IETF Logo Mail Archive

Re: [BEHAVE] Very late query on stateful NAT64

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 22 October 2010 01:23 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E89A3A67DB for <behave@core3.amsl.com>; Thu, 21 Oct 2010 18:23:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.58
X-Spam-Level:
X-Spam-Status: No, score=-102.58 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peaeHJkFZ8zi for <behave@core3.amsl.com>; Thu, 21 Oct 2010 18:23:52 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 44CFB3A6359 for <behave@ietf.org>; Thu, 21 Oct 2010 18:23:52 -0700 (PDT)
Received: by iwn5 with SMTP id 5so326553iwn.31 for <behave@ietf.org>; Thu, 21 Oct 2010 18:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=YY08FTDfuywQchgpbzt/d26rY4nfEqCypgOGuDGcoKw=; b=dRDBuZPCSUuXttw1vhH3GIVjagwqEDP1qb93/VoUk4zyZNm4BIu311vpz60S2AJIWk mQOONYkkt3Zlqnp1mATJtmiNlE5R7GIVuQQAAvbFncjXtHOCrlrlVm/UFlog96ausHQS cqbTVM33xot6oPS80JnTn2BpKE1CpnHIBOOg0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=GgWTqwdcnyLjtz9nQgIxcOhllQ3Urdbz7U190FJPndZQ4xfxAuwOUjmta6ieEuV8xL v0YlgQLp+CUvy/vIYzf6OTM37D9eAUiUY954P3s8aZ/PA5VB1rh5xBmsb4fyOzO6O0kI UGAlnaq33tRiXWXNv6AWMYan9Qxqeqf2SCpGY=
Received: by 10.231.166.205 with SMTP id n13mr1790506iby.112.1287710728749; Thu, 21 Oct 2010 18:25:28 -0700 (PDT)
Received: from [130.216.38.124] (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id q3sm898714vcr.3.2010.10.21.18.25.26 (version=SSLv3 cipher=RC4-MD5); Thu, 21 Oct 2010 18:25:28 -0700 (PDT)
Message-ID: <4CC0E80D.8060800@gmail.com>
Date: Fri, 22 Oct 2010 14:25:33 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Dave Thaler <dthaler@microsoft.com>
References: <4CC0C319.1040400@gmail.com> <9B57C850BB53634CACEC56EF4853FF6534328FB8@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <9B57C850BB53634CACEC56EF4853FF6534328FB8@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Se-young Yu <syu051@aucklanduni.ac.nz>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] Very late query on stateful NAT64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2010 01:23:53 -0000

On 2010-10-22 13:38, Dave Thaler wrote:
>> -----Original Message-----
>> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf
>> Of Brian E Carpenter
>> Sent: Thursday, October 21, 2010 3:48 PM
>> To: behave@ietf.org
>> Cc: Se-young Yu
>> Subject: [BEHAVE] Very late query on stateful NAT64
>>
>> Hi,
>>
>> The security considerations of the RFC-to-be draft-ietf-behave-v6v4-xlate-
>> stateful-12
>> include this:
>>
>>>    Another consideration related to NAT64 resource depletion refers to
>>>    the preservation of binding state.  Attackers may try to keep a
>>>    binding state alive forever by sending periodic packets that refresh
>>>    the state.  In order to allow the NAT64 to defend against such
>>>    attacks, the NAT64 MAY choose not to extend the session entry
>>>    lifetime for a specific entry upon the reception of packets for that
>>>    entry through the external interface.
>> How does the NAT64 distinguish between malicious keep-alives and genuine
>> packets of a one-way UDP flow of some kind? We don't see how this can be
>> implemented.
> 
> My understanding is that this is no different from stateful NAT44...
> Many NAT44s require packets in the outbound direction in order to keep
> the mapping alive.  So you can have a one-way UDP flow in the outbound
> direction just fine.  But if you want a one-way UDP flow in the inbound direction,
> this will time out and break unless you periodically send something in the
> outbound direction.   Not all NATs do this, but some do.   Hence the MAY.

Hmmph. MAY implies that this is reasonable behaviour. I'd have preferred to
see this phrased as a warning about possible misbehaviour by NATs, rather
than as a permitted "security" mechanism. Well, it isn't worth calling
the document back from the RFC Editor for this, but I would have
argued the point if I'd been aware of it earlier.

This is yet another reason why people are misusing HTTP to carry real time
streaming data, I suppose: NATs might arbitrarily interrupt legitimate
UDP streams.

   Brian

v2.23.0 | Report a Bug | By Email