RE : RE : [midcom] More on new work item
Response inline.
> >> * assuming no other NATs between the user and the ISP NAT, there is a
> >> correlation that needs to be made somewhere between the
> >> username/password and the IP address that's allocated to them. This
> >> would require some really convoluted coupling between DHCP (which
> >> can tell you the MAC/IP binding) and customer provisioning systems
> >> (which *might* be able to tell you the MAC used by a customer's cable
> >> modem) and the ISP firewall, to make sure that a user can only make
> >> changes for their own IP. This seems pretty complicated to me.
> >
> > I don't think we require a big correlation (User/PWD/IP) in order to
> > provide a security mechanism. For example, the rules can be:
> >
> > 1 - Pinholes can only be created for the source address.
> > 2 - User joe can only create 10 pinholes or IP source can only
> >     create 10 pinholes.
> > 3 - ...
>
> This rule is susceptible to source address spoofing attacks. It would
> allow me to direct traffic at a target by faking my source IP to be that
> of the target.
I think DHCP is used mainly by ISPs in two cases. The first case concerns the
assignment of pseudo-static IP addresses to clients using DHCP. This
technique is mainly used in a shared medium context (cable users for
instance). The second case concerns the assignment of dynamic IP addresses to
clients. This is mainly used with PPP links (PPPoE ADSL networks and dialup for
instance).

In the first case, it is easy to make a policy with the IP/MAC to a user
since it is pseudo-static. An attacker would have to clone the MAC/IP and
find the correct user/pwd to do a spoofing attack.

In the second case, since a PPP connection is used, it is easy to detect and
filter spoofing with a proper rule.
...J
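The rules debated above (pinholes only for the requester's own source address, a per-user quota, and an ingress anti-spoofing check that is a MAC/IP lease lookup on shared media and a one-address-per-link check on PPP) can be written down as a small policy engine. The following is an added example, not code from the midcom list or from any midcom implementation; the data classes, the lease table, the link names and the function names are all constructed for illustration, and it assumes the middlebox already knows the authenticated username, the ingress link, and (on shared media) the source MAC of each request.

```python
"""Toy pinhole-request authorizer modelled on the rules discussed in the
thread (added example; constructed names and sample data throughout).

Assumed inputs per request: authenticated user, source IP, ingress link,
source MAC (shared media only) and the pinhole being requested.
Two ingress link types are modelled:
  - shared medium (cable): the DHCP server's pseudo-static MAC/IP lease is
    the binding of record; the frame's source MAC must match it;
  - PPP (PPPoE/dialup): exactly one IP is assigned per link, so any other
    source address arriving on that link is treated as spoofed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Lease:
    """One DHCP lease, tied to the provisioned customer (constructed)."""
    mac: str
    ip: str
    user: str


@dataclass(frozen=True)
class Request:
    user: str            # authenticated username (assumed verified upstream)
    src_ip: str          # source IP of the request packet
    link: str            # ingress link id, e.g. "cable0" or "ppp17"
    src_mac: Optional[str]  # source MAC; only meaningful on shared media
    pinhole_ip: str      # address the pinhole should forward to
    pinhole_port: int


class PinholePolicy:
    MAX_PINHOLES = 10    # rule 2 from the thread: 10 pinholes per user

    def __init__(self, leases: Iterable[Lease], ppp_links: Dict[str, str]):
        self.lease_by_ip = {lease.ip: lease for lease in leases}
        self.ppp_links = dict(ppp_links)   # link id -> its single assigned IP
        self.pinholes: Dict[str, Set[Tuple[str, int]]] = {}

    def ingress_ok(self, req: Request) -> bool:
        """Anti-spoofing check at the ingress link."""
        if req.link in self.ppp_links:
            # PPP: the link carries exactly one address; anything else is spoofed.
            return self.ppp_links[req.link] == req.src_ip
        # Shared medium: the claimed IP must be leased to this MAC and this user.
        lease = self.lease_by_ip.get(req.src_ip)
        return (lease is not None
                and lease.mac == req.src_mac
                and lease.user == req.user)

    def authorize(self, req: Request) -> Tuple[bool, str]:
        """Apply the ingress check, then rule 1 and rule 2."""
        if not self.ingress_ok(req):
            return False, "spoofed or unbound source address"
        if req.pinhole_ip != req.src_ip:                  # rule 1
            return False, "pinhole must target the requester's own address"
        holes = self.pinholes.setdefault(req.user, set())
        key = (req.pinhole_ip, req.pinhole_port)
        if key in holes:
            return True, "already open"
        if len(holes) >= self.MAX_PINHOLES:               # rule 2
            return False, "pinhole quota exhausted"
        holes.add(key)
        return True, "opened"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run a few constructed requests through the policy and return outcomes."""
    policy = PinholePolicy(
        leases=[Lease("00:11:22:33:44:55", "198.51.100.10", "joe")],
        ppp_links={"ppp17": "203.0.113.7"},
    )
    cases = {
        # legitimate cable user opening a port on their own leased address
        "cable_ok": Request("joe", "198.51.100.10", "cable0",
                            "00:11:22:33:44:55", "198.51.100.10", 5060),
        # same user, same IP, but the frame came from a different MAC
        "cable_wrong_mac": Request("joe", "198.51.100.10", "cable0",
                                   "de:ad:be:ef:00:01", "198.51.100.10", 5060),
        # rule 1: pinhole must point at the requester's own source address
        "cable_other_target": Request("joe", "198.51.100.10", "cable0",
                                      "00:11:22:33:44:55", "198.51.100.99", 80),
        # PPP link with the address actually assigned to it
        "ppp_ok": Request("ann", "203.0.113.7", "ppp17", None, "203.0.113.7", 5060),
        # PPP link carrying an address that was not assigned to it
        "ppp_spoof": Request("ann", "198.51.100.10", "ppp17", None,
                             "198.51.100.10", 5060),
    }
    results = {name: policy.authorize(req) for name, req in cases.items()}
    # exhaust joe's quota: ports 5061.. until rule 2 refuses
    for port in range(5061, 5061 + PinholePolicy.MAX_PINHOLES):
        results["quota"] = policy.authorize(
            Request("joe", "198.51.100.10", "cable0",
                    "00:11:22:33:44:55", "198.51.100.10", port))
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY '} {why}")
```

The ingress check is done before rule 1 on purpose: rule 1 alone is exactly what the quoted reply objects to, since a forged source address satisfies it. The PPP branch is the "proper rule" the last paragraph refers to, a per-link check that the source address is the one the link was assigned; the shared-medium branch is the pseudo-static MAC/IP policy, which an attacker can only pass by cloning both the MAC/IP and presenting the matching user credentials.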
_______________________________________________
midcom mailing list
midcom@ietf.org
https://www1.ietf.org/mailman/listinfo/midcom