Re: [BEHAVE] [NAT64] Hairpinning loop

To: "'Simon Perreault'" <simon.perreault at viagenie.ca>, "'Behave WG'" <behave at ietf.org>
Subject: Re: [BEHAVE] [NAT64] Hairpinning loop
From: "Dan Wing" <dwing at cisco.com>
Date: Thu, 5 Nov 2009 16:27:38 -0800
Authentication-results: sj-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
Cc: draft-ietf-behave-address-format at tools.ietf.org
Delivered-to: behave at core3.amsl.com
In-reply-to: <4AF34349.40503 at viagenie.ca>
List-archive: <http://www.ietf.org/mail-archive/web/behave>
List-help: <mailto:behave-request@ietf.org?subject=help>
List-id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-post: <mailto:behave@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
References: <4AF34349.40503 at viagenie.ca>
Thread-index: AcpeXtSVfhiiKTrCQLeUEPmXfM+7SwAGPCpQ

 

> -----Original Message-----
> From: behave-bounces at ietf.org 
> [mailto:behave-bounces at ietf.org] On Behalf Of Simon Perreault
> Sent: Thursday, November 05, 2009 1:28 PM
> To: Behave WG
> Subject: [BEHAVE] [NAT64] Hairpinning loop
> 
> Hello,
> 
> In draft-ietf-behave-v6v4-xlate-stateful-02, Section 6 contains the
> following text:
> 
>    TBD: Is there such a thing as a hairpin loop (likely not naturally,
>    but perhaps through a special-crafted attack packet with a spoofed
>    source address)?  If so, need to drop packets that hairpin 
> more than
>    once.
> 
> I believe that the answer is yes.
> 
> If the IPv6-only client can guess the IPv4 binding address 
> that will be
> created, it can use the IPv6 representation of it as source 
> address for
> creating this binding. Then any packet sent to the binding's IPv4
> address will loop in the NAT64.
> 
> 
> Example:
> 
> IPv4 pool => 192.0.2.0/24
> 
> IPv6-only client sends this to NAT64:
> 
> Source: [Pref64::192.0.2.1]:500
> Destination: whatever
> 
> The NAT64 allocates 192.0.2.1:500 as IPv4 binding address.
> 
> Now anything sent to 192.0.2.1:500, be it a hairpinned IPv6 
> packet or an
> IPv4 packet, will loop.
> 
> 
> How hard is it to guess? Easy. First you create a binding and use e.g.
> STUN to know your external IPv4. New bindings will always have this
> address. Then you use a source port in the range 1-1023. This will
> increase your chances to 1/512 (since range and parity must be
> preserved). Many NAT44 implementations today will go further and
> allocate the same source port if it is available.
> 
> 
> Easy fix: Drop IPv6 packets whose source address is in Pref64::/n. (Is
> this mentioned somewhere already? I couldn't find anything having this
> effect.)

Yes, that mitigation is described in
http://tools.ietf.org/html/draft-ietf-behave-address-format-01#section-4.1

However, the security considerations section does not mention the
attack you are describing; it probably should.  I CC'd the authors.

> Does this make sense?

Yes.

-d

> Simon
> -- 
> DNS64 open-source   --> http://ecdysis.viagenie.ca
> STUN/TURN server    --> http://numb.viagenie.ca
> vCard 4.0           --> http://www.vcarddav.org
> _______________________________________________
> Behave mailing list
> Behave at ietf.org
> https://www.ietf.org/mailman/listinfo/behave

Follow-Ups:
- Re: [BEHAVE] [NAT64] Hairpinning loop
  - From: Brian E Carpenter

References:
- [BEHAVE] [NAT64] Hairpinning loop
  - From: Simon Perreault

Prev by Date: Re: [BEHAVE] Opsdir Review of draft-ietf-behave-turn-uri-03.txt
Next by Date: Re: [BEHAVE] I-D Action:draft-ietf-behave-v6v4-xlate-03.txt
Previous by thread: [BEHAVE] [NAT64] Hairpinning loop
Next by thread: Re: [BEHAVE] [NAT64] Hairpinning loop
Index(es):
- Date
- Thread

Re: [BEHAVE] [NAT64] Hairpinning loop

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.