[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [NSIS] new draft about security threats for the NAT/firewall

To: "Hancock, Robert" <robert.hancock at roke.co.uk>
Subject: RE: [NSIS] new draft about security threats for the NAT/firewall
From: Martin Stiemerling <stiemerling at netlab.nec.de>
Date: Tue, 22 Jun 2004 10:46:11 +0200
Cc: nsis at ietf.org
In-reply-to: <EA943CD30BCB104E9D38F5B5DC2D9A70019A064E@rsys004a.roke.co.uk>
List-help: <mailto:nsis-request@ietf.org?subject=help>
List-id: Next Steps in Signaling <nsis.ietf.org>
List-post: <mailto:nsis@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
References: <EA943CD30BCB104E9D38F5B5DC2D9A70019A064E@rsys004a.roke.co.uk>
Sender: nsis-bounces at ietf.org

--On Dienstag, 22. Juni 2004 9:39 Uhr +0100 "Hancock, Robert" <robert.hancock at roke.co.uk> wrote:

| hi
|
|> | Superficially the problem seems soluble (and without necessarily
|> | protocol changes but with security considerations applying to
|> | the deployment), but I suspect there are tricky cases. Especially
|> | in the v6 case where stateless autoconf or 3041 addresses are
|> | being used ...
|>
|> I agree that there are countermeasures needed, but I don't
|> see a solution
|> how the NATFW NSLP can help avoiding this situation. We will
|> document it.
|>
|> As said before, the network might be badly engineered when
|> state is left
|> within the network when nodes move or they get renumbered.  For any
|> network, independent whether it uses NSIS or MIDCOM, some
|> entity should
|> take care about removing state from network nodes upon nodes
|> move or change
|> their address due to any other reason.  For MIDCOM the SIP
|> proxy should now
|> and remove the policy rules from the middlebox, and for NSIS
|> the AAA entity
|> or another policy decision point should do so.
|>
|>   Martin
|
| This is a possible approach, but I would suspect that it needs
| to be *very* clearly documented. Essentially what I think you
| are saying is that to deploy the NATFW NSLP safely, you have to
| do so in conjunction with deploying some external management
| entity which is responsible for cleaning up state in particular
| circumstances. But at the moment, the NATFW document doesn't even
| mention the requirement for such an entity (let alone discuss
| the interactions with it), which I think would be necessary.

Indeed, this part is missing in the NATFW document and the plan is to document and describe this first in the threats document. Later on this should be included into the NATFW document.

|
| (what do other people think? it's obviously a complex subject.)
|

Yep would be nice to hear other people's opinion!

Martin

_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis

References:
- RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
  - From: Hancock, Robert

Prev by Date: RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Next by Date: [NSIS] NATFW NSLP: Blocking unwanted traffic
Previous by thread: RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Next by thread: RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Index(es):
- Date
- Thread