Re: CGNAT

2017-04-08 Thread Ed Lopez 
A lot depends on the CGNAT features you are looking to support, some
considerations:

- Are you looking for port block allocation for bulk logging, where a given
subscriber is given a block of source TCP/UDP ports on a translated IP
address
- How many translations and session rate are you looking to support
- Do you require Port Control Protocol (PCP) support for inbound pinholing
reservations?  Do your subscribers support uPnP to PCP translation?
- Are you looking to support RFC 6598 (carrier use of 100.64.0.0/10 for
CGNAT)?
- Are you looking to support DS-Lite (RFC 6333) or lw4o6 (RFC 7596)?  Both
have significantly different requirements relative to CGNAT (DS-Lite
assumes translation of subscriber RFC 1918 addresses tracking their IPv6
address in the translation table, lw4o6 assumes translation from RFC 1918
to RFC 6598 at the subscriber/B4 prior to IPv6 encapsulation plus
translation of RFC 6598 to public at the CGNAT/AFTR)

Generally, I tend to recommend F5 BIG-IP from a CGNAT feature standpoint

- Ed

On Fri, Apr 7, 2017 at 1:48 PM, Aaron Gould  wrote:

> Thanks Rich, you bring up some good points.  Yes it would seem that an
> attack aimed at a target IP address would in-fact now have a greater
> surface
> since that IP address is being used by many people.  When we
> remotely-trigger-black-hole (RTBH) route an ip address (/32 host route)
> into
> a black hole to stop an attack you're right, now you've completed the
> ddos, not only for one customer, but hundreds or thousands that were using
> that public ip address through the NAT appliance.  ...to which I've told my
> NOC to not act on any of the /24's-worth of address space the we use for
> NAT.
>
> Interestingly, the nature of NAT is that it doesn't allow in-bound traffic
> unless a previous out-bound packet had been sent from customer-side to
> internet-side and caused the NAT translation to be built therefore, an
> outside-initiated DDoS attack would be automatically blocked by a NAT
> boundary*.  This would cause the DDoS to not go as far as it did in the
> non-nat scenario.   ...so with cgnat you've caused your reach of DDoS to be
> shortened.  ...but of course this doesn't cause the DDoS to not occur and
> to
> not reach the NAT boundary...the attack still arrives.  You have to
> continue
> with other layers of security, defense and mitigation in other areas/layers
> of your network.
>
> - Aaron
>
> * (I guess unless they were able to guess-spoof the exact ip address and
> port number of an existing nat session, but then it would seem that they
> would only reach that same port-address-translated session
> destination...which I think would be a single ip address endpoint and port
> number)
>
>
>


-- 

*Ed Lopez* | *Security Architect*
ed.lo...@corsa.com |11 Hines Rd (suite 203) | Ottawa, Ontario K2K 2X1 Canada
Mobile +1.703.220.0988  | www.corsa.com

*Provide line-rate mitigation against DDoS attacks using the Corsa NSE7000
Series. <https://www.corsa.com/red-armor-security/nse7000/>*

*Learn how to make your network better with Corsa Performance SDN
<http://www.corsa.com/sdn-done-right/>.  *


*This email and any attachments are intended for the sole use of the named
recipient(s) and contain(s) confidential information that may be
proprietary, privileged or copyrighted under applicable law. If you are not
the intended recipient, do not read, copy, or forward this email message or
any attachments and delete this message and any attachments immediately.*

Re: Verizon wireless to stop issuing static IPv4

2017-03-08 Thread Ed Lopez 
I'm assuming no consideration for using RFC-6598 addresses (100.64.0.0/10)
and performing CGN as a bridge, perhaps via LW4o6


On Wed, Mar 8, 2017 at 12:31 PM Randy Carpenter 
wrote:

>
> It would have been nice if Verizon had starting issuing IPv6 while still
> issuing IPv4 for an easy transition. The current situation is that you
> can't get static IPv6 at all. I have been bugging them about this for many
> years.
>
> thanks,
> -Randy
>
>
> - On Mar 8, 2017, at 12:16 PM, David Hubbard
> dhubb...@dino.hostasaurus.com wrote:
>
> > Thought the list would find this interesting.  Just received an email
> from VZ
> > wireless that they’re going to stop selling static IPv4 for wireless
> > subscribers in June.  That should make for some interesting support
> calls on
> > the broadband/fios side; one half of the company is forcing ipv6, the
> other
> > can’t provide it.  At least now we have a big name forcing the issue
> though.
> >
> > David
> >
> > Here’s complete text:
> >
> > On June 30, 2017, Verizon will stop issuing new Public Static IPv4
> addresses due
> > to a shortage of available addresses. Customers that currently have
> active
> > Public Static IPv4 addresses will retain those addresses, and Verizon
> will
> > continue to fully support existing Public Static IPv4 addresses. In
> order to
> > reserve new IP addresses, your company will need to convert to the
> Persistent
> > Prefix IPv6 requirements and implement new Verizon-certified IPv6
> devices.
> >
> >
> >
> >
> >
> > Why should you make the move to Persistent Prefix IPv6?
> >
> >
> >
> >
> >
> > •
> >
> > Unlike IPv4, which is limited to a 32-bit prefix, Persistent Prefix IPv6
> has
> > 128-bit addressing scheme, which aligns to current international
> agreements and
> > standards.
> >
> >
> >
> > •
> >
> > Persistent Prefix IPv6 will provide the device with an IP address unique
> to that
> > device that will remain with that device until the address is
> relinquished by
> > the user (i.e., when the user moves the device off the Verizon Wireless
> > network).
> >
> >
> >
> > •
> >
> > IPv4-only devices are not compatible with Persistent Prefix IPv6
> addresses.
>
-- 
Ed Lopez | Security Architect | Corsa Technology
Email: ed.lo...@corsa.com
Mobile: +1.703.220.0988
www.corsa.com

sent from my iPad ... I apologize for any auto-correct errors

Re: IoT security

2017-02-08 Thread Ed Lopez 
In a recent article (
https://www.schneier.com/blog/archives/2017/02/security_and_th.html), Bruce
Schneier sums up the IoT security mitigation issue quite nicely in this
paragraph:

"The market can't fix this because neither the buyer nor the seller cares.
The owners of the webcams and DVRs used in the denial-of-service attacks
don't care. Their devices were cheap to buy, they still work, and they
don't know any of the victims of the attacks. The sellers of those devices
don't care: They're now selling newer and better models, and the original
buyers only cared about price and features. There is no market solution,
because the insecurity is what economists call an externality: It's an
effect of the purchasing decision that affects other people. Think of it
kind of like invisible pollution."

- Ed Lopez
-- 
Ed Lopez | Security Architect | Corsa Technology
Email: ed.lo...@corsa.com
Mobile: +1.703.220.0988
www.corsa.com

sent from my iPad ... I apologize for any auto-correct errors