[159818] in North American Network Operators' Group
Re: CGN fixed/hashed nat question
daemon@ATHENA.MIT.EDU (William Herrin)
Wed Jan 23 08:22:45 2013
In-Reply-To: <078d01cdf8ea$d280bb20$77823160$@cisco.com>
From: William Herrin <bill@herrin.us>
Date: Wed, 23 Jan 2013 08:22:06 -0500
To: Dan Wing <dwing@cisco.com>
Cc: NANOG <nanog@nanog.org>
On Tue, Jan 22, 2013 at 4:52 PM, Dan Wing <dwing@cisco.com> wrote:
> draft-donley-behave-deterministic-cgn provides that functionality in
> an attempt to help randomize ports (see RFC6056). However, because
> the ports are fixed and there are relatively few ports, an attacker
> can determine the ports by causing the victim to open a bunch
> of TCP connections. This can be done by a bunch of "img src" tags
> in an HTML-encoded email message, among other mechanisms. If the
> hashing causes no logging, it creates a new requirement for a strong
> audit trail of the CGN configuration.
I thought this was desirable behavior for a CGN since effective port
prediction facilitates p2p NAT traversal?
Bear in mind that Windows XP uses a dynamic port range between 1024
and 5000 and allocates them linearly. Small range and trivially
predictable. Were it practical to use this knowledge for much more
than denial of service I tend to think we'd have noticed by now.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
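An added illustration of the two positions in this exchange (not code from the thread, from Dan Wing, from Bill Herrin, or from draft-donley-behave-deterministic-cgn): a toy deterministic CGN that gives each inside host a fixed contiguous port block and walks it linearly, beside an RFC 6056-style allocator that picks from the whole range. The attacker's move from the quoted mail is simulated by making the victim open a handful of connections and recording the source ports. The block layout (1024..65535 split evenly among 64 subscribers per external address, sequential block assignment, linear walk within the block) and the assumption that the attacker knows the CGN's configuration are mine; the draft describes several mappings and this is only one simplified instance.

```python
"""Deterministic CGN port blocks vs randomized ports: how much does an
attacker learn from a few observed connections?

Constructed example; the layout constants below are assumptions, not
numbers from draft-donley-behave-deterministic-cgn or from any vendor.
"""
import random

PORT_BASE = 1024                       # first port the CGN hands out (assumption)
PORT_RANGE = 65536 - PORT_BASE         # 64512 usable ports per external address
SUBS_PER_EXT_IP = 64                   # subscribers sharing one external IP (assumption)
BLOCK_SIZE = PORT_RANGE // SUBS_PER_EXT_IP   # 1008 ports per subscriber


def block_bounds(inside_host_index):
    """Deterministic mapping: inside host i owns one fixed, contiguous block.
    Sequential assignment is assumed here; the draft allows other mappings."""
    lo = PORT_BASE + (inside_host_index % SUBS_PER_EXT_IP) * BLOCK_SIZE
    return lo, lo + BLOCK_SIZE - 1


def subscriber_from_port(port):
    """Operator-side reverse lookup: with a deterministic mapping, a port maps
    back to a subscriber from configuration alone, no per-flow log needed.
    This is why the configuration itself becomes the audit trail."""
    return (port - PORT_BASE) // BLOCK_SIZE


class DeterministicCgn:
    """Fixed block per subscriber; ports handed out linearly inside the block
    (the XP-style linear walk from the reply, confined to one block)."""

    def __init__(self, inside_host_index):
        self.lo, self.hi = block_bounds(inside_host_index)
        self.cursor = self.lo

    def allocate(self):
        port = self.cursor
        self.cursor = self.lo if self.cursor == self.hi else self.cursor + 1
        return port


class RandomizedNat:
    """RFC 6056-style allocation: an unpredictable port from the whole range,
    with in-use ports tracked so the same port is not handed out twice."""

    def __init__(self, rng):
        self.rng = rng
        self.in_use = set()

    def allocate(self):
        while True:
            port = self.rng.randrange(PORT_BASE, 65536)
            if port not in self.in_use:
                self.in_use.add(port)
                return port


def attacker_observes(nat, n):
    """The victim is made to open n connections (e.g. n <img src> tags pointing
    at an attacker-controlled host) and the attacker records the source ports."""
    return [nat.allocate() for _ in range(n)]


def infer_block(observed):
    """Attacker's guess at the victim's block, assuming the CGN layout
    (PORT_BASE, BLOCK_SIZE) is known configuration rather than a secret."""
    idx = (min(observed) - PORT_BASE) // BLOCK_SIZE
    lo = PORT_BASE + idx * BLOCK_SIZE
    return lo, lo + BLOCK_SIZE - 1


def hit_rate(nat, guess, n):
    """Fraction of the victim's next n ports that land inside the guessed block."""
    lo, hi = guess
    hits = sum(lo <= nat.allocate() <= hi for _ in range(n))
    return hits / n


def compare(trials=100):
    """Run the same attack against both allocators; returns the attacker's
    guessed block and prediction hit rate for each."""
    det = DeterministicCgn(inside_host_index=5)
    det_guess = infer_block(attacker_observes(det, 8))
    det_rate = hit_rate(det, det_guess, trials)

    rnd = RandomizedNat(random.Random(2013))   # fixed seed so the demo is repeatable
    rnd_guess = infer_block(attacker_observes(rnd, 8))
    rnd_rate = hit_rate(rnd, rnd_guess, trials)
    return det_guess, det_rate, rnd_guess, rnd_rate


if __name__ == "__main__":
    dg, dr, rg, rr = compare()
    print(f"deterministic CGN: guessed block {dg}, next-port hit rate {dr:.2f}")
    print(f"randomized NAT:    guessed block {rg}, next-port hit rate {rr:.2f}")
    print(f"port 6070 belongs to subscriber index {subscriber_from_port(6070)}")
```

Eight observed connections pin the deterministic subscriber to a 1008-port window and every subsequent port falls inside it, which is exactly the predictability that helps p2p hole punching and equally helps anyone guessing the victim's next source port. Against the randomized allocator the same eight observations say almost nothing about the next port (about BLOCK_SIZE/PORT_RANGE, or roughly 1.6%). The `subscriber_from_port` function shows the flip side Dan raises: the mapping replaces per-connection logs, so the CGN configuration (and its change history) is what an operator must be able to produce later.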