[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [NSIS] new draft about security threats for the NAT/firewall NSLP

The issues described herein relates to the so-called 3GPP overbilling attack, isn't it?

The described scenario is indeed a problem, but do you see a solution to this problem that can be provided by NATFW NSLP?

Thanks,

 Martin

--On Montag, 7. Juni 2004 9:08 Uhr -0500 Franck.Le at nokia.com wrote:

| Hi Hannes,
|
| Thank you for your comments.
|
| In addition to the potential threat discussed below, I was wondering if
| the following scenario, which does not seem to be described in the draft,
| may represent another threat or not:
|
| An external node in the Internet (node 1) may send a Create message to a
| node (node 2) protected by a firewall. Node 2 may reply with a Path
| Succeeded that will create the rules in the firewall (or vice versa i.e.
| node 2 sends the Create message and node 1 replies with the Path
| Succeeded message).
|
| Node 2 may then disconnect from the network (e.g. for mobility reasons,
| or deliberately) without sending a Delete message.
|
| The pinholes may therefore remain in the firewall until the expiration
| time which may be long.
|
| If a node (node 3) arrives in the network protected by the firewall, it
| may be assigned the IP address previously allocated to node 2. The
| external node (node 1) may then take advantage of the pinholes in the
| firewall to flood node 3, or launch other attacks against node 3,
| depending on the installed firewall rules.
|
| Would you agree that this scenario can represent a threat?
| Should it also be documented?
|
| Franck
|
|> -----Original Message-----
|> From: ext Hannes Tschofenig [mailto:Hannes.Tschofenig at siemens.com]
|> Sent: 30 May, 2004 02:42 PM
|> To: Le Franck (Nokia-NRC/Dallas); ali.fessi at netlab.nec.de
|> Cc: nsis at ietf.org
|> Subject: RE: [NSIS] new draft about security threats for the
|> NAT/firewall NSLP
|>
|>
|> hi franck,
|>
|> you are right with your observation that we have envisioned
|> scenarios where
|> the nsis nat/firewall signaling message needs to traverse the
|> firewall to
|> allow both endpoints to authorize the creation of policy rules. this
|> circumstance might be exploited for the attack you mentioned.
|>
|> regarding your reference to the "3GPP2 Network Firewall
|> Configuration and
|> Control specification" document. i remember that this
|> document focused on
|> scenarios which go beyond the functionality currently offered
|> by the current
|> nat/fw nslp specification. it might be useful to see where
|> nsis could be
|> helpful.
|>
|> ciao
|> hannes
|>
|> > -----Original Message-----
|> > From: Franck.Le at nokia.com [mailto:Franck.Le at nokia.com]
|> > Sent: Samstag, 29. Mai 2004 00:00
|> > To: ali.fessi at netlab.nec.de
|> > Cc: nsis at ietf.org
|> > Subject: RE: [NSIS] new draft about security threats for the
|> > NAT/firewall NSLP
|> >
|> > Hello Ali,
|> >
|> > Thank you for your reply.
|> >
|> > I agree with you that a malicous node who wants to exhaust
|> > the battery and the network resources of a victim can use any
|> > type of traffic to flood the victim. Most firewalls typically
|> > block incoming unsolicited data in order to avoid such threat.
|> > (Unsolicited messages can actually create more damages in
|> > cellular networks as outlined in the 3GPP2 Network Firewall
|> > Configuration and Control specification).
|> >
|> > The natfw-nslp, on the contrary, require firewalls to forward
|> > the nslp messages.
|> > Such requirement may therefore open the door for flooding.
|> > Since this requirement is specific of natfw-nslp and because
|> > of such requirement, this type of attack is possible, I was
|> > thinking it could useful to report the threat in the
|> > "Security Threats for the NAT/Firewall NSLP" draft or at
|> > least in the security consideration of the "NAT/Firewall NSIS
|> > Signaling Layer Protocol (NSLP)" draft.
|> >
|> > Would you agree?
|> >
