[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [NSIS] new draft about security threats for the NAT/firewall NSLP

hi franck, 

you are right with your observation that we have envisioned scenarios where
the nsis nat/firewall signaling message needs to traverse the firewall to
allow both endpoints to authorize the creation of policy rules. this
circumstance might be exploited for the attack you mentioned.  

regarding your reference to the "3GPP2 Network Firewall Configuration and
Control specification" document. i remember that this document focused on
scenarios which go beyond the functionality currently offered by the current
nat/fw nslp specification. it might be useful to see where nsis could be
helpful. 

ciao
hannes

> -----Original Message-----
> From: Franck.Le at nokia.com [mailto:Franck.Le at nokia.com] 
> Sent: Samstag, 29. Mai 2004 00:00
> To: ali.fessi at netlab.nec.de
> Cc: nsis at ietf.org
> Subject: RE: [NSIS] new draft about security threats for the 
> NAT/firewall NSLP
> 
> Hello Ali,
> 
> Thank you for your reply.
> 
> I agree with you that a malicous node who wants to exhaust 
> the battery and the network resources of a victim can use any 
> type of traffic to flood the victim. Most firewalls typically 
> block incoming unsolicited data in order to avoid such threat.
> (Unsolicited messages can actually create more damages in 
> cellular networks as outlined in the 3GPP2 Network Firewall 
> Configuration and Control specification).
> 
> The natfw-nslp, on the contrary, require firewalls to forward 
> the nslp messages.
> Such requirement may therefore open the door for flooding. 
> Since this requirement is specific of natfw-nslp and because 
> of such requirement, this type of attack is possible, I was 
> thinking it could useful to report the threat in the 
> "Security Threats for the NAT/Firewall NSLP" draft or at 
> least in the security consideration of the "NAT/Firewall NSIS 
> Signaling Layer Protocol (NSLP)" draft.
> 
> Would you agree?
> 
> Franck
> 
> > -----Original Message-----
> > From: ext Ali Fessi [mailto:ali.fessi at netlab.nec.de]
> > Sent: 28 May, 2004 02:13 PM
> > To: Le Franck (Nokia-NRC/Dallas)
> > Cc: nsis at ietf.org
> > Subject: Re: [NSIS] new draft about security threats for the 
> > NAT/firewall NSLP
> > 
> > 
> > Hi Franck,
> > 
> > thanks for reading the draft and thanks for your feedback.
> > 
> > We focused the draft on the way how unauthorized users 
> could use the 
> > natfw-nslp to install policy rules for their advantage, 
> since this is 
> > our main concern.
> > 
> > About the threat that you suggested: i think it is not specific for 
> > the natfw-nslp. You could flood the victim with any kind of data 
> > traffic if you want to exhaust his battery or the resources of his 
> > access network.
> > i don't think that this threat fits well in the document.
> > 
> > ciao, Ali.
> > --
> > Ali Fessi
> > NEC Network Laboratories     Kurfürsten-Anlage 36, D-69115 
> Heidelberg
> > Phone: (+49) 6221 9051151    Email: ali.fessi at netlab.nec.de
> > 
> > 
> > Franck.Le at nokia.com wrote:
> > 
> > >Hello,
> > >
> > >Thank you for the internet draft. It is a good document that
> > can be helpful when designing the security solutions for the NAT/FW 
> > NSLP. Many of the threats have been identified and described. The 
> > following one is however not mentioned but might be relevant: The 
> > NAT/FW NSLP requiring firewalls to forward NSLP messages, a 
> malicious 
> > node may keep sending NSLP messages to a target. This may 
> consume the 
> > access network resources of the victim, drain the battery of the 
> > victim's terminal and may force the victim to pay for the received 
> > although undesired requests (especially in cellular networks).
> > >
> > >Would you agree with this threat? Should it be included in
> > the document as well?
> > >
> > >Thank you,
> > >
> > >Franck
> > >
> > >
> > >
> > >  
> > >
> > >>-----Original Message-----
> > >>From: nsis-bounces at ietf.org
> > [mailto:nsis-bounces at ietf.org]On Behalf Of
> > >>ext Ali Fessi
> > >>Sent: 25 May, 2004 11:56 AM
> > >>To: nsis at ietf.org
> > >>Cc: Martin Stiemerling; Tschofenig Hannes
> > >>Subject: [NSIS] new draft about security threats for the
> > NAT/firewall
> > >>NSLP
> > >>
> > >>
> > >>Dear all,
> > >>
> > >>after some discussions within the NAT/firewall NSLP team, 
> we decided 
> > >>to make a full analysis of the security threats for the 
> NAT/firewall 
> > >>NSLP before we continue.
> > >>
> > >>We submitted a new draft "Security Threats for the
> > NAT/Firewall NSLP".
> > >>
> > >>If you want to have a look at it before it becomes 
> available in the 
> > >>I-D repository, please have a look at:
> > >>
> > >>ftp://ftp.ccrle.nec.de/pub/internet-drafts/draft-fessi-nsis-na
> > >>tfw-threats-00.txt
> > >>
> > >>Comments are very welcome!!
> > >>Thanks,
> > >>Ali.
> > >>--
> > >>Ali Fessi
> > >>NEC Network Laboratories     Kurfürsten-Anlage 36, D-69115 
> > Heidelberg
> > >>Phone: (+49) 6221 9051151    Email: ali.fessi at netlab.nec.de
> > >>
> > >>
> > >>_______________________________________________
> > >>nsis mailing list
> > >>nsis at ietf.org
> > >>https://www1.ietf.org/mailman/listinfo/nsis
> > >>
> > >>    
> > >>
> > >
> > >
> > >  
> > >
> > 
> > 
> 
> _______________________________________________
> nsis mailing list
> nsis at ietf.org
> https://www1.ietf.org/mailman/listinfo/nsis
> 


_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis