IETF Logo Mail Archive

Re: [BEHAVE] Very late query on stateful NAT64

Reinaldo Penno <rpenno@juniper.net> Fri, 22 October 2010 03:42 UTC

Return-Path: <rpenno@juniper.net>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C7F93A672E for <behave@core3.amsl.com>; Thu, 21 Oct 2010 20:42:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.583
X-Spam-Level:
X-Spam-Status: No, score=-6.583 tagged_above=-999 required=5 tests=[AWL=0.016, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yqa+FwPxxJwg for <behave@core3.amsl.com>; Thu, 21 Oct 2010 20:42:22 -0700 (PDT)
Received: from exprod7og116.obsmtp.com (exprod7og116.obsmtp.com [64.18.2.219]) by core3.amsl.com (Postfix) with ESMTP id 508C33A6826 for <behave@ietf.org>; Thu, 21 Oct 2010 20:42:20 -0700 (PDT)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob116.postini.com ([64.18.6.12]) with SMTP ID DSNKTMEIe3T2wLmSMCmbnUP7g7JJIf23PoxE@postini.com; Thu, 21 Oct 2010 20:43:59 PDT
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.2.254.0; Thu, 21 Oct 2010 20:41:26 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Thu, 21 Oct 2010 23:41:25 -0400
From: Reinaldo Penno <rpenno@juniper.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Thu, 21 Oct 2010 23:41:22 -0400
Thread-Topic: [BEHAVE] Very late query on stateful NAT64
Thread-Index: ActxlfSuktQ7gma3SyS/6aIAvuVRgQABQnge
Message-ID: <C8E655F2.2D927%rpenno@juniper.net>
In-Reply-To: <4CC0FF64.4020100@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-Entourage/13.6.0.100712
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Se-young Yu <syu051@aucklanduni.ac.nz>, "behave@ietf.org" <behave@ietf.org>, Dave Thaler <dthaler@microsoft.com>
Subject: Re: [BEHAVE] Very late query on stateful NAT64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2010 03:42:24 -0000

On 10/21/10 8:05 PM, "Brian E Carpenter" <brian.e.carpenter@gmail.com>
wrote:

> On 2010-10-22 15:55, Reinaldo Penno wrote:
>> Hello ,
>> 
>> Comments inline.
>> 
>> 
>> On 10/21/10 6:25 PM, "Brian E Carpenter" <brian.e.carpenter@gmail.com>
>> wrote:
>> 
>>> On 2010-10-22 13:38, Dave Thaler wrote:
>>>>> -----Original Message-----
>>>>> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] On Behalf
>>>>> Of Brian E Carpenter
>>>>> Sent: Thursday, October 21, 2010 3:48 PM
>>>>> To: behave@ietf.org
>>>>> Cc: Se-young Yu
>>>>> Subject: [BEHAVE] Very late query on stateful NAT64
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> The security considerations of the RFC-to-be draft-ietf-behave-v6v4-xlate-
>>>>> stateful-12
>>>>> include this:
>>>>> 
>>>>>>    Another consideration related to NAT64 resource depletion refers to
>>>>>>    the preservation of binding state.  Attackers may try to keep a
>>>>>>    binding state alive forever by sending periodic packets that refresh
>>>>>>    the state.  In order to allow the NAT64 to defend against such
>>>>>>    attacks, the NAT64 MAY choose not to extend the session entry
>>>>>>    lifetime for a specific entry upon the reception of packets for that
>>>>>>    entry through the external interface.
>>>>> How does the NAT64 distinguish between malicious keep-alives and genuine
>>>>> packets of a one-way UDP flow of some kind? We don't see how this can be
>>>>> implemented.
>>>> My understanding is that this is no different from stateful NAT44...
>>>> Many NAT44s require packets in the outbound direction in order to keep
>>>> the mapping alive.  So you can have a one-way UDP flow in the outbound
>>>> direction just fine.  But if you want a one-way UDP flow in the inbound
>>>> direction,
>> 
>> How can an unidirectional inbound flow go through a NAPT?
> 
> I would assume there were one or two outbound packets to start
> the session.
> 
>> 
>>>> this will time out and break unless you periodically send something in the
>>>> outbound direction.   Not all NATs do this, but some do.   Hence the MAY.
>>> Hmmph. MAY implies that this is reasonable behaviour. I'd have preferred to
>>> see this phrased as a warning about possible misbehaviour by NATs, rather
>>> than as a permitted "security" mechanism. Well, it isn't worth calling
>>> the document back from the RFC Editor for this, but I would have
>>> argued the point if I'd been aware of it earlier.
>> 
>> Such discussion is present in RFC4787 as well - REQ-6.
>> 
>>> This is yet another reason why people are misusing HTTP to carry real time
>>> streaming data, I suppose: NATs might arbitrarily interrupt legitimate
>>> UDP streams.
>> 
>> I disagree. It is because of RTSP ALGs, ubiquity of HTTP clients and APIs in
>> every device, from iPhone to large desktop, availability of HTTP streaming
>> servers, authentication, etc.
> 
> Well, it all started because HTTP gets through NATs and firewalls.

Even if we assume this point, RTSP data sessions were problematic through
NATs not because inbound flows were timed out, but because they could not
get through at all.

RTSP ALGs solve these issues, but bring its own.

> The things you mentioned came afterwards.

I think this is a good discussion for another time.

> 
>    Brian

v2.23.0 | Report a Bug | By Email