nanog mailing list archives
Re: Security gain from NAT
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Tue, 5 Jun 2007 13:31:53 -0400
On Mon, 04 Jun 2007 22:06:25 -0400 Daniel Senie <dts () senie com> wrote:
At 09:07 PM 6/4/2007, Jason Lewis wrote:I figured SMB would chime in...but his research says it's not so anonymous. http://illuminati.coralcdn.org/docs/bellovin.fnat.pdf
The traffic load on this list is rather high; I've had to flush most of this and other threads....
Give or take NAT boxes / firewalls that specifically have features to mess with the IP ID. The SonicWALL products have, for example, a checkbox that says: "Randomize IP ID".
That's relatively new, and possibly in response to my paper; as of when I wrote it, I couldn't find any vendors that DTRT.
Some vendors apparently have taken measures to ensure methods such as monitoring IP ID are less effective. The paper notes this, and the issues with doing this. So the "not so anonymous" statement above is really "not so anonymous, give or take the implementation of the firewall/NAT".
I suspect there are other information leaks, such as the RFC 1323 timestamps, TCP sequence numbers (for some platforms), port number allocation, etc. Many of these are (or can be) randomized on some platforms, but I don't know of any systematic analysis. I also wonder if some popular web sites' cookies embed the IP address -- possibly encrypted to them, so they can track where you are. I'm 100% that some sites do that for authenticated connections. (On the larger issue, I feel that typical NATs provide no security benefit over typical stateful packet filters. Given other issues -- traceability of attacks, impediments to end-to-end secure connections, the need for special-purpose things like STUN servers, etc. -- I could make a good case that they're a net disadvantage. But I'm on the verge of flushing this thread, so I may not see the responses....) --Steve Bellovin, http://www.cs.columbia.edu/~smb
Current thread:
- Security gain from NAT (was: Re: Cool IPv6 Stuff), (continued)
- Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Joe Abley (Jun 04)
- Re: Security gain from NAT Sam Stickland (Jun 04)
- RE: Security gain from NAT Howard C. Berkowitz (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Owen DeLong (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Colm MacCarthaigh (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Donald Stahl (Jun 04)
- Re: Security gain from NAT Jason Lewis (Jun 04)
- Re: Security gain from NAT Daniel Senie (Jun 04)
- Re: Security gain from NAT Steven M. Bellovin (Jun 05)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) David Schwartz (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Donald Stahl (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Owen DeLong (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) David Schwartz (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) David Schwartz (Jun 05)
- Re: Security gain from NAT Jeff McAdams (Jun 05)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nicholas Suan (Jun 05)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nicholas Suan (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Donald Stahl (Jun 04)