Re: [BEHAVE] [NAT64] Hairpinning loop

To: Dan Wing <dwing at cisco.com>
Subject: Re: [BEHAVE] [NAT64] Hairpinning loop
From: Brian E Carpenter <brian.e.carpenter at gmail.com>
Date: Sat, 07 Nov 2009 10:28:37 +1300
Cc: draft-ietf-behave-address-format at tools.ietf.org, 'Behave WG' <behave at ietf.org>
Delivered-to: behave at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=rogVoz7wn+vlNiy1/QztiJbdrI1nFX01RlA91yM6He0=; b=MQ3tlnKJRsIZOzWMxC88Io8XkVgWH60cZ4VXtzRMBwtTbkjtA9LDjPoMZoRsoWERM4 fVHo8c2yAX/Iwme1f9fQMlTqIwo+r5mchQt6tMupXOtZqxUR5PSYAva4VbgFUYH3WIT7 Hf43dTZtyhBElFOA4akwcwgr0OAT4ckb5JTfQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=aNqZ/M6ZwONZxRBzIkE/LrwthLL2rA7akbdpublKqzjl8XpkrF4Oei0R72Ru2ud8lG GpG2WtVbWcRs4BM6K//E9ER2spaMPuunuPZcW2xxLfx9wHl/0IPbKmeli5n1XYo7PWyz mC/hjaClOnQ4AxetpTfUtloef9vsWenMY4554=
In-reply-to: <087601ca5e77$f24381b0$c6f0200a at cisco.com>
List-archive: <http://www.ietf.org/mail-archive/web/behave>
List-help: <mailto:behave-request@ietf.org?subject=help>
List-id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-post: <mailto:behave@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
Organization: University of Auckland
References: <4AF34349.40503 at viagenie.ca> <087601ca5e77$f24381b0$c6f0200a at cisco.com>
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

On 2009-11-06 13:27, Dan Wing wrote:
>  
> 
>> -----Original Message-----
>> From: behave-bounces at ietf.org 
>> [mailto:behave-bounces at ietf.org] On Behalf Of Simon Perreault
>> Sent: Thursday, November 05, 2009 1:28 PM
>> To: Behave WG
>> Subject: [BEHAVE] [NAT64] Hairpinning loop
>>
>> Hello,
>>
>> In draft-ietf-behave-v6v4-xlate-stateful-02, Section 6 contains the
>> following text:
>>
>>    TBD: Is there such a thing as a hairpin loop (likely not naturally,
>>    but perhaps through a special-crafted attack packet with a spoofed
>>    source address)?  If so, need to drop packets that hairpin 
>> more than
>>    once.
>>
>> I believe that the answer is yes.

On reading section 6 a few times, I couldn't figure out a case where
sending a hairpin packet would actually have any value to a user.
There will always be another way of reaching the intended destination
with a native IPv6 address.

So unless this is wrong, why not just say that all hairpin packets
MUST be discarded?

  Brian
>>
>> If the IPv6-only client can guess the IPv4 binding address 
>> that will be
>> created, it can use the IPv6 representation of it as source 
>> address for
>> creating this binding. Then any packet sent to the binding's IPv4
>> address will loop in the NAT64.
>>
>>
>> Example:
>>
>> IPv4 pool => 192.0.2.0/24
>>
>> IPv6-only client sends this to NAT64:
>>
>> Source: [Pref64::192.0.2.1]:500
>> Destination: whatever
>>
>> The NAT64 allocates 192.0.2.1:500 as IPv4 binding address.
>>
>> Now anything sent to 192.0.2.1:500, be it a hairpinned IPv6 
>> packet or an
>> IPv4 packet, will loop.
>>
>>
>> How hard is it to guess? Easy. First you create a binding and use e.g.
>> STUN to know your external IPv4. New bindings will always have this
>> address. Then you use a source port in the range 1-1023. This will
>> increase your chances to 1/512 (since range and parity must be
>> preserved). Many NAT44 implementations today will go further and
>> allocate the same source port if it is available.
>>
>>
>> Easy fix: Drop IPv6 packets whose source address is in Pref64::/n. (Is
>> this mentioned somewhere already? I couldn't find anything having this
>> effect.)
> 
> Yes, that mitigation is described in
> http://tools.ietf.org/html/draft-ietf-behave-address-format-01#section-4.1
> 
> However, the security considerations section does not mention the
> attack you are describing; it probably should.  I CC'd the authors.
> 
>> Does this make sense?
> 
> Yes.
> 
> -d
> 
>> Simon
>> -- 
>> DNS64 open-source   --> http://ecdysis.viagenie.ca
>> STUN/TURN server    --> http://numb.viagenie.ca
>> vCard 4.0           --> http://www.vcarddav.org
>> _______________________________________________
>> Behave mailing list
>> Behave at ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
> 
> _______________________________________________
> Behave mailing list
> Behave at ietf.org
> https://www.ietf.org/mailman/listinfo/behave
>

Follow-Ups:
- Re: [BEHAVE] [NAT64] Hairpinning loop
  - From: Simon Perreault

References:
- [BEHAVE] [NAT64] Hairpinning loop
  - From: Simon Perreault
- Re: [BEHAVE] [NAT64] Hairpinning loop
  - From: Dan Wing

Prev by Date: Re: [BEHAVE] I-D Action:draft-ietf-behave-v6v4-xlate-03.txt
Next by Date: Re: [BEHAVE] Review of draft-boucadair-behave-dns-a64-01
Previous by thread: Re: [BEHAVE] [NAT64] Hairpinning loop
Next by thread: Re: [BEHAVE] [NAT64] Hairpinning loop
Index(es):
- Date
- Thread

Re: [BEHAVE] [NAT64] Hairpinning loop

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.