[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [NSIS] new draft about security threats for the NAT/firewall NSLP

To: "Hancock, Robert" <robert.hancock at roke.co.uk>
Subject: RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
From: Martin Stiemerling <stiemerling at netlab.nec.de>
Date: Tue, 22 Jun 2004 10:26:32 +0200
Cc: nsis at ietf.org
In-reply-to: <002d01c457c9$677f5e60$0402a8c0@comm.ad.roke.co.uk>
List-help: <mailto:nsis-request@ietf.org?subject=help>
List-id: Next Steps in Signaling <nsis.ietf.org>
List-post: <mailto:nsis@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
References: <002d01c457c9$677f5e60$0402a8c0@comm.ad.roke.co.uk>
Sender: nsis-bounces at ietf.org


|>
|> |
|> | If so, we should document it (in that form). It may
|> | not be specific to the NATFW NSLP; however, there
|> | may be deployment considerations related to it which
|> | could usefully be captured somewhere (in this case,
|> | I think it would be that there should be some
|> | interdependency between the soft-state lifetime of
|> | the address assignment mechanism and of the NATFW
|> | NSLP state management.)
|>
|> The security risk should in fact be document and probably is
|> already in the
|> threats NATFW NSLP document (needs some refines though).
|
| I checked draft-fessi-nsis-natfw-threats-00, and I don't think
| I see it there. The key aspect is the assignment of the old
| address of the DR to a new node, without cleaning up state
| associated with that old address.

I have checked again and you are right, this section needs a new subsection describing this attack.

|
| As a general point, I don't think this problem is specific to
| the mobile case (it may become more severe in the mobile case,
| but address re-assignment can take place all the time for many
| reasons). What I think is needed is some mechanism in the NAT/FW
| which is aware of the address lifetime and reallocation mechanism,
| and which can either
| a) limit the lifetime of the installed state to the lifetime
| of the address, or
| b) do state cleanup if the address is reallocated.
|
| Superficially the problem seems soluble (and without necessarily
| protocol changes but with security considerations applying to
| the deployment), but I suspect there are tricky cases. Especially
| in the v6 case where stateless autoconf or 3041 addresses are
| being used ...

I agree that there are countermeasures needed, but I don't see a solution how the NATFW NSLP can help avoiding this situation. We will document it.

As said before, the network might be badly engineered when state is left within the network when nodes move or they get renumbered. For any network, independent whether it uses NSIS or MIDCOM, some entity should take care about removing state from network nodes upon nodes move or change their address due to any other reason. For MIDCOM the SIP proxy should now and remove the policy rules from the middlebox, and for NSIS the AAA entity or another policy decision point should do so.

 Martin


_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis

References:
- RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
  - From: Hancock, Robert

Prev by Date: RE: [NSIS] 3.2.2 in draft-ieft-nsis-nslp-natfw-02.txt
Next by Date: RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Previous by thread: RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Next by thread: RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Index(es):
- Date
- Thread