Re: RE : [midcom] More on new work item
Joel Tran wrote:
There is a serious trust issue here. Is the ISP really going to issue a
username and password to every user of their network, entrusting them
with permissions to use midcom to manage port bindings on their
network-wide NAT?? I certainly hope not. That's an open invitation for
substantial denial of service attacks.
-Jonathan R.
Correct me if I'm wrong. I don't think it is an open invitation for a DoS attack
if there is a proper Access Control List/Policy Rule in the Midcom device which
may limit the use of the port bindings for each user.
I don't think this can work easily.
How would the ACL be structured? Presumably, you'd want to say something
like, "user joe is allowed to open up pinholes directed to his currently
allocated IP address". There are several major problems here:
* if there is any other NAT intervening between the user and the ISP's NAT (very
common here in the US at least, due to residential NAT devices like
those made by Linksys), this of course won't help even if you work out
the ACL issues
* assuming no other NATs between the user and the ISP NAT, there is a
correlation that needs to be made somewhere between the
username/password and the IP address that's allocated to them. This would
require some really convoluted coupling between DHCP (which can tell you
the MAC/IP binding) and customer provisioning systems (which *might* be
able to tell you the MAC used by a customer's cable modem) and the ISP
firewall, to make sure that a user can only make changes for their own
IP. This seems pretty complicated to me.
* It's also not clear to me that there aren't security holes in the whole
thing that might enable someone to learn the passwords and usernames
needed to control bindings for other IP addresses.
* I don't know whether the MIBs include sufficient ACLs for the above to
work (have not looked).
IMHO, the topological issues with midcom, which we have long been aware
of, combined with the CONTROL nature of the relationship between the
agent and the client, really point to applicability limited to a trusted
device that controls a neighboring firewall or NAT, thus useful for
carrier edge or large enterprise edge applications.
-Jonathan R.
--
Jonathan D. Rosenberg, Ph.D.
Chief Technology Officer
dynamicsoft
600 Lanidex Plaza
Parsippany, NJ 07054-2711
PHONE: (973) 952-5000
FAX: (973) 952-5050
jdrosen@dynamicsoft.com
http://www.jdrosen.net
http://www.dynamicsoft.com
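The ACL model the two messages argue about ("user joe may only open pinholes directed to his currently allocated IP address", with a per-user cap on bindings as the DoS control) can be made concrete as a small policy check. The following is an added example written for this archive page, not code from the midcom working group, the MIBs, or any vendor: it joins a constructed provisioning table (subscriber to cable-modem MAC) with a constructed DHCP lease table (MAC to allocated inside IP) to obtain the username-to-IP correlation Jonathan describes, then decides each request against it. The names, MACs, addresses, the `PinholeRequest` type and the quota value are all assumptions made for the illustration. The residential-NAT case shows up naturally: a host address on the user's private LAN is never in the ISP's lease table, so the ISP-side ACL cannot express or grant it.

```python
"""Added example: a user-scoped authorization check for NAT pinhole requests.

Models the ACL rule discussed in the thread ("user joe may only open pinholes
directed to his currently allocated IP address") as a policy function that joins
a DHCP lease table with a subscriber provisioning table, and caps live bindings
per user as a denial-of-service control. Every table, name and address here is
constructed for the example; nothing is taken from the midcom MIBs or protocol.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import AddressValueError, IPv4Address


@dataclass(frozen=True)
class PinholeRequest:
    user: str        # authenticated identity of the requesting midcom agent
    inside_ip: str   # inside address the new binding should be directed to
    inside_port: int


# Constructed provisioning data: subscriber -> MAC of that subscriber's cable modem.
PROVISIONING = {
    "joe": "00:11:22:33:44:55",
    "alice": "00:11:22:33:44:66",
    "bob": "00:11:22:33:44:77",   # provisioned but currently offline (no lease)
}

# Constructed DHCP lease table: MAC -> inside IP currently allocated by the ISP.
DHCP_LEASES = {
    "00:11:22:33:44:55": IPv4Address("10.20.0.7"),
    "00:11:22:33:44:66": IPv4Address("10.20.0.9"),
}

MAX_BINDINGS_PER_USER = 2   # constructed quota: the per-user limit Joel suggests


def user_ip_map(provisioning, leases):
    """Correlate username -> allocated inside IP via the cable-modem MAC.

    This is the coupling between provisioning, DHCP and the NAT that the thread
    says would be needed; users whose modem holds no lease get no entry.
    """
    return {user: leases[mac] for user, mac in provisioning.items() if mac in leases}


def authorize(req, user_ips, live_bindings):
    """Decide one pinhole request. Returns (allowed, reason).

    live_bindings is a Counter of currently open bindings per user, used to
    enforce the per-user quota.
    """
    bound_ip = user_ips.get(req.user)
    if bound_ip is None:
        return False, "no current address is known for this user"
    try:
        target = IPv4Address(req.inside_ip)
    except AddressValueError:
        return False, "malformed inside address"
    if target != bound_ip:
        # Covers both another subscriber's address and a host on a private LAN
        # behind a residential NAT: the ISP only knows the modem's address.
        return False, "inside address is not the requester's allocated address"
    if not 1 <= req.inside_port <= 65535:
        return False, "invalid inside port"
    if live_bindings[req.user] >= MAX_BINDINGS_PER_USER:
        return False, "per-user binding quota exhausted"
    return True, "ok"


def demo():
    """Run the cases raised in the thread and return {case: allowed}."""
    user_ips = user_ip_map(PROVISIONING, DHCP_LEASES)
    live = Counter()
    results = {}

    # joe asks for a pinhole to his own allocated address: permitted.
    ok, _ = authorize(PinholeRequest("joe", "10.20.0.7", 5060), user_ips, live)
    results["own_address"] = ok
    if ok:
        live["joe"] += 1

    # joe asks for a pinhole to alice's address: refused by the per-user ACL.
    results["other_users_address"] = authorize(
        PinholeRequest("joe", "10.20.0.9", 5060), user_ips, live)[0]

    # joe's PC sits behind a Linksys router; its LAN address is invisible to the
    # ISP NAT, so the ACL cannot express it and the request is refused.
    results["host_behind_residential_nat"] = authorize(
        PinholeRequest("joe", "192.168.1.10", 5060), user_ips, live)[0]

    # bob is provisioned but holds no lease, so no correlation exists.
    results["no_lease"] = authorize(
        PinholeRequest("bob", "10.20.0.11", 5060), user_ips, live)[0]

    # joe opens a second binding (allowed), then a third hits the quota.
    second_ok, _ = authorize(PinholeRequest("joe", "10.20.0.7", 5061), user_ips, live)
    if second_ok:
        live["joe"] += 1
    results["quota_exhausted"] = authorize(
        PinholeRequest("joe", "10.20.0.7", 5062), user_ips, live)[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:30} {'ALLOW' if allowed else 'DENY'}")
```

The check itself is a few comparisons; the part that is hard in practice is keeping `user_ip_map` correct as leases change and modems move, which is exactly the DHCP/provisioning/firewall coupling the message calls convoluted. A design that places the midcom agent on a trusted device adjacent to the NAT avoids needing that correlation at all.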
_______________________________________________
midcom mailing list
midcom@ietf.org
https://www1.ietf.org/mailman/listinfo/midcom