Security Threats for the NATFW NSLP


draft-fessi-nsis-natfw-threats-01.txt
Fessi, Stiemerling, Thiruvengadam, Tschofenig, Aoun
IETF 60
Overview
• Identifies threats to NATFW NSLP
  - Lists different types of attacks
  - Limited to NSLP issues only
• Gives security requirements, but no solutions for the protocol yet
• Analysis based on draft-ietf-nsis-nslp-natfw-02.txt
• Analysis covered all messages except:
  - TRIGGER
  - NOTIFY
  - QUERY
Attacks analysed
• Authentication and authorization
• Denial of service
• Man in the Middle
• Message Modification
• Session Hijacking
  - Modification and deletion
• Misuse of unreleased NSLP sessions
• Eavesdropping and traffic analysis
• Data traffic modification
  - Considered, but not specific to NSLP only
Authorization and Authentication
• Example: Receiver behind Firewall
  - NI is outside the protected network
[Figure: Data Sender (NI), outside the protected network, sends CREATE to the Firewall (NF), whose decision is marked "?". NF forwards CREATE to the Receiver (NR) inside the Protected Network; RESPONSE travels back from NR via NF to NI, and Data then flows along the same path.]
• Problems:
  - Forwarding a message from an unknown host/firewall
  - Possibly installing policy rules (spending resources)
  - No way of binding authorization to IP addresses (NAT!)
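The three problems on this slide can be made concrete with a small simulation. The code below is an added example, not part of the slides and not code from the draft authors or from draft-ietf-nsis-nslp-natfw-02: the CREATE/RESPONSE message names follow the slide, but the field layout, the source NAT in front of the NI, the firewall's rule-table limit and all IP addresses (taken from the RFC 5737 documentation ranges) are assumptions made for the demonstration. One scenario shows that a firewall which authorizes by source IP cannot tell two hosts apart once they sit behind the same NAT; the other shows a firewall with no authorization at all forwarding CREATEs from unknown hosts and filling its rule table until a legitimate CREATE is refused.

```python
"""Toy model of the NATFW NSLP authorization problems (constructed example).

Not the wire format of draft-ietf-nsis-nslp-natfw-02; message fields, the NAT
model and the rule-table limit are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple, Dict


@dataclass(frozen=True)
class Create:
    """Simplified CREATE message: fields are an assumption, not the draft's layout."""
    src_ip: str       # NI address as the firewall sees it (post-NAT)
    dst_ip: str       # NR address the NI wants a pinhole for
    session_id: str


class Nat:
    """Source NAT in front of the NI's network: every inside host leaves with one public IP."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip

    def translate(self, msg: Create) -> Create:
        # The NAT rewrites the source address, so the NF sees the same IP for all inside hosts.
        return Create(self.public_ip, msg.dst_ip, msg.session_id)


class Firewall:
    """NF that (optionally) authorizes by source IP and installs one policy rule per session."""

    def __init__(self, trusted_ips: Optional[Iterable[str]], max_rules: int) -> None:
        # trusted_ips=None models the slide's case: the NI is unknown, nothing to authorize against.
        self.trusted_ips: Optional[Set[str]] = None if trusted_ips is None else set(trusted_ips)
        self.max_rules = max_rules
        self.rules: Dict[str, Tuple[str, str]] = {}   # session_id -> (src, dst) pinhole
        self.forwarded: List[Create] = []             # CREATEs passed on towards the NR

    def handle_create(self, msg: Create) -> str:
        # Problem 3: the only binding available is the source IP.
        if self.trusted_ips is not None and msg.src_ip not in self.trusted_ips:
            return "RESPONSE: refused (untrusted source)"
        # Problem 2: every accepted CREATE consumes a rule slot before anything is verified.
        if len(self.rules) >= self.max_rules:
            return "RESPONSE: refused (rule table full)"
        self.rules[msg.session_id] = (msg.src_ip, msg.dst_ip)
        # Problem 1: the message from an unknown host is forwarded into the protected network.
        self.forwarded.append(msg)
        return "RESPONSE: ok"


def nat_defeats_ip_authorization() -> bool:
    """A legitimate NI and an attacker share one NAT; IP-based authorization admits both."""
    nat = Nat("203.0.113.7")                                  # assumed public NAT address
    fw = Firewall(trusted_ips={"203.0.113.7"}, max_rules=100)
    legit = Create("10.0.0.5", "192.0.2.10", "s-legit")       # assumed inside hosts and NR
    attacker = Create("10.0.0.66", "192.0.2.10", "s-attacker")
    fw.handle_create(nat.translate(legit))
    fw.handle_create(nat.translate(attacker))
    return "s-attacker" in fw.rules   # True: the attacker's pinhole was installed too


def unknown_hosts_exhaust_rules(flood: int = 8) -> Tuple[int, int, str]:
    """With no authorization, bogus CREATEs from unknown hosts are forwarded and fill the table."""
    fw = Firewall(trusted_ips=None, max_rules=4)
    for i in range(flood):
        fw.handle_create(Create(f"198.51.100.{i + 1}", "192.0.2.10", f"bogus-{i}"))
    reply = fw.handle_create(Create("198.51.100.200", "192.0.2.10", "legit"))
    return len(fw.rules), len(fw.forwarded), reply


if __name__ == "__main__":
    print("attacker behind same NAT got a rule:", nat_defeats_ip_authorization())
    print("rules, forwarded, legit reply:", unknown_hosts_exhaust_rules())
```

The model deliberately stops at showing the threats; the slides give requirements but no solution, so no authentication scheme is added here.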
Conclusion
• Security threats analysed
• Security requirements given
• Further steps:
  - Please READ and give comments
  - Develop a security solution for the NATFW NSLP