IETF Logo Mail Archive

Re: [BEHAVE] Very late query on stateful NAT64

Dave Thaler <dthaler@microsoft.com> Fri, 22 October 2010 15:29 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4C7893A6817 for <behave@core3.amsl.com>; Fri, 22 Oct 2010 08:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.465
X-Spam-Level:
X-Spam-Status: No, score=-110.465 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxv7fDNtUQ7L for <behave@core3.amsl.com>; Fri, 22 Oct 2010 08:29:57 -0700 (PDT)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by core3.amsl.com (Postfix) with ESMTP id B7B8B3A66B4 for <behave@ietf.org>; Fri, 22 Oct 2010 08:29:57 -0700 (PDT)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 22 Oct 2010 08:31:29 -0700
Received: from TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com (157.54.71.39) by TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.1.255.3; Fri, 22 Oct 2010 08:31:29 -0700
Received: from TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com ([169.254.1.172]) by TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.39]) with mapi; Fri, 22 Oct 2010 08:31:29 -0700
From: Dave Thaler <dthaler@microsoft.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [BEHAVE] Very late query on stateful NAT64
Thread-Index: AQHLcXIWiMsNFaW94EKhTGeKB100qpNMH3gQgACDB4CAAHYQkA==
Date: Fri, 22 Oct 2010 15:31:21 +0000
Message-ID: <9B57C850BB53634CACEC56EF4853FF6534329CAA@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
References: <4CC0C319.1040400@gmail.com> <9B57C850BB53634CACEC56EF4853FF6534328FB8@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com> <4CC0E80D.8060800@gmail.com>
In-Reply-To: <4CC0E80D.8060800@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: Se-young Yu <syu051@aucklanduni.ac.nz>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] Very late query on stateful NAT64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2010 15:29:59 -0000

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: Thursday, October 21, 2010 6:26 PM
> To: Dave Thaler
> Cc: behave@ietf.org; Se-young Yu
> Subject: Re: [BEHAVE] Very late query on stateful NAT64
> 
> On 2010-10-22 13:38, Dave Thaler wrote:
> >> -----Original Message-----
> >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On
> >> Behalf Of Brian E Carpenter
> >> Sent: Thursday, October 21, 2010 3:48 PM
> >> To: behave@ietf.org
> >> Cc: Se-young Yu
> >> Subject: [BEHAVE] Very late query on stateful NAT64
> >>
> >> Hi,
> >>
> >> The security considerations of the RFC-to-be
> >> draft-ietf-behave-v6v4-xlate-
> >> stateful-12
> >> include this:
> >>
> >>>    Another consideration related to NAT64 resource depletion refers to
> >>>    the preservation of binding state.  Attackers may try to keep a
> >>>    binding state alive forever by sending periodic packets that refresh
> >>>    the state.  In order to allow the NAT64 to defend against such
> >>>    attacks, the NAT64 MAY choose not to extend the session entry
> >>>    lifetime for a specific entry upon the reception of packets for that
> >>>    entry through the external interface.
> >> How does the NAT64 distinguish between malicious keep-alives and
> >> genuine packets of a one-way UDP flow of some kind? We don't see how
> >> this can be implemented.
> >
> > My understanding is that this is no different from stateful NAT44...
> > Many NAT44s require packets in the outbound direction in order to keep
> > the mapping alive.  So you can have a one-way UDP flow in the outbound
> > direction just fine.  But if you want a one-way UDP flow in the
> > inbound direction, this will time out and break unless you periodically send
> something in the
> > outbound direction.   Not all NATs do this, but some do.   Hence the MAY.
> 
> Hmmph. MAY implies that this is reasonable behaviour. I'd have preferred to see
> this phrased as a warning about possible misbehaviour by NATs, rather than as a
> permitted "security" mechanism. Well, it isn't worth calling the document back
> from the RFC Editor for this, but I would have argued the point if I'd been aware
> of it earlier.

I think you're probably right.

Some related data (not quite the same thing) is at
http://www.ietf.org/proceedings/78/slides/behave-8.pdf
slide 8.  This shows the timeout that the NATs surveyed use in approximately
the scenario you mention.  The fact that the test used increasing delay implies
that they might all indeed refresh the state (i.e. not misbehave as you put it), but
since that wasn't tested directly it's hard to say. 

Maybe we can get the Nokia Research Center guys to run this test with the NATs
they have?

-Dave

v2.23.0 | Report a Bug | By Email