
RE: [NSIS] new draft about security threats for the NAT/firewall NSLP



Hello Martin,

> | The natfw-nslp, on the contrary, requires firewalls to forward the nslp
> | messages. Such a requirement may therefore open the door for flooding.
> | Since this requirement is specific to natfw-nslp, and because this type
> | of attack is possible as a result of it, I was thinking it could be
> | useful to report the threat in the "Security Threats for the NAT/Firewall
> | NSLP" draft or at least in the security considerations of the
> | "NAT/Firewall NSIS Signaling Layer Protocol (NSLP)" draft.
> |
> | Would you agree?
> 
> I agree that this attack is a serious one and that this attack has been
> considered for a long time. Actually, I think that section 4.1 of the
> security threats document describes such a type of attack. Or is this
> section insufficient in describing it?

Section 4.1 (Flooding with 'create session' messages from outside) describes three threats:

1) Attacks due to NSLP state: For each of these messages the middlebox needs to store state information such as the policy rules to be loaded, i.e. the middlebox could run out of memory.

2) Attacks due to authentication complexity: This kind of attack is possible if authentication is based on mechanisms that require computing power, e.g. digital signatures.

3) Attacks to the NTLP.

These attacks seem to be different from the one discussed. The target, as well as the damage, seems to differ.
In the threat discussed, the victim is the end point. Also, the undesired effects are consumption of the access link bandwidth and shorter battery lifetime. Would you agree?

I agree that section 4.1 is where the threat should be described, but it does not seem to be presented there yet. If you want, I can try to provide you with some text.

Thank you,

Franck

_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis