[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Merge NAT-PT approaches?

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: Merge NAT-PT approaches?
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Sun, 30 Dec 2007 09:04:09 +1300
Cc: marcelo bagnulo braun <marcelo@it.uc3m.es>, IPv6 Operations <v6ops@ops.ietf.org>
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=IVkF7iO/h/+gqtOIa9n3bQ1CwGaxZtia47Xfr0qFS6JHwr0BwWOndh5f71g6AJnMeWAO1K3OO1b6kdd+zINsvZCYZ7esBMZv5bkezL7RB7QtdzrwyUwlLMfbA5Rw6pLb+vXMgpCLPa9sczjdv5QdBN3vontG5vJd8NBXryS2Y/8=
In-reply-to: <BB8E4BFA-7BD1-4C95-A22C-A93868BBE30C@muada.com>
Organization: University of Auckland
References: <A720A931-C3D2-42EA-AE52-B9966F6A79A4@muada.com> <476B373F.8040108@gmail.com> <1C7D9DD9-F803-4C2A-9EBC-34C05CC858A9@muada.com> <D0300F4B-B37E-4635-B7DA-055DBFC9538B@it.uc3m.es> <BB8E4BFA-7BD1-4C95-A22C-A93868BBE30C@muada.com>
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

On 2007-12-29 07:05, Iljitsch van Beijnum wrote:

On 28 dec 2007, at 15:43, marcelo bagnulo braun wrote:
I don't think reusing parts from shim6 makes a lot of sense forauthentication. There are already several datagram basedauthentication mechanisms, and they can get quite complex. If a hostneeds to authenticate towards a NAT-PT translator, it would be muchsimpler to set up a TLS-protected TCP session and then do simpleuser/password authentication.
i think this depends on the application scenario that the mechanism isdesigned to work on. Having TLS + user/password may be ok for somescenarios, but you need to provision the tls certs and the user andpassword, which may be ok for some application cases and not so ok forothers. So i would suggest we first figure out which is theapplication scenario where the mechanisms is supposed to work on, thenwe figure out the threats and then try to work on security tools for that
I'm assuming a relatively simple model where users have their packetstranslate by a NAT-PT translator that is outside their own network ortheir ISP's network.


s/is/may be/ ?

Since it would obviously be problematic to acceptand translate packets from the entire internet, we need some simpleauthentication.
This would be very similar to IMAP or POP authentication in the presenceof TLS: the TLS itself isn't part of the authentication but is only usedto make sure that the password travels over the network encrypted. Intheory certificates could be a complication, but in practice, all hoststhat come with a web browser already have a bunch of root certificatesso this isn't much of an issue.
I don't think we need strong security as in IPsec for the data packets,but if someone else knows a reason why we do, I'm listening.


I agree with Iljitsch on this. We need to defend "new NAT-PT"
against threats that it creates, which are essentially exploits of
any signaling between the host and the translator. There's no
point in defending it against generic threats such as injection
of bogus packets.

   Brian

Follow-Ups:
- Re: Merge NAT-PT approaches?
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

References:
- Re: Merge NAT-PT approaches?
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Merge NAT-PT approaches?
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Merge NAT-PT approaches?
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: IPv6 broadband provisioning
Next by Date: Re: IPv6 broadband provisioning
Previous by thread: Re: Merge NAT-PT approaches?
Next by thread: Re: Merge NAT-PT approaches?
Index(es):
- Date
- Thread