Re: RE : [midcom] More on new work item
"Joel Tran" <joel.tran@USherbrooke.ca> Fri, 30 April 2004 17:23 UTC
Received: from optimus.ietf.org (www.iesg.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA16126 for <midcom-archive@odin.ietf.org>; Fri, 30 Apr 2004 13:23:52 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BJbez-00082V-J5 for midcom-archive@odin.ietf.org; Fri, 30 Apr 2004 13:18:49 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i3UHIncY030903 for midcom-archive@odin.ietf.org; Fri, 30 Apr 2004 13:18:49 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BJbXS-0006et-GU; Fri, 30 Apr 2004 13:11:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BJbN0-0004Kp-2B for midcom@optimus.ietf.org; Fri, 30 Apr 2004 13:00:14 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA14553 for <midcom@ietf.org>; Fri, 30 Apr 2004 13:00:10 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BJbMy-0000b4-9L for midcom@ietf.org; Fri, 30 Apr 2004 13:00:12 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BJbM4-0000VE-00 for midcom@ietf.org; Fri, 30 Apr 2004 12:59:17 -0400
Received: from smtp.usherbrooke.ca ([132.210.244.17] helo=courrier3.usherbrooke.ca) by ietf-mx with esmtp (Exim 4.12) id 1BJbL9-0000Np-00 for midcom@ietf.org; Fri, 30 Apr 2004 12:58:19 -0400
Received: from kamel (traj1901.gel.usherb.ca [132.210.72.178]) by courrier3.usherbrooke.ca (8.11.6/8.11.6) with ESMTP id i3UGvbg26673; Fri, 30 Apr 2004 12:57:37 -0400
From: Joel Tran <joel.tran@USherbrooke.ca>
To: jdrosen@dynamicsoft.com
Cc: midcom@ietf.org, 'Melinda Shore' <mshore@cisco.com>
Subject: Re: RE : [midcom] More on new work item
Date: Fri, 30 Apr 2004 12:57:07 -0400
Message-ID: <000701c42ed4$2ec76360$b248d284@kamel>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Importance: Normal
X-UdeS-MailScanner-Information: Veuillez consulter le http://www.usherbrooke.ca/vers/virus-courriel
X-UdeS-MailScanner: Aucun code suspect détecté
X-MailScanner-SpamCheck: n'est pas un polluriel, SpamAssassin (score=-4.9, requis 5, autolearn=not spam, BAYES_00 -4.90)
X-MailScanner-From: joel.tran@usherbrooke.ca
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Sender: midcom-admin@ietf.org
Errors-To: midcom-admin@ietf.org
X-BeenThere: midcom@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=unsubscribe>
List-Id: <midcom.ietf.org>
List-Post: <mailto:midcom@ietf.org>
List-Help: <mailto:midcom-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=subscribe>
> -----Message d'origine----- > De : Jonathan Rosenberg [mailto:jdrosen@dynamicsoft.com] > Envoyé : 30 avril, 2004 11:42 > À : Joel Tran > Cc : 'Melinda Shore'; midcom@ietf.org > Objet : Re: RE : [midcom] More on new work item > > > > > Joel Tran wrote: > > > >>There is a serious trust issue here. Is the ISP really > going to issue > >>a > >>username and password to every user of their network, > entrusting them > >>with permissions to use midcom to manage port bindings on > their network > >>wide NAT?? I certainly hope not. Thats an open invitation for > >>substantial denial of service attacks. > >> > >>-Jonathan R. > > > > > > Correct me if I'm wrong. I don't think it is an open invitation for > > DOS attack > > if there is a proper Access Control List/Policy Rule in the > Midcom device which > > may limit the use of the port bindings for each user. > > I don't think this can work easily. > > How would the ACL be structured? Presumably, you'd want to > say something > like, "user joe is allowed to open up pinholes directed to > his currently > allocated IP address". There are several major problems here: Yes I ment something like this. Something like the 1st Tuple of the Midcom entry has to be the IP adresse of the client/IP address from where the message is originating. > > * if there is any other NAT intervening the user and the > ISP's nat (very > common here in the US at least, due to residential NAT devices like > those made by linksys), this of course won't help even if you > work out > the ACL issues Yes traversing the home NAT is a problem. Just a quick question, is there a solution avaible for traversing both home and ISP NAT (excluding relaying) when two peers are under such topology? If yes, we could probably learn form them how they solve the situtation. > * assuming no other nats between the user and the ISP NAT, there is a > correlation that needs to be made somewhere between the > username/password and the IP address thats allocated to them. > This would > require some really convoluted coupling between DHCP (which > can tell you > the MAC/IP binding) and customer provisioning systems (which > *might* be > able to tell you the MAC used by a customers cable modem) and the ISP > firewall, to make sure that a user can only make changes for > their own > IP. This seems pretty complicated to me. I don't think we require a big correlation (User/PWD/IP) in order to provide a security mechanism. For example, the rules can be : 1 - Pinholes can only be created for the source address. 2 - User joe can only create 10 pinholes or IP source can only create 10 pinholes. 3 - ... > * Its also not clear to me that there aren't security holes > in the whole > thing that might enable someone to learn the passwords and usernames > needed to control bindings for other IP addresses. I'm not an SNMPv3 expert but I think that the security mechanism (USM/encryption) provided by SNMPv3 is strong enough so that it will be hard for someone to break trough and discover the user name/password or try to get unrestricted access. > * I dont know whether the MIBs include sufficient ACLs for > the above to > work (have not looked) In my understanding (from the mailing list), Midcom MIB document is not finished yet. Probably we will have to wait to see if the MIB will have sufficient ACLs. > IMHO, the topological issues with midcom, which we have long > been aware > of, combined with the CONTROL nature of the relationship between the > agent and the client, really point to applicability limited > to a trusted > device that controls a neighboring firewall or NAT, thus useful for > carrier edge or large enterprise edge applications. In general, I do agree with you. However, in this case I was only trying to find a solution in order to provide a full peer to peer solution (not only for SIP where a server can be the trusted control certer) for various kind of topology. ...J _______________________________________________ midcom mailing list midcom@ietf.org https://www1.ietf.org/mailman/listinfo/midcom
- [midcom] More on new work item Melinda Shore
- Re: [midcom] More on new work item Jonathan Rosenberg
- RE: [midcom] More on new work item Christopher A. Martin
- Re: [midcom] More on new work item Melinda Shore
- RE : [midcom] More on new work item Joel Tran
- Re: RE : [midcom] More on new work item Jonathan Rosenberg
- Re: RE : [midcom] More on new work item Joel Tran
- Re: RE : [midcom] More on new work item Jonathan Rosenberg
- Re: RE : [midcom] More on new work item Joel Tran
- Re: RE : [midcom] More on new work item Melinda Shore
- Re: RE : [midcom] More on new work item Jonathan Rosenberg
- RE : RE : [midcom] More on new work item Joel Tran
- Re: RE : RE : [midcom] More on new work item Melinda Shore
- RE: RE : RE : [midcom] More on new work item Christian Huitema
- RE : RE : [midcom] More on new work item Joel Tran
- Re: RE : RE : [midcom] More on new work item Jonathan Rosenberg