Re: RE : [midcom] More on new work item

Jonathan Rosenberg <jdrosen@dynamicsoft.com> Fri, 30 April 2004 16:22 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA12433 for <midcom-archive@odin.ietf.org>; Fri, 30 Apr 2004 12:22:59 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BJaTF-0008OZ-7i for midcom-archive@odin.ietf.org; Fri, 30 Apr 2004 12:02:37 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i3UG2bn9032272 for midcom-archive@odin.ietf.org; Fri, 30 Apr 2004 12:02:37 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BJaLy-0007Az-Mt; Fri, 30 Apr 2004 11:55:06 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BJaCR-0005VP-At for midcom@optimus.ietf.org; Fri, 30 Apr 2004 11:45:15 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA10171 for <midcom@ietf.org>; Fri, 30 Apr 2004 11:45:12 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BJaCQ-00032e-5u for midcom@ietf.org; Fri, 30 Apr 2004 11:45:14 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BJaBW-0002zp-00 for midcom@ietf.org; Fri, 30 Apr 2004 11:44:19 -0400
Received: from [63.113.44.69] (helo=mail3.dynamicsoft.com) by ietf-mx with esmtp (Exim 4.12) id 1BJaAz-0002w9-00 for midcom@ietf.org; Fri, 30 Apr 2004 11:43:45 -0400
Received: from dynamicsoft.com ([63.113.46.116]) by mail3.dynamicsoft.com (8.12.8/8.12.1) with ESMTP id i3UFgkus021582; Fri, 30 Apr 2004 11:42:47 -0400 (EDT)
Message-ID: <409273DB.3000007@dynamicsoft.com>
Date: Fri, 30 Apr 2004 11:42:19 -0400
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Organization: dynamicsoft
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Joel Tran <joel.tran@USherbrooke.ca>
CC: 'Melinda Shore' <mshore@cisco.com>, midcom@ietf.org
Subject: Re: RE : [midcom] More on new work item
References: <000601c42dfb$648eae10$b248d284@kamel> <40917970.4050604@dynamicsoft.com> <1083335900.409264dc864e3@www.usherbrooke.ca>
In-Reply-To: <1083335900.409264dc864e3@www.usherbrooke.ca>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Sender: midcom-admin@ietf.org
Errors-To: midcom-admin@ietf.org
X-BeenThere: midcom@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=unsubscribe>
List-Id: <midcom.ietf.org>
List-Post: <mailto:midcom@ietf.org>
List-Help: <mailto:midcom-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=subscribe>


Joel Tran wrote:


>>There is a serious trust issue here. Is the ISP really going to issue a 
>>username and password to every user of their network, entrusting them 
>>with permissions to use midcom to manage port bindings on their network 
>>wide NAT?? I certainly hope not. That's an open invitation for 
>>substantial denial of service attacks.
>>
>>-Jonathan R.
> 
> 
> Correct me if I'm wrong. I don't think it is an open invitation for DoS attack 
> if there is a proper Access Control List/Policy Rule in the Midcom device which 
> may limit the use of the port bindings for each user. 

I don't think this can work easily.

How would the ACL be structured? Presumably, you'd want to say something 
like, "user joe is allowed to open up pinholes directed to his currently 
allocated IP address". There are several major problems here:

* if there is any other NAT intervening between the user and the ISP's 
NAT (very common here in the US at least, due to residential NAT devices 
like those made by Linksys), this of course won't help even if you work 
out the ACL issues

* assuming no other NATs between the user and the ISP NAT, there is a 
correlation that needs to be made somewhere between the 
username/password and the IP address that's allocated to them. This 
would require some really convoluted coupling between DHCP (which can 
tell you the MAC/IP binding) and customer provisioning systems (which 
*might* be able to tell you the MAC used by a customer's cable modem) and 
the ISP firewall, to make sure that a user can only make changes for 
their own IP. This seems pretty complicated to me.

* It's also not clear to me that there aren't security holes in the whole 
thing that might enable someone to learn the passwords and usernames 
needed to control bindings for other IP addresses.

* I don't know whether the MIBs include sufficient ACLs for the above to 
work (have not looked)

IMHO, the topological issues with midcom, which we have long been aware 
of, combined with the CONTROL nature of the relationship between the 
agent and the client, really point to applicability limited to a trusted 
device that controls a neighboring firewall or NAT, thus useful for 
carrier edge or large enterprise edge applications.

-Jonathan R.


-- 
Jonathan D. Rosenberg, Ph.D.                600 Lanidex Plaza
Chief Technology Officer                    Parsippany, NJ 07054-2711
dynamicsoft
jdrosen@dynamicsoft.com                     FAX:   (973) 952-5050
http://www.jdrosen.net                      PHONE: (973) 952-5000
http://www.dynamicsoft.com

_______________________________________________
midcom mailing list
midcom@ietf.org
https://www1.ietf.org/mailman/listinfo/midcom
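Editor's added example, not part of the thread above and not code from any 
midcom implementation: a toy model in Python of the per-user pinhole ACL 
that Rosenberg's first two bullets describe. It couples a (hypothetical) 
provisioning table (user -> customer-premises MAC) with a (constructed) 
DHCP lease table (MAC -> IP) so that a user may only open pinholes to the 
address currently leased to them, and it adds the per-user cap from Joel 
Tran's suggestion. All names, MACs and addresses are made up. The scenario 
in demo() exercises the two failure modes the reply raises: a request for 
another customer's address, and a request for a LAN address behind a 
residential NAT that the ISP NAT never allocated and so cannot attribute 
to anyone.

```python
# Added example (not from the original thread or any midcom product):
# a toy per-user pinhole ACL for an ISP-edge NAT. Every name, MAC and
# address below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpLease:
    mac: str
    ip: str


@dataclass(frozen=True)
class PinholeRequest:
    user: str          # authenticated midcom agent identity
    internal_ip: str   # inside address the pinhole should be opened to
    internal_port: int
    protocol: str = "udp"


class PinholePolicy:
    """Decide whether an authenticated user may open a pinhole.

    provisioning: user -> CPE MAC, as a customer provisioning system
                  might supply it (assumed available).
    leases:       MAC -> IP, as the ISP's DHCP server sees it.
    Joining these two tables is the correlation step the reply calls
    convoluted; the per-user cap is the 'policy rule' from the quoted
    message.
    """

    def __init__(self, provisioning, leases, max_pinholes_per_user=8):
        mac_to_user = {mac: user for user, mac in provisioning.items()}
        self.user_ip = {}   # user -> leased IP
        self.ip_owner = {}  # leased IP -> user
        for lease in leases:
            user = mac_to_user.get(lease.mac)
            if user is not None:
                self.user_ip[user] = lease.ip
                self.ip_owner[lease.ip] = user
        self.max = max_pinholes_per_user
        self.open = {}  # user -> set of (ip, port, protocol)

    def authorize(self, req):
        """Return (allowed, reason) for one request."""
        if req.user not in self.user_ip:
            return False, "user not provisioned or has no DHCP lease"
        owner = self.ip_owner.get(req.internal_ip)
        if owner is None:
            # This NAT never allocated the address. Typical cause: the
            # host sits behind a residential NAT, so even a correct ACL
            # cannot bind it to a user (the topology problem in the reply).
            return False, "address not allocated by this NAT (downstream NAT?)"
        if owner != req.user:
            return False, f"address belongs to {owner}, not {req.user}"
        opened = self.open.setdefault(req.user, set())
        key = (req.internal_ip, req.internal_port, req.protocol)
        if key not in opened and len(opened) >= self.max:
            return False, "per-user pinhole limit reached"
        opened.add(key)
        return True, "ok"


def demo():
    """Constructed scenario; returns the decision for each request."""
    provisioning = {"joe": "00:11:22:33:44:55", "ann": "66:77:88:99:aa:bb"}
    leases = [DhcpLease("00:11:22:33:44:55", "10.0.5.20"),
              DhcpLease("66:77:88:99:aa:bb", "10.0.5.21")]
    policy = PinholePolicy(provisioning, leases, max_pinholes_per_user=2)
    requests = [
        PinholeRequest("joe", "10.0.5.20", 5004),     # own address
        PinholeRequest("joe", "10.0.5.21", 5004),     # ann's address
        PinholeRequest("joe", "192.168.1.50", 5004),  # host behind joe's home NAT
        PinholeRequest("mallory", "10.0.5.20", 80),   # not provisioned
        PinholeRequest("joe", "10.0.5.20", 5006),     # second pinhole
        PinholeRequest("joe", "10.0.5.20", 5008),     # third: over the cap
    ]
    return [policy.authorize(r) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two caveats that follow from the thread rather than the code: the cap only 
bounds how many bindings one credential can hold, not how many stolen 
credentials an attacker holds, so it does nothing for the third bullet 
(credential leakage); and the lease table changes with every DHCP renewal, 
so the policy must be rebuilt or queried live, which is exactly the 
coupling between DHCP, provisioning and the firewall that the reply calls 
out.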