[BEHAVE] Very late query on stateful NAT64

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 21 October 2010 22:46 UTC

Message-ID: <4CC0C319.1040400@gmail.com>
Date: Fri, 22 Oct 2010 11:47:53 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: behave@ietf.org
Cc: Se-young Yu <syu051@aucklanduni.ac.nz>
Subject: [BEHAVE] Very late query on stateful NAT64

Hi,

The security considerations of the RFC-to-be draft-ietf-behave-v6v4-xlate-stateful-12
include this:

>    Another consideration related to NAT64 resource depletion refers to
>    the preservation of binding state.  Attackers may try to keep a
>    binding state alive forever by sending periodic packets that refresh
>    the state.  In order to allow the NAT64 to defend against such
>    attacks, the NAT64 MAY choose not to extend the session entry
>    lifetime for a specific entry upon the reception of packets for that
>    entry through the external interface. 

How does the NAT64 distinguish between malicious keep-alives
and genuine packets of a one-way UDP flow of some kind? We don't
see how this can be implemented.

Regards
   Brian Carpenter + Se-young Yu
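The policy the quoted paragraph permits, and the ambiguity the question raises, as an added example that is not part of this message or of the draft: a toy NAT64 session table in which only packets from the internal (IPv6) side refresh the session lifetime. The lifetime value, the session key and the rule that only internal-side packets create state are assumptions made for the example.

```python
# Added example (not from the message or the draft): a toy model of a
# stateful NAT64 UDP session table that implements the quoted option of
# refreshing the session lifetime only on packets from the internal (IPv6)
# side. Lifetime value and session keys are constructed for the example.

UDP_LIFETIME = 300  # seconds; constructed value, not taken from the draft


class Nat64Sessions:
    def __init__(self, refresh_on_external):
        # refresh_on_external=False is the draft's optional defensive policy
        self.refresh_on_external = refresh_on_external
        self.expires_at = {}  # session key -> absolute expiry time

    def _expire(self, now):
        for key in [k for k, t in self.expires_at.items() if t <= now]:
            del self.expires_at[key]

    def packet(self, key, direction, now):
        """Handle one packet for session `key`; direction is 'internal'
        (arrived on the IPv6 side) or 'external' (arrived on the IPv4 side).
        Returns True if a session exists for the packet after processing."""
        self._expire(now)
        if key not in self.expires_at:
            if direction == "external":
                return False  # assumption: only internal-side packets create state
            self.expires_at[key] = now + UDP_LIFETIME
            return True
        if direction == "internal" or self.refresh_on_external:
            self.expires_at[key] = now + UDP_LIFETIME
        return True

    def alive(self, key, now):
        self._expire(now)
        return key in self.expires_at


def inbound_only_flow(refresh_on_external, end=900, interval=60):
    """One outbound packet at t=0 opens the session; afterwards only
    external-side packets arrive every `interval` seconds. This pattern is
    identical for an attacker's keep-alives and for a genuine one-way UDP
    stream, so the table cannot tell them apart. Returns whether the session
    is still alive at t=end."""
    table = Nat64Sessions(refresh_on_external)
    table.packet("udp-session-1", "internal", 0)
    for now in range(interval, end, interval):
        table.packet("udp-session-1", "external", now)
    return table.alive("udp-session-1", end)
```

Under the defensive policy the inbound-only session is gone at t=300 regardless of who the external sender is; with external refresh enabled it survives, which is exactly the trade-off the question points at.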