Security checks in the incoming packets to NAT ports?

2002-03-25 Thread Pekka Savola

Hi,

As characterized by C. Huitema of Microsoft in 
http://www.ietf.org/internet-drafts/draft-ietf-ngtrans-shipworm-05.txt 
(IPv6 tunnels through NAT's using UDP), there are basically 4 kinds of 
NAT's wrt. how strictly they check the incoming packets to allocated 
NAT ports:

--8--
Experience shows that the implementers of NAT products can adopt
widely different treatments of UDP mappings:

1) Some implement the simplest solution, which is to map an internal
UDP port, defined by an internal address and a port number on the   
corresponding host, to an external port, defined by a global address
managed by the NAT and a port number valid for that address. In this
simple case, the mapping is retained as long as the port is active, 
and is removed after an inactivity timer. As long as the mapping is 
retained, any packet received by the NAT for the external port is   
relayed to the internal address and port. These NATs are usually
called cone NATs.

2) Some implement a more complex solution, in which the NAT not only
establishes a mapping for the UDP port, but also maintains a list of
external hosts to which traffic has been sent from that port. The   
packets originating from third party hosts to which the local host  
has not yet sent traffic are rejected. These NATs are usually called
restricted cone NATs.

3) Instead of keeping just a list of authorized hosts, some NAT
implementations keep a list of authorized host and port pairs. UDP
packets coming from remote addresses are rejected if the internal 
host has not yet sent traffic to the outside host and port pair. The
NATs are often called port restricted cone NATs.

4) Finally, some NATs map the same internal address and port pair to
different external address and port pairs, depending on the address
of the remote host. These NATs are usually called symmetric NATs.

Measurement campaigns and studies of documentation have shown that
most NATs implement either option 1 or option 2, i.e. cone NATs or
restricted cone NATs. The Teredo solution ensures connectivity for 
all NAT types and all configurations, but it is legitimate to seek 
an optimization in the case of cone NAT or restricted cone NATs.   
--8--

I'm curious which kind of NAT Netfilter (and possibly old ipchains
NAT) uses?

Please Cc:.

-- 
Pekka Savola Tell me of difficulties surmounted,
Netcore Oy   not those you stumble over and fall
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
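The four UDP mapping policies quoted above, modelled as a small simulator. This is an added example, not code from the draft, from netfilter or from the poster; the addresses and ports are constructed, and the choice to make the symmetric model also filter on the exact host/port pair (the draft only says the mapping is per remote address) is an assumption.

```python
from enum import Enum
class NatType(Enum):
    CONE = 1             # any external host may send to the mapped port
    RESTRICTED_CONE = 2  # only hosts the internal host already sent to
    PORT_RESTRICTED = 3  # only host:port pairs already sent to
    SYMMETRIC = 4        # a separate external port per remote host

class Nat:
    def __init__(self, nat_type, external_ip="203.0.113.1", first_port=40000):
        self.nat_type, self.external_ip, self.next_port = nat_type, external_ip, first_port
        self.key_to_port = {}   # mapping key -> external port
        self.port_table = {}    # external port -> (internal endpoint, remotes sent to)

    def _key(self, internal, remote):
        # A symmetric NAT keys the mapping on the remote address as well.
        return (internal, remote[0]) if self.nat_type is NatType.SYMMETRIC else internal

    def outbound(self, internal, remote):
        """Internal (ip, port) sends to remote (ip, port); returns the external endpoint."""
        key = self._key(internal, remote)
        if key not in self.key_to_port:
            self.key_to_port[key] = self.next_port
            self.port_table[self.next_port] = (internal, set())
            self.next_port += 1
        port = self.key_to_port[key]
        self.port_table[port][1].add(remote)
        return (self.external_ip, port)

    def inbound(self, remote, external_port):
        """Datagram from remote to external_port: internal endpoint if relayed, else None."""
        entry = self.port_table.get(external_port)
        if entry is None:
            return None          # no active mapping: dropped
        internal, sent_to = entry
        if self.nat_type is NatType.CONE:
            return internal
        if self.nat_type is NatType.RESTRICTED_CONE:
            return internal if any(r[0] == remote[0] for r in sent_to) else None
        # Port restricted; assumed here for symmetric too (the draft leaves that open).
        return internal if remote in sent_to else None

def demo(nat_type):
    nat = Nat(nat_type)
    host = ("10.0.0.2", 5000)                      # constructed addresses throughout
    _, p1 = nat.outbound(host, ("198.51.100.10", 53))
    _, p2 = nat.outbound(host, ("198.51.100.20", 53))
    return {"same_port_for_both_peers": p1 == p2,
            "known_peer": nat.inbound(("198.51.100.10", 53), p1) == host,
            "known_host_other_port": nat.inbound(("198.51.100.10", 99), p1) == host,
            "third_party": nat.inbound(("192.0.2.7", 53), p1) == host}
```

Running `demo()` for each `NatType` shows the progressive tightening: only the cone NAT relays the third-party packet, and only the symmetric NAT hands out a different external port per peer.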


Re: Security checks in the incoming packets to NAT ports?

2002-03-25 Thread Pekka Savola

On Mon, 25 Mar 2002, Harald Welte wrote:
> On Mon, Mar 25, 2002 at 02:48:22PM +0200, Pekka Savola wrote:
> > Hi,
> > 
> 
> > 4) Finally, some NATs map the same internal address and port pair to
> > different external address and port pairs, depending on the address
> > of the remote host. These NATs are usually called symmetric NATs.
> > 
> > Measurement campaigns and studies of documentation have shown that
> > most NATs implement either option 1 or option 2, i.e. cone NATs or
> > restricted cone NATs. The Teredo solution ensures connectivity for
> > all NAT types and all configurations, but it is legitimate to seek
> > an optimization in the case of cone NAT or restricted cone NATs.
> > --8--
> > 
> > I'm curious which kind of NAT Netfilter (and possibly old ipchains
> > NAT) uses?
> 
> netfilter/iptables uses NAT-style four as described in the above
> document.

Thanks for the information Harald.  I take it you don't comment on how
ipchains/ipfwadm NAT does this?  That knowledge would also be very much
appreciated as there are still (mostly) 2.2-kernel boxes around.

-- 
Pekka Savola Tell me of difficulties surmounted,
Netcore Oy   not those you stumble over and fall
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords


Re: Security checks in the incoming packets to NAT ports?

2002-03-25 Thread Henrik Nordstrom

Pekka Savola wrote:

> I take it you don't comment on how
> ipchains/ipfwadm NAT does this?  That knowledge would also be very much
> appreciated as there are still (mostly) 2.2-kernel boxes around.

The NAT capabilities of Linux-2.2 ipchains is quite limited, only having
masquerade NAT. It maps any number of internal IP addresses to a
specific portrange on a single external IP address.

There is also a related but similarly limited NAT function in Linux-2.2
for incoming traffic called PORTFW. It allows you to forward ports on
the external IP address to designated servers on the inside.

In both cases the NAT is TCP/UDP session aware.

See the Linux IP Masquerade HOWTO for relatively detailed documentation
of the capabilities and limitations of Linux masquerade NAT (including
the port forwarding for incoming sessions).


Note: The Linux-2.4 netfilter NAT capabilities are a huge leap forward
compared to the ipchains/ipfwadm capabilities.

Regards
Henrik Nordström