[tsvwg] Attacks using NAT bindings

Christian Huitema <huitema@huitema.net> Fri, 12 November 2021 16:48 UTC


At the mike in the WG, I mentioned the attack surface enabled by support 
for NAT bindings and re-bindings. I did not see this class of attacks 
discussed in the security section of draft-ietf-tsvwg-natsupp-23.

The basic attack is to spoof a NAT rebinding. The attacker sends a 
message to one of the endpoints to make it believe that either its own 
NAT binding has changed, or the binding of the peer endpoint. The 
attacker can use that to either disrupt the connection, or insert itself 
in the middle of the connection. There are three kinds of such 
adversary: on path, on the side but seeing a copy of the traffic, and 
off path. On path adversaries can of course already disrupt the 
connection, so the security analysis should focus on "side" and "off 
path" adversaries. Can attacks be mounted by an off path adversary that 
just guesses some of the parameters of the connection? Can attacks be 
mounted by an on side adversary that sees the traffic and can inject its 
own packets?

I am no expert in SCTP, but it seems that some of the mechanisms defined 
in the draft could be used to mount such attacks. I am looking 
specifically at the "handling of missing state" considerations. It seems 
that "on the side" adversaries could spoof the ERROR messages sent by 
SCTP aware NATs, and may be able to spoof ASCONF chunks sent to endpoints.

It would be nice to either mitigate these attacks somehow, or at least 
document them in the security considerations.

-- Christian Huitema
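A toy model of the three adversary classes in the message above, added here as an illustration; it is not code from the draft or from the author. It assumes (my assumption, not something draft-ietf-tsvwg-natsupp specifies) an endpoint that first filters a spoofed rebinding claim on the association's 32-bit SCTP verification tag and then challenges the claimed new address with a nonce before switching to it; addresses are constructed from documentation ranges. It goes one step beyond the text by showing where such a check stops helping: it defeats an off-path guesser and a side adversary trying to redirect the association to an address it does not hold, but not a side adversary that has seen the tag and names an address it does control.

```python
import secrets

TAG_BITS = 32  # SCTP verification tags are 32 bits (RFC 4960)

class Network:
    """Toy network: a challenge reaches only whoever holds the address."""
    def __init__(self):
        self.owners = {}                          # addr -> handler(nonce)
    def send(self, addr, nonce):
        if addr in self.owners:
            self.owners[addr](nonce)
class Endpoint:
    """Treats a rebinding claim as unverified until the new path answers."""
    def __init__(self, peer_addr):
        self.my_tag = secrets.randbits(TAG_BITS)  # tag the peer must echo
        self.peer_addr = peer_addr
        self.pending = None                       # (candidate_addr, nonce)
    def on_rebind_claim(self, tag, new_addr, net):
        if tag != self.my_tag:                    # off-path filter: drop
            return False
        nonce = secrets.randbits(64)              # do not switch yet
        self.pending = (new_addr, nonce)
        net.send(new_addr, nonce)                 # challenge the new path
        return True

    def on_challenge_response(self, from_addr, nonce):
        if self.pending == (from_addr, nonce):
            self.peer_addr, self.pending = from_addr, None
            return True
        return False
def off_path_attack(ep, net, guesses):
    """Sees no traffic; can only guess the 32-bit tag (constructed target addr)."""
    return any(ep.on_rebind_claim(secrets.randbits(TAG_BITS), "203.0.113.9", net)
               for _ in range(guesses))
def side_attack(ep, net, claimed_addr, attacker_addr):
    """Sees the tag and injects a claim, but can only receive at attacker_addr."""
    net.owners[attacker_addr] = lambda n: ep.on_challenge_response(attacker_addr, n)
    ep.on_rebind_claim(ep.my_tag, claimed_addr, net)
    return ep.peer_addr == claimed_addr           # did the rebind take effect?

def run_scenarios():
    """Which adversary classes manage to change the peer address? (constructed addrs)"""
    def fresh():
        return Endpoint("198.51.100.1"), Network()
    return {
        "off_path_guessing": off_path_attack(*fresh(), 10_000),
        "side_redirect_to_third_party": side_attack(*fresh(), "203.0.113.9", "203.0.113.77"),
        "side_insert_self": side_attack(*fresh(), "203.0.113.77", "203.0.113.77"),
    }
```

The last scenario is the one a tag check plus path challenge cannot close: the attacker both knows the tag and answers at the address it claimed, so it ends up in the middle of the association exactly as the message warns.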