Re: [tcpm] possible NAT support for TCP-AO
Ron Bonica <rbonica@juniper.net> Mon, 13 July 2009 23:02 UTC
Return-Path: <rbonica@juniper.net>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E5D693A6E62 for <tcpm@core3.amsl.com>; Mon, 13 Jul 2009 16:02:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MkIYAcgOAzRd for <tcpm@core3.amsl.com>; Mon, 13 Jul 2009 16:02:02 -0700 (PDT)
Received: from exprod7og112.obsmtp.com (exprod7og112.obsmtp.com [64.18.2.177]) by core3.amsl.com (Postfix) with ESMTP id 1E67C3A6C51 for <tcpm@ietf.org>; Mon, 13 Jul 2009 16:02:00 -0700 (PDT)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob112.postini.com ([64.18.6.12]) with SMTP ID DSNKSlu9A+KPc1ZJlcRIcWPcKE4YHSfItRNT@postini.com; Mon, 13 Jul 2009 16:02:31 PDT
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.1.375.2; Mon, 13 Jul 2009 15:59:46 -0700
Received: from [172.28.134.11] (172.28.134.11) by p-emfe01-wf.jnpr.net (172.28.145.22) with Microsoft SMTP Server (TLS) id 8.1.375.2; Mon, 13 Jul 2009 18:59:45 -0400
Message-ID: <4A5BBC5E.8030600@juniper.net>
Date: Mon, 13 Jul 2009 18:59:42 -0400
From: Ron Bonica <rbonica@juniper.net>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <4A5B9FEB.6080706@isi.edu>
In-Reply-To: <4A5B9FEB.6080706@isi.edu>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] possible NAT support for TCP-AO
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2009 23:02:03 -0000
Joe,
If TCP-AO were for the exclusive use of BGP, I wouldn't worry so much
about NAT. Nobody (to the best of my knowlege) runs BGP across a NAT
boundary.
If TCP-AO is being designed for non-BGP applications also, the tweaks
that Joe describes make perfect sense. They appear to be simple enough
and shouldn't take too long to document.
Ron
Joe Touch wrote:
> Hi, all,
>
> Based on a discussion on a different list with Dan Wing, I'd like to
> revisit thinking about NATs in the context of the current AO, which uses
> traffic keys derived from the socket pair and ISN pair. We might be able
> to now support NATs as follows, e.g.:
>
> add the following flags to the MKT:
>
> localNAT flag - indicates whether the local IP/port are
> zeroed before MAC calculation
>
> remoteNAT flag - indicates whether the remote IP/port
> are zeroed before MAC calculation
>
> add steps to the incoming/outgoing processing:
> zero the corresponding IP/port when the flag indicates,
> both on outgoing and incoming MAC calculation
>
> That's basically it. A client behind a NAT would have a MKT with
> localNAT true, and a server for that client would need to have a MKT
> with remoteNAT true. This does require careful MKT configuration.
> Although I wouldn't expect both localNAT and remoteNAT to be true, there
> isn't a particular reason it needs to be prohibited.
>
> Here's the security impact:
>
> - no impact to other connections (AFAICT)
>
> - SYN/SYN-ACKs limited only as much as the MKT TCP connection
> ID is, i.e., as a small range or single value rather than
> wildcard for either address or port
>
> - connections are reasonably well-protected once established,
> much like BTNS (due to use of both ISNs in the traffic keys)
>
> - reduced entropy for the traffic keys from a given MKT,
> since their input could be limited to the ISN pair in the
> worst case
>
> I did NOT include this in TCP-AO-05, but it's simple enough to add if
> useful. I'd like to ask that we think about this before Stockholm, and
> discuss it on the list if possible in advance.
>
> Joe
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
.
- Re: [tcpm] possible NAT support for TCP-AO Joe Touch
- [tcpm] possible NAT support for TCP-AO Joe Touch
- Re: [tcpm] possible NAT support for TCP-AO Ron Bonica
- Re: [tcpm] possible NAT support for TCP-AO Gregory M. Lebovitz
- Re: [tcpm] possible NAT support for TCP-AO Eric Rescorla