|> > Franck
|> >
|> > > -----Original Message-----
|> > > From: ext Ali Fessi [mailto:ali.fessi at netlab.nec.de]
|> > > Sent: 28 May, 2004 02:13 PM
|> > > To: Le Franck (Nokia-NRC/Dallas)
|> > > Cc: nsis at ietf.org
|> > > Subject: Re: [NSIS] new draft about security threats for the
|> > > NAT/firewall NSLP
|> > >
|> > >
|> > > Hi Franck,
|> > >
|> > > thanks for reading the draft and thanks for your feedback.
|> > >
|> > > We focused the draft on the way how unauthorized users
|> > could use the
|> > > natfw-nslp to install policy rules for their advantage,
|> > since this is
|> > > our main concern.
|> > >
|> > > About the threat that you suggested: i think it is not
|> specific for
|> > > the natfw-nslp. You could flood the victim with any kind of data
|> > > traffic if you want to exhaust his battery or the
|> resources of his
|> > > access network.
|> > > i don't think that this threat fits well in the document.
|> > >
|> > > ciao, Ali.
|> > > --
|> > > Ali Fessi
|> > > NEC Network Laboratories     Kurfürsten-Anlage 36, D-69115
|> > Heidelberg
|> > > Phone: (+49) 6221 9051151    Email: ali.fessi at netlab.nec.de
|> > >
|> > >
|> > > Franck.Le at nokia.com wrote:
|> > >
|> > > > Hello,
|> > > >
|> > > > Thank you for the internet draft. It is a good document that
|> > > can be helpful when designing the security solutions for
|> the NAT/FW
|> > > NSLP. Many of the threats have been identified and described. The
|> > > following one is however not mentioned but might be relevant: The
|> > > NAT/FW NSLP requiring firewalls to forward NSLP messages, a
|> > malicious
|> > > node may keep sending NSLP messages to a target. This may
|> > consume the
|> > > access network resources of the victim, drain the battery of the
|> > > victim's terminal and may force the victim to pay for the
|> received
|> > > although undesired requests (especially in cellular networks).
|> > > >
|> > > > Would you agree with this threat? Should it be included in
|> > > the document as well?
|> > > >
|> > > > Thank you,
|> > > >
|> > > > Franck
|> > > >
|> > > >
|> > > >
|> > > >
|> > > >
|> > > >> -----Original Message-----
|> > > >> From: nsis-bounces at ietf.org
|> > > [mailto:nsis-bounces at ietf.org]On Behalf Of
|> > > >> ext Ali Fessi
|> > > >> Sent: 25 May, 2004 11:56 AM
|> > > >> To: nsis at ietf.org
|> > > >> Cc: Martin Stiemerling; Tschofenig Hannes
|> > > >> Subject: [NSIS] new draft about security threats for the
|> > > NAT/firewall
|> > > >> NSLP
|> > > >>
|> > > >>
|> > > >> Dear all,
|> > > >>
|> > > >> after some discussions within the NAT/firewall NSLP team,
|> > we decided
|> > > >> to make a full analysis of the security threats for the
|> > NAT/firewall
|> > > >> NSLP before we continue.
|> > > >>
|> > > >> We submitted a new draft "Security Threats for the
|> > > NAT/Firewall NSLP".
|> > > >>
|> > > >> If you want to have a look at it before it becomes
|> > available in the
|> > > >> I-D repository, please have a look at:
|> > > >>
|> > > >> ftp://ftp.ccrle.nec.de/pub/internet-drafts/draft-fessi-nsis-na
|> > > >> tfw-threats-00.txt
|> > > >>
|> > > >> Comments are very welcome!!
|> > > >> Thanks,
|> > > >> Ali.
|> > > >> --
|> > > >> Ali Fessi
|> > > >> NEC Network Laboratories     Kurfürsten-Anlage 36, D-69115
|> > > Heidelberg
|> > > >> Phone: (+49) 6221 9051151    Email: ali.fessi at netlab.nec.de
|> > > >>
|> > > >>
|> > > >> _______________________________________________
|> > > >> nsis mailing list
|> > > >> nsis at ietf.org
|> > > >> https://www1.ietf.org/mailman/listinfo/nsis
|> > > >>
|> > > >>
|> > > >>
|> > > >
|> > > >
|> > > >
|> > > >
|> > >
|> > >
|> >
|> > _______________________________________________
|> > nsis mailing list
|> > nsis at ietf.org
|> > https://www1.ietf.org/mailman/listinfo/nsis
|> >
|>
|>
|
| _______________________________________________
| nsis mailing list
| nsis at ietf.org
| https://www1.ietf.org/mailman/listinfo/nsis



_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis