RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Hello Ali,
Thank you for your reply.
I agree with you that a malicious node who wants to exhaust the battery and the network resources of a victim can use any type of traffic to flood the victim. Most firewalls typically block incoming unsolicited data in order to avoid such a threat.
(Unsolicited messages can actually create more damage in cellular networks, as outlined in the 3GPP2 Network Firewall Configuration and Control specification).
The natfw-nslp, on the contrary, requires firewalls to forward the nslp messages.
Such a requirement may therefore open the door for flooding.
Since this requirement is specific to natfw-nslp and, because of such a requirement, this type of attack is possible, I was thinking it could be useful to report the threat in the "Security Threats for the NAT/Firewall NSLP" draft or at least in the security consideration of the "NAT/Firewall NSIS Signaling Layer Protocol (NSLP)" draft.
Would you agree?
Franck
> -----Original Message-----
> From: ext Ali Fessi [mailto:ali.fessi at netlab.nec.de]
> Sent: 28 May, 2004 02:13 PM
> To: Le Franck (Nokia-NRC/Dallas)
> Cc: nsis at ietf.org
> Subject: Re: [NSIS] new draft about security threats for the
> NAT/firewall NSLP
>
>
> Hi Franck,
>
> thanks for reading the draft and thanks for your feedback.
>
> We focused the draft on the way unauthorized users could use the
> natfw-nslp to install policy rules for their advantage, since this is
> our main concern.
>
> About the threat that you suggested: I think it is not specific for the
> natfw-nslp. You could flood the victim with any kind of data traffic if
> you want to exhaust his battery or the resources of his access network.
> I don't think that this threat fits well in the document.
>
> ciao, Ali.
> --
> Ali Fessi
> NEC Network Laboratories Kurfürsten-Anlage 36, D-69115 Heidelberg
> Phone: (+49) 6221 9051151 Email: ali.fessi at netlab.nec.de
>
>
> Franck.Le at nokia.com wrote:
>
> >Hello,
> >
> >Thank you for the internet draft. It is a good document that can be helpful when designing the security solutions for the NAT/FW NSLP. Many of the threats have been identified and described. The following one is however not mentioned but might be relevant: The NAT/FW NSLP requiring firewalls to forward NSLP messages, a malicious node may keep sending NSLP messages to a target. This may consume the access network resources of the victim, drain the battery of the victim's terminal and may force the victim to pay for the received although undesired requests (especially in cellular networks).
> >
> >Would you agree with this threat? Should it be included in the document as well?
> >
> >Thank you,
> >
> >Franck
> >
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: nsis-bounces at ietf.org [mailto:nsis-bounces at ietf.org] On Behalf Of ext Ali Fessi
> >>Sent: 25 May, 2004 11:56 AM
> >>To: nsis at ietf.org
> >>Cc: Martin Stiemerling; Tschofenig Hannes
> >>Subject: [NSIS] new draft about security threats for the NAT/firewall NSLP
> >>
> >>
> >>Dear all,
> >>
> >>after some discussions within the NAT/firewall NSLP team, we decided to
> >>make a full analysis of the security threats for the NAT/firewall NSLP
> >>before we continue.
> >>
> >>We submitted a new draft "Security Threats for the NAT/Firewall NSLP".
> >>
> >>If you want to have a look at it before it becomes available in the
> >>I-D repository, please have a look at:
> >>
> >>ftp://ftp.ccrle.nec.de/pub/internet-drafts/draft-fessi-nsis-natfw-threats-00.txt
> >>
> >>Comments are very welcome!!
> >>Thanks,
> >>Ali.
> >>--
> >>Ali Fessi
> >>NEC Network Laboratories Kurfürsten-Anlage 36, D-69115 Heidelberg
> >>Phone: (+49) 6221 9051151 Email: ali.fessi at netlab.nec.de
> >>
> >>
> >>_______________________________________________
> >>nsis mailing list
> >>nsis at ietf.org
> >>https://www1.ietf.org/mailman/listinfo/nsis