Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.

Slides:

Advertisements

Similar presentations

73rd IETF meeting, November 16-21, 2008

Advertisements

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

CCNA – Network Fundamentals

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

CISCO NETWORKING ACADEMY PROGRAM (CNAP)

Chapter 7: Transport Layer

Chapter 7 – Transport Layer Protocols

An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT

Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

Stream Control Transmission Protocol 網路前瞻技術實驗室陳旻槿.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

A Brief Taxonomy of Firewalls

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

SOCKS Group: Challenger Member: Lichun Zhan. Agenda Introduction SOCKS v4 SOCKS v5 Summary Conclusion References Questions.

IP Ports and Protocols used by H.323 Devices Liane Tarouco.

Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.

Chapter 6: Packet Filtering

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Transport Layer Introduction to Networking.

TCP/IP: Basics1 User Datagram Protocol (UDP) Another protocol at transport layer is UDP. It is Connectionless protocol i.e. no need to establish & terminate.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

Transmission Control Protocol TCP. Transport layer function.

03/07/2005IETF 62, Minneapolis NAT requirements for TCP (BEHAVE WG) draft-sivakumar-behave-nat-tcp-req-00.txt S.Sivakumar, K.Biswas, B.Ford.

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

Transport Layer: TCP and UDP. Overview of TCP/IP protocols Comparing TCP and UDP TCP connection: establishment, data transfer, and termination Allocation.

TCP/IP Protocols Contains Five Layers

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Company Confidential 1 ICMPv6 Echo Replies for Teredo Clients draft-denis-icmpv6-generation-for-teredo-00 behave, IETF#75 Stockholm Teemu Savolainen.

Network Address Translation External/ Internal/. OVERLOADING In Overloading, each computer on the private network is translated to the same IP address;

5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.

1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.

Firewalls Original slides prepared by Theo Benson.

© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-1 Lesson 10 Attack Guards, Intrusion Detection, and Shunning.

Network Router Security Packeting Filtering. OSI Model 1.It is the most commonly refrenced protocol model. It provides common ground when describing any.

Page 12/9/2016 Chapter 10 Intermediate TCP : TCP and UDP segments, Transport Layer Ports CCNA2 Chapter 10.

1 Version 3.1 Module 10 Intermediate TCP/IP (Layer 4)

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

© 2002, Cisco Systems, Inc. All rights reserved..

TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).

Multi-addressed Multipath TCP draft-ford-mptcp-multiaddressed-02 Alan Ford Costin Raiciu, Mark Handley.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Guidelines for IPFIX Implementations on Middleboxes Juergen Quittek, Martin Stiemerling 59th IETF meeting, IPFIX WG.

Draft-ietf-behave-nat-00 NAT/Firewall Behavioral Requirements draft-ietf-behave-nat-00 François Audet - Cullen Jennings -

H.323 NAT Traversal Problem particular to H.323(RAS->Q.931->H.245):  RAS from private network to public network can pass NAT  Q931 、 H.245 adopts the.

Chapter 9 The Transport Layer The Internet Protocol has three main protocols that run on top of IP: two are for data, one for control.

HIP-Based NAT Traversal in P2P-Environments

Original slides prepared by Theo Benson

改良UDP洞穿技術設計物聯網通訊：以遠端門鈴監控系統為例 Improving UDP Hole Punching Technique For IoT Communications: A Remote Door-bell Monitoring System 報告時間28~32分佳楊凱勝指導教授：柯開維.

IT443 – Network Security Administration Instructor: Bo Sheng

Introduction to Networking

ND-Shield: Protecting against Neighbor Discovery Attacks

Multi-addressed Multipath TCP

TCP for DNS security considerations

The IP, TCP, UDP protocols

Request for Comments(RFC) 3489

Editors: Bala’zs Varga, Jouni Korhonen

Presentation transcript:

Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th IETF meeting, November 8-13, 2009 Hiroshima, Japan

Overview Includes a number of requirements leading to a security-wise NAT implementations. Additionally includes requirements that allow the operation of security mechanisms through NATs. Initial version submitted in late 2008, and presented at the IETF 73 meeting (Minneapolis). Last revision: draft-gont-behave-nat-security-03  Document has been restructured  Lots of edits  Explicity states the requirements as “REQ-n”

Resilience to Denial of Service Attacks The document provides advice for leading with DoS attacks. Currently, it only addresses fragmentation “REQ-1: A NAT device capable of forwarding out-of- order IP fragments MUST take measures to protect itself against well-known IP fragment based attacks.”

Port reservation The document discusses issues that may arise when running applications on the NAT itself. “REQ-2: When a NAT device supports local applications on the device, it is RECOMMENDED that the NAT device reserves specific ports for local use, different from NAT use, so there is no overlap of ports between local use and NAT use. Doing this will ensure there is no possibility of cross session contamination between NAT sessions and local sessions.”

P2P communications Describes issues that may arise as a result of TCP/UDP hole punching “REQ-3: Applications attempting to establish peer-to- peer communication across NAT devices using TCP/UDP hole punching technique SHOULD employ relevant authentication mechanism to connect to their peers.” May remove this one (as a “REQ”), and just leave it as “information”.

Secure transport for end-hosts Aims at enabling the operation of security-related protocols through the NAT “REQ-4: A NAT device MUST permit the traversal of NAT compliant security protocols. Specifically, a NAT device MUST do the following. a. A NAT device MUST NOT block traffic directed to or coming from UDP port numbers 500 and b. A NAT device MUST NOT block traffic directed to or coming from TCP/UDP port number 443. c. A NAT device MUST NOT include an ALG that treats IKE packets or SSL/TLS packets differently than any other TCP/UDP packet.”

Implications of protocol header fields From the external realm, packets originated in the external real look as comming from the same system. Thus, hosts in the external realm expect in those packets the same properties as if they had been sent from a single system. Failure to comply with these requirements may introduce NEW (i.e., previously inexistent) INTEROPERABILITY problems.

IP Identification The tuple (SrcIP, DstIP, Protocol, IP ID) is not reused to quickly, or else there’s else the reassembled packet may be corrupted. “REQ-5: NATs MUST ensure that a tuple (SrcIP, DstIP, Protocol, IP ID) is not reused while there are still packets in the network with that tuple. Additionally, they SHOULD generate the IP Identification values such that they are not trivially predictable.”

TCP SEQ number and ACK number BSD-derived sytems (and others) recycle TCPs in the TIME-WAIT state if the ISNs are monotonically- increassing across connections. If a NAT does not ensure monotonically-increasing ISNs, connections through the NAT that would have otherwise succeeded might FAIL “REQ-6: A NAT MAY rewrite the TCP Sequence Number of packets forwarded to the external realm, such that all connection requests from to a TCP endpoint in the external realm result in monotonically-increasing Initial Sequence Numbers (ISNs). The ISN generator SHOULD select Initial Sequence Numbers such that it is difficult for an off-path attacker to predict the ISNs of future connections. If the NAT rewrites the Sequence Number of packets forwarded to the external realm, it MUST also rewrite the TCP Acknowledgement Number of packets being forwarded into the internal realm.”

TCP timestamps Same rationale as for rewriting the TCP Sequence Number and the TCP Acknowledgement number. “REQ-7: A NAT MAY rewrite the TCP timestamps option(TSval) of packets forwarded to the external realm, such that all connection requests from to a specific TCP endpoint in the external realm result in monotonically-increasing timestamps. The timestamps generator SHOULD be such such that it makes it difficult for an off-path attacker to predict the timestamps of future connections. If the NAT rewrites the TCP timestamp of packets forwarded to the external realm, it MUST also rewrite the TCP timestamp echo (TSecr) of packets forwarded from the external realm into the internal realm.”

Moving forward Any feeback will be appreciated TODO:  Address a number of other DoS attacks, as suggested off- list by Reinaldo Penno  Fix the missing REQ for the TCP Source Port Should this I-D be adopted as a BEHAVE WG item?