Re: [BEHAVE] Very late query on stateful NAT64
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 22 October 2010 01:23 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E89A3A67DB for <behave@core3.amsl.com>; Thu, 21 Oct 2010 18:23:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.58
X-Spam-Level:
X-Spam-Status: No, score=-102.58 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peaeHJkFZ8zi for <behave@core3.amsl.com>; Thu, 21 Oct 2010 18:23:52 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 44CFB3A6359 for <behave@ietf.org>; Thu, 21 Oct 2010 18:23:52 -0700 (PDT)
Received: by iwn5 with SMTP id 5so326553iwn.31 for <behave@ietf.org>; Thu, 21 Oct 2010 18:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=YY08FTDfuywQchgpbzt/d26rY4nfEqCypgOGuDGcoKw=; b=dRDBuZPCSUuXttw1vhH3GIVjagwqEDP1qb93/VoUk4zyZNm4BIu311vpz60S2AJIWk mQOONYkkt3Zlqnp1mATJtmiNlE5R7GIVuQQAAvbFncjXtHOCrlrlVm/UFlog96ausHQS cqbTVM33xot6oPS80JnTn2BpKE1CpnHIBOOg0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=GgWTqwdcnyLjtz9nQgIxcOhllQ3Urdbz7U190FJPndZQ4xfxAuwOUjmta6ieEuV8xL v0YlgQLp+CUvy/vIYzf6OTM37D9eAUiUY954P3s8aZ/PA5VB1rh5xBmsb4fyOzO6O0kI UGAlnaq33tRiXWXNv6AWMYan9Qxqeqf2SCpGY=
Received: by 10.231.166.205 with SMTP id n13mr1790506iby.112.1287710728749; Thu, 21 Oct 2010 18:25:28 -0700 (PDT)
Received: from [130.216.38.124] (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id q3sm898714vcr.3.2010.10.21.18.25.26 (version=SSLv3 cipher=RC4-MD5); Thu, 21 Oct 2010 18:25:28 -0700 (PDT)
Message-ID: <4CC0E80D.8060800@gmail.com>
Date: Fri, 22 Oct 2010 14:25:33 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Dave Thaler <dthaler@microsoft.com>
References: <4CC0C319.1040400@gmail.com> <9B57C850BB53634CACEC56EF4853FF6534328FB8@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <9B57C850BB53634CACEC56EF4853FF6534328FB8@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Se-young Yu <syu051@aucklanduni.ac.nz>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] Very late query on stateful NAT64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2010 01:23:53 -0000
On 2010-10-22 13:38, Dave Thaler wrote: >> -----Original Message----- >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf >> Of Brian E Carpenter >> Sent: Thursday, October 21, 2010 3:48 PM >> To: behave@ietf.org >> Cc: Se-young Yu >> Subject: [BEHAVE] Very late query on stateful NAT64 >> >> Hi, >> >> The security considerations of the RFC-to-be draft-ietf-behave-v6v4-xlate- >> stateful-12 >> include this: >> >>> Another consideration related to NAT64 resource depletion refers to >>> the preservation of binding state. Attackers may try to keep a >>> binding state alive forever by sending periodic packets that refresh >>> the state. In order to allow the NAT64 to defend against such >>> attacks, the NAT64 MAY choose not to extend the session entry >>> lifetime for a specific entry upon the reception of packets for that >>> entry through the external interface. >> How does the NAT64 distinguish between malicious keep-alives and genuine >> packets of a one-way UDP flow of some kind? We don't see how this can be >> implemented. > > My understanding is that this is no different from stateful NAT44... > Many NAT44s require packets in the outbound direction in order to keep > the mapping alive. So you can have a one-way UDP flow in the outbound > direction just fine. But if you want a one-way UDP flow in the inbound direction, > this will time out and break unless you periodically send something in the > outbound direction. Not all NATs do this, but some do. Hence the MAY. Hmmph. MAY implies that this is reasonable behaviour. I'd have preferred to see this phrased as a warning about possible misbehaviour by NATs, rather than as a permitted "security" mechanism. Well, it isn't worth calling the document back from the RFC Editor for this, but I would have argued the point if I'd been aware of it earlier. This is yet another reason why people are misusing HTTP to carry real time streaming data, I suppose: NATs might arbitrarily interrupt legitimate UDP streams. Brian
- [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Reinaldo Penno
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter
- Re: [BEHAVE] Very late query on stateful NAT64 Reinaldo Penno
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Dan Wing
- Re: [BEHAVE] Very late query on stateful NAT64 Dan Wing
- Re: [BEHAVE] Very late query on stateful NAT64 marcelo bagnulo braun
- Re: [BEHAVE] Very late query on stateful NAT64 Dave Thaler
- Re: [BEHAVE] Very late query on stateful NAT64 Brian E Carpenter