Presentation is loading. Please wait.

Presentation is loading. Please wait.

IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01.

Published byAusten Ramsey Modified over 8 years ago

Similar presentations

Presentation on theme: "IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01."— Presentation transcript:

1 IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01 (INTAREA WG, BEHAVE WG) IETF 80-Prague, March 2011 M. Boucadair, J. Touch, P. Levis and R. Penno

2 IETF 80 th 2 Agenda Reminder about some address sharing issues Why Host_ID is needed? How to insert a HOST_ID? Solution analysis Next steps

3 IETF 80 th 3 IPv4 Service Continuity Public IPv4 address will be exhausted soon Need to rationalize the use of IPv4 addresses Hi H1 H2 Service Provider Domain Public IPv4 address Service Providers won’t be able to assign individual public IPv4 address to their customers anymore H1 H2 Hi Service Provider Domain Means to ensure service continuity is a MUST… Service 1 and…Interconnection means between heterogeneous realms MUST be supported to ensure global connectivity But… IPv6 Hj Customers base growth should not be hindered

4 IETF 80 th 4 NAT-based Address Sharing CGN H1 H2 H Service Provider Domain Src IP@= IP1 Src IP@= IP2 Src IP@= IP3 Src IP@= IPext1 The internal and the external IP addresses may be of distinct address families (e.g., IPv4, IPv6): NAT44 or NAT64 CPE

5 IETF 80 th 5 NAT-based Address Sharing CGN H1 H2 H Service Provider Domain Src IP@= IP1 Src IP@= IP2 Src IP@= IP3 Blacklisting a misbehaving user: The server relies on the source IP address CPE S Server Src IP@= IPext1 When a misbehavior is detected, S adds IPext1 to a blacklist Src IP@= IPext1 Access is denied All subscribers using the same address will be impacted: Loss of users for the content providers, calls to the hotline for the IP Network Provider ($$/mn, OPEX loss for the ISP) and unsatisfied customers BL IPext1

6 IETF 80 th 6 NAT-based Address Sharing CGN H1 H2 H Service Provider Domain Src IP@= IP1 Src IP@= IP2 Src IP@= IP3 Infected machine traffic redirection is based on the source IP address CPE S Server Src IP@= IPext1 When a warm is detected, flows are redirected Src IP@= IPext1 RS A more exhaustive list of issues are identified in I-D.ietf-intarea-shared-addressing-issues All subscribers using the same address will be impacted: Difficult to troubleshoot, calls to the hotline for the IP Network Provider ($$/mn, OPEX loss for the ISP) and unsatisfied customers Redirected to a dedicated server

7 IETF 80 th 7 Generalizing the issue Observation –Today, servers use the source IPv4 address as an identifier to treat some incoming connections differently –Tomorrow, because this address is shared, the server does not know which host is the sending host Objective –The server should be able to sort out the packets by sending host (not only based on the source IP @) Requirement –The server must have extra information than the source IP address to differentiate the sending host: We call HOST_ID this information

8 IETF 80 th 8 HOST_ID: Rationale What is the HOST_ID? –It must be unique to each user under the same address –Adding a HOST_ID does not “break” the privacy of the user, it reveals the same information as the source IP address when there is not CGN in the path –E.g., first bits of an IPv6 address, private IPv4 address, etc. Who puts the HOST_ID? –The address sharing function injects the HOST_ID when it translates IP packets –The CPE can put the identification in the packet and the CGN checks it instead of doing the actual writing. The performance impact would be distributed/shared between CPE and CGN Where is the HOST_ID? –If the HOST_ID is put at the IP level, all packets will have to bear the identifier –If it is put at a higher connection-oriented level, the identifier is only needed once in the session establishment phase for instance TCP three-way-handshake

9 IETF 80 th 9 NAT-based Address Sharing (revisited) CGN H1 H2 H Service Provider Domain Src IP@= IP1 Src IP@= IP2 Src IP@= IP3 Blacklisting a misbehaving user: The server relies on the source IP address & HOST_ID CPE S Server Src IP@= IPext1 When a misbehavior is detected, S updates its blacklisted users Src IP@= IPext1 Access is granted BL (IPext1, HID1) Injects HOST_ID: HID1Injects HOST_ID: HID2 The server needs to be updated to: (1) be able to extract the HOST_ID, (2) Enforce policies based on the HOST_ID, (3) log the HOST_ID

10 IETF 80 th 10 Solutions to reveal the HOST_ID UDPTCPHTTP Encrypted traffic Success Ratio Possible performance impact Modify OS TCP/IP stack is needed (*) DeployableNotes IP Option Yes 30%HighYes TCP Option NoYes 99%Med to HighYes IP-ID Yes 100%Low to MedYes 1 HTTP Header (XFF) No YesNo100%Med to HighNoYes2 Proxy Protocol NoYes LowHighNo Port Set Yes 100%NANoYes1,3 HIP LowNA--No4,5 (1)Requires mechanism to advertise NAT is participating in this scheme (e.g., DNS PTR record) (2)This solution is widely deployed (3)When the port set is not advertised, the solution is less efficient. (4)Requires the client and the server to be HIP-compliant and HIP infrastructure to be deployed (5)If the client and the server are HIP-enabled, the address sharing function does not need to insert a user-hint. If the client is not HIP-enabled, designing the device that performs address sharing to act as a UDP/TCP-HIP relay is not viable. IP option, IP ID and Proxy Protocol are broken XFF is largely deployed in operational networks but still the address sharing function needs to parse all applications messages HIP is not “widely” deployed Port Set requires coordination TCP Option is superior to XFF since it is not specific to HTTP but what about UDP? Update the Servers OS TCP/IP is required (*) Server side

11 IETF 80 th 11 What to do with this analysis? Recommend a solution? –Of course, individual solutions needs to discuss potential impact on performance, mis-usage of the solution to reveal other “sensitive” information, etc. Add a conclusion to say: “IETF has documented the issues and has analyzed solution candidates but IETF believes CGN should stay “evil””? –Risk of emergence of proprietary solutions Add a statement to say: “IPv6 will solve this?” –Yes, this is a strong signal but this does not mitigate the service brokenness to be encountered by subscribers when address sharing will be deployed at large –The issues are also valid for NAT64

12 IETF 80 th 12 Next steps? Please advise

Download ppt "IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01."

Similar presentations

SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
1 Teredo - Tunneling IPv6 through NATs Date: 2003-10-31 Speaker: Quincy Wu National Chiao Tung University.

1 Teredo - Tunneling IPv6 through NATs Date: Speaker: Quincy Wu National Chiao Tung University.
Some Observations on CGNs Geoff Huston Chief Scientist APNIC.

Some Observations on CGNs Geoff Huston Chief Scientist APNIC.
Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.

Deployment Considerations for Dual-stack Lite draft-lee-softwire-dslite-deployment-00 Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
COM555: Mobile Technologies Location-Identifier Separation.

COM555: Mobile Technologies Location-Identifier Separation.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
Section 461.  ARP  Ghostbusters  Grew up in Lexington, KY  Enjoy stargazing, cycling, and mushroom hunting  Met Mario once (long time ago)

Section 461.  ARP  Ghostbusters  Grew up in Lexington, KY  Enjoy stargazing, cycling, and mushroom hunting  Met Mario once (long time ago)

Similar presentations

Ads by Google