RE: [NSIS] new draft about security threats for the NAT/firewall NSLP
Hello Martin,
Please find some possible text describing the attack that we discussed.
If you think that the threat should be further detailed, please let me know.
"Denial of Service attacks to the End Points:
Since the NAT/FW NSLP requires firewalls to forward NSLP messages, a malicious node may keep sending NSLP messages to a target. This may consume the access network resources of the victim, drain the battery of the victim's terminal and may force the victim to pay for received, although undesired, data.
This threat may be particularly relevant in networks where the access link is a limited resource (e.g. cellular networks) and where the terminal capacities are limited."
As an editorial suggestion, maybe we could describe the threats of section 4 that affect the middleboxes, and the ones that are targeted at the end point, in different subsections to make it clearer. What do you think?
Franck
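To make the distinction in this thread concrete (middlebox exhaustion in section 4.1 versus the end point's access link as the victim), the following is an added example, not text from the draft or from either author. It is a hypothetical model of a NAT/FW middlebox that forwards NSLP messages toward an end point, with constructed sample traffic, and measures how many bytes reach the victim's access link with and without a per-target limit on forwarded messages. The class and function names, the message tuple format and the limit values are all assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not from the draft): (time_ms, src, dst, msg_type, size_bytes).
# "attacker" floods "victim" with unsolicited create-session messages every 100 ms;
# "peer" sends one legitimate request to the same victim at 2050 ms.
SAMPLE_MSGS = [(100 * i, "attacker", "victim", "create", 200) for i in range(50)]
SAMPLE_MSGS.append((2050, "peer", "victim", "create", 200))
SAMPLE_MSGS.sort()


class ForwardingMiddlebox:
    """Hypothetical NAT/FW that must forward NSLP messages toward the end point.

    max_per_window: messages forwarded toward one target per sliding window;
    None means forward everything, which is the situation the threat text assumes.
    This toy model counts every message; a real limiter would exempt messages
    that belong to a session the end point itself set up.
    """

    def __init__(self, max_per_window=None, window_ms=1000):
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self.recent = defaultdict(deque)          # dst -> timestamps of recently forwarded msgs
        self.forwarded_bytes = defaultdict(int)   # dst -> bytes delivered over the victim's access link
        self.dropped = defaultdict(int)           # dst -> messages the limiter refused to forward

    def handle(self, t, src, dst, size):
        """Return True if the message was forwarded to dst, False if it was dropped."""
        q = self.recent[dst]
        # Expire timestamps that fell out of the sliding window.
        while q and t - q[0] >= self.window_ms:
            q.popleft()
        if self.max_per_window is not None and len(q) >= self.max_per_window:
            self.dropped[dst] += 1
            return False
        q.append(t)
        self.forwarded_bytes[dst] += size
        return True


def run(msgs, max_per_window=None, window_ms=1000):
    """Replay a message list and return (bytes forwarded per target, drops per target)."""
    mb = ForwardingMiddlebox(max_per_window, window_ms)
    for t, src, dst, _kind, size in msgs:
        mb.handle(t, src, dst, size)
    return dict(mb.forwarded_bytes), dict(mb.dropped)


if __name__ == "__main__":
    print("no limit:", run(SAMPLE_MSGS))
    print("5 msgs / 1 s per target:", run(SAMPLE_MSGS, max_per_window=5))
```

Without a limit every attacker message crosses the access link, so the load on the victim grows linearly with the attacker's send rate and the middlebox itself stays healthy, which is exactly why this threat differs from the middlebox-state exhaustion of section 4.1. With a per-target limit the access link load is bounded, but the sample run also shows the trade-off: the legitimate message from "peer" arrives inside a full window and is dropped along with the flood, so a per-target limit alone cannot distinguish wanted from unwanted traffic.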
> -----Original Message-----
> From: ext Martin Stiemerling [mailto:stiemerling at netlab.nec.de]
> Sent: 02 July, 2004 04:31 AM
> To: Le Franck (Nokia-NRC/Dallas); ali.fessi at netlab.nec.de
> Cc: nsis at ietf.org
> Subject: RE: [NSIS] new draft about security threats for the
> NAT/firewall NSLP
>
>
>
> [...]
> |
> | Section 4.1 (Flooding with 'create session' messages from outside)
> | describes three threats:
> |
> | 1) Attacks due to NSLP state: For each of these messages the middlebox
> | needs to store state information such as the policy rules to be loaded,
> | i.e. the middlebox could run out of memory.
> |
> | 2) Attacks due to authentication complexity: This kind of attack is
> | possible if authentication is based on mechanisms that require computing
> | power e.g. digital signatures.
> |
> | 3) Attacks to the NTLP.
> |
> | These attacks seem to be different than the one discussed. The target, as
> | well as the damages seem to differ. In the threat discussed, the victim
> | is the end point. Also the undesired effects are consumption of the
> | access link bandwidth, shorter battery lifetime. Would you agree?
> |
> | I agree that section 4.1 is where the threat should be described, but it
> | does not seem to be presented yet. If you want, I can try to provide you
> | with some text,
>
>
> That would be great if you could provide text on this!
>
> Thanks,
>
> Martin
>
_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis