Re: RE : [midcom] More on new work item
Jonathan Rosenberg <jdrosen@dynamicsoft.com> Fri, 30 April 2004 16:22 UTC
Message-ID: <409273DB.3000007@dynamicsoft.com>
Date: Fri, 30 Apr 2004 11:42:19 -0400
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Organization: dynamicsoft
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Joel Tran <joel.tran@USherbrooke.ca>
CC: 'Melinda Shore' <mshore@cisco.com>, midcom@ietf.org
Subject: Re: RE : [midcom] More on new work item
References: <000601c42dfb$648eae10$b248d284@kamel> <40917970.4050604@dynamicsoft.com> <1083335900.409264dc864e3@www.usherbrooke.ca>
In-Reply-To: <1083335900.409264dc864e3@www.usherbrooke.ca>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Joel Tran wrote:

> > There is a serious trust issue here. Is the ISP really going to issue a
> > username and password to every user of their network, entrusting them
> > with permissions to use midcom to manage port bindings on their network
> > wide NAT?? I certainly hope not. That's an open invitation for
> > substantial denial of service attacks.
> >
> > -Jonathan R.
>
> Correct me if I'm wrong. I don't think it is an open invitation for DOS attack
> if there is a proper Access Control List/Policy Rule in the Midcom device which
> may limit the use of the port bindings for each user.

I don't think this can work easily. How would the ACL be structured? Presumably, you'd want to say something like, "user joe is allowed to open up pinholes directed to his currently allocated IP address". There are several major problems here:

* if there is any other NAT intervening between the user and the ISP's NAT (very common here in the US at least, due to residential NAT devices like those made by Linksys), this of course won't help even if you work out the ACL issues

* assuming no other NATs between the user and the ISP NAT, there is a correlation that needs to be made somewhere between the username/password and the IP address that's allocated to them. This would require some really convoluted coupling between DHCP (which can tell you the MAC/IP binding) and customer provisioning systems (which *might* be able to tell you the MAC used by a customer's cable modem) and the ISP firewall, to make sure that a user can only make changes for their own IP. This seems pretty complicated to me.

* It's also not clear to me that there aren't security holes in the whole thing that might enable someone to learn the passwords and usernames needed to control bindings for other IP addresses.

* I don't know whether the MIBs include sufficient ACLs for the above to work (have not looked)

IMHO, the topological issues with midcom, which we have long been aware of, combined with the CONTROL nature of the relationship between the agent and the client, really point to applicability limited to a trusted device that controls a neighboring firewall or NAT, thus useful for carrier edge or large enterprise edge applications.

-Jonathan R.

--
Jonathan D. Rosenberg, Ph.D.                600 Lanidex Plaza
Chief Technology Officer                    Parsippany, NJ 07054-2711
dynamicsoft
jdrosen@dynamicsoft.com                     FAX:   (973) 952-5050
http://www.jdrosen.net                      PHONE: (973) 952-5000
http://www.dynamicsoft.com
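The following is an added toy model, not code from the thread, midcom, or any ISP system, of the per-user ACL the two posters are arguing about. It implements Joel's idea (a user may only open pinholes to his own allocated address, with a per-user binding cap) using constructed, hypothetical provisioning and DHCP tables, and then traces an inbound packet through the authorized pinhole to show Jonathan's topological point: when the allocated address belongs to the WAN side of a residential NAT, the ISP-side pinhole is authorized correctly yet the packet never reaches the user's host.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the ISP's provisioning and DHCP
# systems (hypothetical values, not from any real deployment).
PROVISIONING = {"joe": "00:11:22:33:44:55", "ann": "66:77:88:99:aa:bb"}  # user -> modem MAC
DHCP_LEASES = {"00:11:22:33:44:55": "10.0.0.10", "66:77:88:99:aa:bb": "10.0.0.20"}  # MAC -> IP
MAX_BINDINGS_PER_USER = 2  # the per-user limit Joel proposes, to cap DoS exposure


@dataclass(frozen=True)
class Request:
    user: str        # authenticated midcom username
    source_ip: str   # address the midcom request arrived from
    target_ip: str   # inside address the pinhole should forward to
    ext_port: int    # external port to open on the ISP NAT


def allocated_ip(user: str) -> Optional[str]:
    """Join provisioning (user -> MAC) with DHCP (MAC -> IP): the coupling Jonathan describes."""
    mac = PROVISIONING.get(user)
    return DHCP_LEASES.get(mac) if mac else None


@dataclass
class IspNat:
    pinholes: dict = field(default_factory=dict)  # ext_port -> (user, target_ip)

    def bindings_for(self, user: str) -> int:
        return sum(1 for u, _ in self.pinholes.values() if u == user)

    def authorize(self, req: Request) -> tuple:
        """The ACL: 'user X may open pinholes to X's currently allocated IP', plus a quota."""
        ip = allocated_ip(req.user)
        if ip is None:
            return False, "user has no current allocation"
        if req.target_ip != ip:
            return False, "pinhole target is not the requester's allocated address"
        if req.source_ip != ip:
            return False, "request did not come from the requester's allocated address"
        if self.bindings_for(req.user) >= MAX_BINDINGS_PER_USER:
            return False, "per-user binding quota exhausted"
        if req.ext_port in self.pinholes:
            return False, "external port already bound"
        return True, "ok"

    def open_pinhole(self, req: Request) -> tuple:
        ok, why = self.authorize(req)
        if ok:
            self.pinholes[req.ext_port] = (req.user, req.target_ip)
        return ok, why


@dataclass
class ResidentialNat:
    """A second NAT (a home router) whose WAN side holds the ISP-allocated address."""
    wan_ip: str
    mappings: dict = field(default_factory=dict)  # wan port -> LAN host; empty = nothing forwarded


def deliver_inbound(isp: IspNat, ext_port: int, attached: dict) -> Optional[str]:
    """Follow an inbound packet through the ISP pinhole to whatever sits at the target address.

    `attached` maps each allocated IP to either a host name (directly attached) or a
    ResidentialNat. Returns the host that receives the packet, or None if it is dropped.
    """
    entry = isp.pinholes.get(ext_port)
    if entry is None:
        return None
    _, target_ip = entry
    node = attached.get(target_ip)
    if isinstance(node, ResidentialNat):
        # The ISP pinhole cannot create a mapping inside the home router, so the
        # packet is dropped there unless the user separately configured one.
        return node.mappings.get(ext_port)
    return node


def scenario() -> dict:
    """Run the cases discussed in the thread and return their outcomes."""
    isp = IspNat()
    results = {}
    results["own_ip"] = isp.open_pinhole(Request("joe", "10.0.0.10", "10.0.0.10", 5060))
    results["other_ip"] = isp.open_pinhole(Request("joe", "10.0.0.10", "10.0.0.20", 5061))
    results["wrong_source"] = isp.open_pinhole(Request("joe", "10.0.0.20", "10.0.0.10", 5062))
    results["second"] = isp.open_pinhole(Request("joe", "10.0.0.10", "10.0.0.10", 5063))
    results["quota"] = isp.open_pinhole(Request("joe", "10.0.0.10", "10.0.0.10", 5064))
    results["ann"] = isp.open_pinhole(Request("ann", "10.0.0.20", "10.0.0.20", 5065))
    # Topology: joe sits behind a home router holding his allocated IP; ann is attached directly.
    attached = {"10.0.0.10": ResidentialNat(wan_ip="10.0.0.10"), "10.0.0.20": "ann-pc"}
    results["reach_joe"] = deliver_inbound(isp, 5060, attached)
    results["reach_ann"] = deliver_inbound(isp, 5065, attached)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The ACL part only works because `allocated_ip` can join the provisioning table with the DHCP lease table; in a real ISP those live in separate systems, which is the coupling Jonathan calls convoluted. The `reach_joe` case is the topological limit: `open_pinhole` returns `(True, "ok")` for joe, but `deliver_inbound` returns `None` because the home router has no matching mapping, so a correct ACL does not make midcom useful past a second NAT.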