minutes. To really reset the session the  
> RST would have to be in-window for the IPv6 host.

See also
http://tools.ietf.org/html/draft-gont-tcp-security-00#section-3.6.7
which recommends host TCP stacks not abort the connection if the
RST is merely in the receive window, but only abort the connection
if the RSTs is exactly the expected sequence number.

I don't know how widely that recommendation is implemented.  
Fernando would know, CC'd.

-d

> Let's assume a  
> window scale option of 3 and the maximum window, that's 500k 
> out of 4G  
> = 8000 packets needed to get through. Times our earlier 64k 
> packets =  
> 5M packets. At gigabit speeds, that's certainly a doable attack.
> 
> However, even at gigabit speeds this takes a few seconds. By that  
> time, most HTTP transactions are already over. It would be a 
> good way  
> to kill IMAP and IM sessions, but I believe those are generally  
> automatically reestablished. So I'm not too worried about this attack.
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email