Re: [tcpm] possible NAT support for TCP-AO
Ron Bonica <rbonica@juniper.net> Mon, 13 July 2009 23:02 UTC
Return-Path: <rbonica@juniper.net>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E5D693A6E62 for <tcpm@core3.amsl.com>; Mon, 13 Jul 2009 16:02:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MkIYAcgOAzRd for <tcpm@core3.amsl.com>; Mon, 13 Jul 2009 16:02:02 -0700 (PDT)
Received: from exprod7og112.obsmtp.com (exprod7og112.obsmtp.com [64.18.2.177]) by core3.amsl.com (Postfix) with ESMTP id 1E67C3A6C51 for <tcpm@ietf.org>; Mon, 13 Jul 2009 16:02:00 -0700 (PDT)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob112.postini.com ([64.18.6.12]) with SMTP ID DSNKSlu9A+KPc1ZJlcRIcWPcKE4YHSfItRNT@postini.com; Mon, 13 Jul 2009 16:02:31 PDT
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.1.375.2; Mon, 13 Jul 2009 15:59:46 -0700
Received: from [172.28.134.11] (172.28.134.11) by p-emfe01-wf.jnpr.net (172.28.145.22) with Microsoft SMTP Server (TLS) id 8.1.375.2; Mon, 13 Jul 2009 18:59:45 -0400
Message-ID: <4A5BBC5E.8030600@juniper.net>
Date: Mon, 13 Jul 2009 18:59:42 -0400
From: Ron Bonica <rbonica@juniper.net>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <4A5B9FEB.6080706@isi.edu>
In-Reply-To: <4A5B9FEB.6080706@isi.edu>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] possible NAT support for TCP-AO
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2009 23:02:03 -0000
Joe, If TCP-AO were for the exclusive use of BGP, I wouldn't worry so much about NAT. Nobody (to the best of my knowlege) runs BGP across a NAT boundary. If TCP-AO is being designed for non-BGP applications also, the tweaks that Joe describes make perfect sense. They appear to be simple enough and shouldn't take too long to document. Ron Joe Touch wrote: > Hi, all, > > Based on a discussion on a different list with Dan Wing, I'd like to > revisit thinking about NATs in the context of the current AO, which uses > traffic keys derived from the socket pair and ISN pair. We might be able > to now support NATs as follows, e.g.: > > add the following flags to the MKT: > > localNAT flag - indicates whether the local IP/port are > zeroed before MAC calculation > > remoteNAT flag - indicates whether the remote IP/port > are zeroed before MAC calculation > > add steps to the incoming/outgoing processing: > zero the corresponding IP/port when the flag indicates, > both on outgoing and incoming MAC calculation > > That's basically it. A client behind a NAT would have a MKT with > localNAT true, and a server for that client would need to have a MKT > with remoteNAT true. This does require careful MKT configuration. > Although I wouldn't expect both localNAT and remoteNAT to be true, there > isn't a particular reason it needs to be prohibited. > > Here's the security impact: > > - no impact to other connections (AFAICT) > > - SYN/SYN-ACKs limited only as much as the MKT TCP connection > ID is, i.e., as a small range or single value rather than > wildcard for either address or port > > - connections are reasonably well-protected once established, > much like BTNS (due to use of both ISNs in the traffic keys) > > - reduced entropy for the traffic keys from a given MKT, > since their input could be limited to the ISN pair in the > worst case > > I did NOT include this in TCP-AO-05, but it's simple enough to add if > useful. I'd like to ask that we think about this before Stockholm, and > discuss it on the list if possible in advance. > > Joe _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm .
- Re: [tcpm] possible NAT support for TCP-AO Joe Touch
- [tcpm] possible NAT support for TCP-AO Joe Touch
- Re: [tcpm] possible NAT support for TCP-AO Ron Bonica
- Re: [tcpm] possible NAT support for TCP-AO Gregory M. Lebovitz
- Re: [tcpm] possible NAT support for TCP-AO Eric Rescorla