Transcript PPT Version

Path-coupled NAT/Firewall
Signaling Security Problems
Unpublished Draft:
<draft-tschofenig-nsis-natfw-security-problems-00.txt>
Hannes Tschofenig
Acknowledgements
• The author would like to thank
– Martin Stiemerling
– Cedric Aoun
– Richard Graveman
• for their time to discuss various issues.
Which Security Protection at Which Layer?
    +------+                            +------+
    |  NE  |                            |  NE  |
    |+----+|                            |+----+|
    ||NSLP||       NSLP Security        ||NSLP||
    ||  1 || - - - - - - - - - - - - - -||  1 ||
    |+----+|                            |+----+|
    |  ||  |                            |  ||  |
    |+----+|       NTLP Security        |+----+|
====||NTLP||============================||NTLP||====
    |+----+|                            |+----+|
    +------+                            +------+
• Claim: Reusing the security provided at the lower layer
(GIMPS) between neighboring NAT/FW NSLPs is very
useful
Different Requirements for Different Parts of the Network
• Different communication models have been identified
(see for example "Security Threats for NSIS" draft)
• Different communication parts have different [security]
requirements
• Today's security protocols provide this flexibility
already.
• Claim: We should reuse them (instead of creating
something of our own)
Mobility, Sender Invariance, and
Authorization Problems
• We need to provide a solution for mobility environments.
• Authenticating the end host to each intermediate
NAT/Firewall is an option (but requires a huge
infrastructure)
• We have an authorization problem
(see Mobile IP MN <->CN Binding Update Problem)
• We are actually seeking a property called "Sender
Invariance"
• Let us reuse things discussed a long time ago (e.g., PBK)
(see <draft-tschofenig-nsis-sid-00.txt>)
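As an added illustration of the "Sender Invariance" property (example code, not part of the slides or of the cited SID/PBK drafts), the Go program below models a purpose-built-key approach: the initiator generates an ephemeral Ed25519 key pair, derives its session identifier from the public key, and signs every message; a NAT/firewall on the path only has to check that later messages for that session are signed with the same key, which keeps holding after the sender's address changes. The message fields, the names, and the sequence-number replay check are assumptions of this example, not the draft's message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SessionID is derived from the purpose-built public key, so only the holder
// of the matching private key can continue the session (sender invariance).
type SessionID string

func sessionIDFor(pub ed25519.PublicKey) SessionID {
	sum := sha256.Sum256(pub)
	return SessionID(hex.EncodeToString(sum[:8]))
}

// Message models a signaling message as seen by a firewall on the path
// (constructed format, not the NAT/FW NSLP wire format).
type Message struct {
	Session SessionID
	SrcAddr string            // current address of the sender; not signed, so it may change
	Seq     uint64            // strictly increasing per session, for replay detection
	Payload string            // the signaling request itself
	PubKey  ed25519.PublicKey // carried in every message and checked against Session
	Sig     []byte
}

func (m *Message) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", m.Session, m.Seq, m.Payload))
}

// Sender holds the ephemeral (purpose-built) key pair for one session.
type Sender struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	seq  uint64
}

func NewSender() (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{pub: pub, priv: priv}, nil
}

// Send builds the next signed message; addr is whatever address the mobile host has now.
func (s *Sender) Send(addr, payload string) Message {
	s.seq++
	m := Message{Session: sessionIDFor(s.pub), SrcAddr: addr, Seq: s.seq, Payload: payload, PubKey: s.pub}
	m.Sig = ed25519.Sign(s.priv, m.signedBytes())
	return m
}

// Verifier is the firewall-side state: highest sequence number seen per session.
type Verifier struct {
	lastSeq map[SessionID]uint64
}

func NewVerifier() *Verifier { return &Verifier{lastSeq: map[SessionID]uint64{}} }

// Accept checks key/session binding, signature and freshness; it never looks at SrcAddr.
func (v *Verifier) Accept(m Message) error {
	if len(m.PubKey) != ed25519.PublicKeySize || sessionIDFor(m.PubKey) != m.Session {
		return errors.New("public key does not match session ID")
	}
	if !ed25519.Verify(m.PubKey, m.signedBytes(), m.Sig) {
		return errors.New("signature invalid")
	}
	if m.Seq <= v.lastSeq[m.Session] {
		return errors.New("replayed or out-of-order message")
	}
	v.lastSeq[m.Session] = m.Seq
	return nil
}

func main() {
	s, err := NewSender()
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	fmt.Println(v.Accept(s.Send("192.0.2.10", "CREATE udp/5060")))   // accepted
	fmt.Println(v.Accept(s.Send("198.51.100.7", "EXTEND udp/5060"))) // accepted: new address, same key
}
```

The address is deliberately left outside the signed data; that is what makes the check survive a move, and also why sender invariance on its own says nothing about whether the sender is authorized for the address it now claims (the authorization problem the slide refers to).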
Dependencies among QoS, NAT, and
Firewall Signaling
• A dependency exists between NAT/Firewall signaling, QoS
signaling (and even application layer protocols)
• Question: How much NAT traversal capability has to be
built into each NSLP?
Security for NAT vs. Firewall Traversal
• Fact:
– Today a number of ways can be used to create NAT bindings
(for outgoing traffic).
– Examples: Plain data traffic, STUN, TURN
– Most of them DO NOT provide security
• Firewalls are often more security sensitive
• Exceptions: RESERVE mode and SPF
End-to-End Security
• There is some benefit in tying the application signaling and the
NSIS signaling together with the help of cryptographic
mechanisms.
• Problem I: Pure end-to-end security (without application layer
binding) for NSIS might be difficult to justify.
• Problem II: End-to-end security introduces its own problems
(deployment, proxy mode scenarios)
Asymmetry of Security Protocols
+--------------------------+              +--------------------------+
| Network A                |   Internet   |                 Network B |
|                          |              |                          |
|   +---------+            |              |            +---------+   |
|   | NSIS    |            |              |            | NSIS    |   |
|   | Entity  |            |              |            | Entity  |   |
|   | B       |            |              |            | C       |   |
|   +----+----+            |              |            +----+----+   |
|        ^                 |              |                 ^        |
|        |                 |              |                 |        |
|     +--+---+             |              |             +---+--+     |
|     | NSIS |             |              |             | NSIS |     |
|     +Entity+------------------------------------------+Entity+     |
|     | A    | TLS server  |              |   TLS client | D    |     |
|     +--+---+             |              |             +---+--+     |
|        ^                 |              |                 |        |
|        |                 |              |                 v        |
|  +-----+-------+         |              |          +-------+-----+  |
|  | NSIS        | TLS     |              |      TLS | NSIS        |  |
|  | Initiator X | client  |              |   server | Responder Y |  |
|  +-------------+         |              |          +-------------+  |
+--------------------------+              +--------------------------+
Offloading Authentication and Authorization
to a Third Party
• Issue: User authentication and authorization is done at a third-party entity and
not at the firewall itself.
• This helps to keep credentials for user authentication and authorization
information at a central entity.
• Partially addressed by:
– Cedric's Migration draft and by
– Mailing list discussion with Dave
• This interaction is typical for the
QoS NSLP.
• Question: Is it also required for the
NAT/FW NSLP?

                               +----------+
                               | Decision |
                               |  Point   |
                               +--+----+--+
                          Request ^    | Response
                                  |    v
+-------------------+ CREATE      +--+----+--+
| Entity requesting +------------>+   NSIS   |
| creation of       |             | Firewall |
| policy rule       +<------------+          |
+-------------------+ SUCCESS/    +----------+
                      FAILURE
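To make the offloading interaction concrete, the Go program below is an added example (not code from the slides or from the drafts they cite) in which the firewall is a pure enforcement point: it holds no user credentials, forwards the CREATE request to a decision point under a fresh request ID, and installs the policy rule only if the response carries a valid MAC from the decision point over that ID and the decision. The message structures, the shared-key MAC between firewall and decision point, and the credential table are assumptions of this example, not something the slide specifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Rule is the policy rule the requesting entity asks the firewall to CREATE (constructed fields).
type Rule struct {
	Proto   string
	DstPort int
}

// Request is what the firewall forwards to the decision point. The credential is
// opaque to the firewall; only the decision point can check it.
type Request struct {
	ID         string // fresh random value that binds the response to this request
	User       string
	Credential string
	Rule       Rule
}

// Response is the decision point's answer, MACed under the key it shares with the firewall.
type Response struct {
	ID      string
	Allowed bool
	MAC     []byte
}

func decisionMAC(key []byte, id string, allowed bool) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(fmt.Sprintf("%s|%t", id, allowed)))
	return h.Sum(nil)
}

// DecisionPoint keeps user credentials and authorization state centrally.
type DecisionPoint struct {
	creds map[string]string // user -> expected credential (constructed stand-in for real user authentication)
	key   []byte
}

func (dp *DecisionPoint) Decide(r Request) Response {
	want, known := dp.creds[r.User]
	allowed := known && hmac.Equal([]byte(want), []byte(r.Credential))
	return Response{ID: r.ID, Allowed: allowed, MAC: decisionMAC(dp.key, r.ID, allowed)}
}

// Firewall is the enforcement point: no user credentials, only the key shared with the decision point.
type Firewall struct {
	key       []byte
	pending   map[string]Rule // request ID -> rule awaiting a decision
	Installed []Rule
}

// Create turns an incoming CREATE into a Request for the decision point and remembers the rule.
func (fw *Firewall) Create(user, cred string, rule Rule) (Request, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Request{}, err
	}
	id := hex.EncodeToString(b[:])
	fw.pending[id] = rule
	return Request{ID: id, User: user, Credential: cred, Rule: rule}, nil
}

// HandleResponse installs the rule on an authentic "allow" and answers SUCCESS (true) or FAILURE (false).
func (fw *Firewall) HandleResponse(resp Response) (bool, error) {
	rule, ok := fw.pending[resp.ID]
	if !ok {
		return false, errors.New("no pending request with this ID (stray or replayed response)")
	}
	if !hmac.Equal(decisionMAC(fw.key, resp.ID, resp.Allowed), resp.MAC) {
		return false, errors.New("response MAC invalid")
	}
	delete(fw.pending, resp.ID) // a response is consumed exactly once
	if resp.Allowed {
		fw.Installed = append(fw.Installed, rule)
	}
	return resp.Allowed, nil
}

// NewDeployment wires up one firewall and one decision point sharing a random key.
func NewDeployment() (*Firewall, *DecisionPoint) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	creds := map[string]string{"alice": "correct-horse"} // constructed sample user
	return &Firewall{key: key, pending: map[string]Rule{}}, &DecisionPoint{creds: creds, key: key}
}

// CreateFlow runs CREATE -> Request -> Response -> SUCCESS/FAILURE end to end.
func CreateFlow(fw *Firewall, dp *DecisionPoint, user, cred string, rule Rule) (bool, error) {
	req, err := fw.Create(user, cred, rule)
	if err != nil {
		return false, err
	}
	return fw.HandleResponse(dp.Decide(req))
}

func main() {
	fw, dp := NewDeployment()
	ok, err := CreateFlow(fw, dp, "alice", "correct-horse", Rule{Proto: "udp", DstPort: 5060})
	fmt.Println("SUCCESS:", ok, err, "installed rules:", len(fw.Installed))
}
```

Binding the MAC to the request ID is what stops an old "allow" from being replayed against a later, different request; in a real deployment the channel between firewall and decision point would carry this protection (for example via a protocol such as Diameter or RADIUS over a secured transport), but the check the firewall has to make stays the same.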
Security for NAT/FW NSLP
• NAT/FW NSLP Security =
– NTLP security between neighboring nodes
– Additional NSLP security between non-neighboring nodes (Is
there some commonality between all NSLPs?)
– Binding to application layer signaling (as suggested by
Cedric's Migration draft)
– Security mechanisms proposed in SID
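The first two items of this list, and the earlier "Which Security Protection at Which Layer?" slide, are illustrated by the added Go example below (not code from the slides or from the NSIS drafts). It models a three-node path in which every hop is protected by a MAC under a pairwise neighbour key (standing in for GIMPS/NTLP channel security) and the initiator additionally signs the NSLP payload with a key the responder knows. Relaying an unmodified message passes both layers; a message altered by the intermediate node still passes the next hop's NTLP check, because the intermediate re-MACs it, and is caught only by the NSLP-level check at the responder. Node names, message layout, the HMAC/Ed25519 choice, and the assumption that the responder already holds the initiator's public key are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NSLPMessage is the end-to-end part: the payload and the initiator's signature over it.
type NSLPMessage struct {
	Payload string
	Sig     []byte
}

// NTLPPacket carries an NSLP message over one hop, protected by a MAC under the
// key the two neighbours share (a stand-in for NTLP/GIMPS channel security).
type NTLPPacket struct {
	Msg NSLPMessage
	MAC []byte
}

func hopMAC(key []byte, m NSLPMessage) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(m.Payload))
	h.Write(m.Sig)
	return h.Sum(nil)
}

// Node is an NSIS entity holding one shared NTLP key per neighbour.
type Node struct {
	Name    string
	hopKeys map[string][]byte
}

func (n *Node) SendTo(neighbour string, m NSLPMessage) NTLPPacket {
	return NTLPPacket{Msg: m, MAC: hopMAC(n.hopKeys[neighbour], m)}
}

func (n *Node) ReceiveFrom(neighbour string, p NTLPPacket) (NSLPMessage, error) {
	if !hmac.Equal(hopMAC(n.hopKeys[neighbour], p.Msg), p.MAC) {
		return NSLPMessage{}, fmt.Errorf("%s: NTLP MAC from %s invalid", n.Name, neighbour)
	}
	return p.Msg, nil
}

func pairKey(a, b *Node) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	a.hopKeys[b.Name] = k
	b.hopKeys[a.Name] = k
}

// BuildPath creates initiator -> firewall -> responder with pairwise NTLP keys (constructed topology).
func BuildPath() (ni, mid, nr *Node) {
	ni = &Node{Name: "NI", hopKeys: map[string][]byte{}}
	mid = &Node{Name: "FW1", hopKeys: map[string][]byte{}}
	nr = &Node{Name: "NR", hopKeys: map[string][]byte{}}
	pairKey(ni, mid)
	pairKey(mid, nr)
	return
}

// Relay sends payload from ni to nr via mid. tamper, if non-nil, is applied by mid
// (a constructed misbehaving intermediate). hopOK reports whether every NTLP check
// passed, e2eOK whether the responder's NSLP-level signature check passed.
func Relay(ni, mid, nr *Node, priv ed25519.PrivateKey, payload string,
	tamper func(NSLPMessage) NSLPMessage) (hopOK, e2eOK bool, err error) {
	pub := priv.Public().(ed25519.PublicKey) // assumed to be known to NR out of band
	m := NSLPMessage{Payload: payload, Sig: ed25519.Sign(priv, []byte(payload))}

	m, err = mid.ReceiveFrom(ni.Name, ni.SendTo(mid.Name, m))
	if err != nil {
		return false, false, err
	}
	if tamper != nil {
		m = tamper(m)
	}
	m, err = nr.ReceiveFrom(mid.Name, mid.SendTo(nr.Name, m))
	if err != nil {
		return false, false, err
	}
	if !ed25519.Verify(pub, []byte(m.Payload), m.Sig) {
		return true, false, errors.New("NR: NSLP signature invalid (message altered after NI signed it)")
	}
	return true, true, nil
}

func main() {
	ni, mid, nr := BuildPath()
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(Relay(ni, mid, nr, priv, "CREATE allow udp dst 5060", nil))
	fmt.Println(Relay(ni, mid, nr, priv, "CREATE allow udp dst 5060",
		func(m NSLPMessage) NSLPMessage { m.Payload = "CREATE allow any"; return m }))
}
```

Note what each layer can and cannot tell the responder: the NTLP check only says "this came from my neighbour FW1 unmodified", which is exactly the claim of the layering slide, while the NSLP-level signature is the part that has to be designed per NSLP (or shared between NSLPs, as the list asks) because the two layers protect against different parties.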