
RE: [NSIS] new draft about security threats for the NAT/firewall NSLP

--On Thursday, 10 June 2004 9:51 +0100 "Hancock, Robert" <robert.hancock at roke.co.uk> wrote:

| Hi,
|
| I'll check if I understand correctly by asking:
|
| Is this actually a generic threat which applies to
| any firewall configuration method where the network 'behind'
| the firewall uses any mechanism for dynamic address
| assignment (which could cause addresses to be
| re-assigned)?

Yes indeed it applies. For instance, with the use of MIDCOM between a SIP proxy and a middlebox in a mobile network, pinholes might still be open after the mobile node has moved and has been replaced by another one.

The question in my mind with this type of scenario: Is it not badly engineered when state remains in the network when a mobile node moves? At least in the MIDCOM scenario the SIP proxy should know that the node has moved and close the pinholes immediately.

|
| If so, we should document it (in that form). It may
| not be specific to the NATFW NSLP; however, there
| may be deployment considerations related to it which
| could usefully be captured somewhere (in this case,
| I think it would be that there should be some
| interdependency between the soft-state lifetime of
| the address assignment mechanism and of the NATFW
| NSLP state management.)

The security risk should in fact be documented and probably is already in the NATFW NSLP threats document (it needs some refinement though).

Martin

_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis
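The scenario the two messages above argue about, as an added example that is not part of the thread or of any NATFW NSLP or MIDCOM implementation: a middlebox keeps soft-state pinholes keyed on the inside address, the inside network hands out addresses dynamically, and a mobile node can leave before its pinhole expires. The model contrasts the two countermeasures raised in the thread, Hancock's coupling of pinhole lifetime to the address lease and Martin's explicit teardown when the proxy learns of the move. All class and function names (AddressPool, Firewall, run_scenario), the addresses, ports and timings are constructed for illustration.

```python
"""
Constructed model of the stale-pinhole threat: pinhole state on a
middlebox outliving the dynamic address assignment it was granted for.
Example code added to this page; names, addresses and timings are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# A flow is (inside addr, inside port, outside addr, outside port, protocol).
Flow = Tuple[str, int, str, int, str]


@dataclass
class Lease:
    node: str          # identity of the node currently holding the address
    expires_at: float  # absolute time (seconds) at which the lease lapses


@dataclass
class Pinhole:
    owner: str         # node that requested the pinhole
    expires_at: float  # absolute time at which the soft state times out


class AddressPool:
    """DHCP-style dynamic address assignment on the inside network (constructed)."""

    def __init__(self) -> None:
        self.leases: Dict[str, Lease] = {}

    def assign(self, node: str, addr: str, now: float, lifetime: float) -> None:
        self.leases[addr] = Lease(node, now + lifetime)

    def release(self, addr: str) -> None:
        # Address handed back early, e.g. because the mobile node moved away.
        self.leases.pop(addr, None)

    def remaining(self, addr: str, now: float) -> float:
        lease = self.leases.get(addr)
        return 0.0 if lease is None else max(0.0, lease.expires_at - now)


class Firewall:
    """Middlebox holding soft-state pinholes keyed on the 5-tuple (constructed)."""

    def __init__(self, pool: AddressPool, bound_to_lease: bool) -> None:
        self.pool = pool
        self.bound_to_lease = bound_to_lease
        self.pinholes: Dict[Flow, Pinhole] = {}

    def open_pinhole(self, node: str, flow: Flow, now: float, requested: float) -> float:
        lifetime = requested
        if self.bound_to_lease:
            # Couple the pinhole lifetime to the address assignment: the
            # pinhole must never outlive the lease of the requesting address.
            lifetime = min(lifetime, self.pool.remaining(flow[0], now))
        self.pinholes[flow] = Pinhole(node, now + lifetime)
        return lifetime

    def close_pinholes_of(self, node: str) -> int:
        # Explicit teardown of all state a node owns, driven by the entity
        # (e.g. a SIP proxy) that learns the node has moved.
        victims = [f for f, p in self.pinholes.items() if p.owner == node]
        for f in victims:
            del self.pinholes[f]
        return len(victims)

    def permits(self, flow: Flow, now: float) -> bool:
        p = self.pinholes.get(flow)
        return p is not None and p.expires_at > now


def run_scenario(early_release: bool, bound_to_lease: bool, teardown_on_move: bool) -> bool:
    """Return True if node B's traffic passes through a pinhole node A opened."""
    pool = AddressPool()
    fw = Firewall(pool, bound_to_lease)
    addr = "10.0.0.5"
    flow: Flow = (addr, 5060, "198.51.100.7", 5060, "udp")

    # t=0: mobile node A holds addr for 60 s and asks for a 600 s pinhole.
    pool.assign("A", addr, now=0, lifetime=60)
    fw.open_pinhole("A", flow, now=0, requested=600)

    if early_release:
        # t=30: A moves away, its address is returned, B receives it at t=31.
        pool.release(addr)
        if teardown_on_move:
            fw.close_pinholes_of("A")
        pool.assign("B", addr, now=31, lifetime=60)
        probe_time = 40
    else:
        # A vanishes without releasing; the lease lapses at t=60, B gets addr at 61.
        pool.assign("B", addr, now=61, lifetime=60)
        probe_time = 70

    # Traffic from B matching A's old flow: does the middlebox still pass it?
    return fw.permits(flow, probe_time)
```

Running the six combinations shows the gap Martin points at: with no countermeasure B's traffic is admitted in both cases; bounding the pinhole lifetime to the lease closes the case where A's lease simply lapses, but not the case where A moves and the address is reassigned while the lease is still valid; only explicit teardown on the move closes that one, so both measures are needed.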