CGN fixed/hashed nat question
bill at herrin.us
Wed Jan 23 13:22:06 UTC 2013
On Tue, Jan 22, 2013 at 4:52 PM, Dan Wing <dwing at cisco.com> wrote:
> draft-donley-behave-deterministic-cgn provides that functionality in
> an attempt to help randomize ports (see RFC6056). However, because
> the ports are fixed and there are relatively few ports, an attacker
> can determine the ports by causing the victim to open a bunch
> of TCP connections. This can be done by a bunch of "img src" tags
> in an HTML-encoded email message, among other mechanisms. If the
> hashing causes no logging, it creates a new requirement for a strong
> audit trail of the CGN configuration.

I thought this was desirable behavior for a CGN since effective port
prediction facilitates p2p nat traversal?

Bear in mind that Windows XP uses a dynamic port range between 1024
and 5000 and allocates them linearly. Small range and trivially
predictable. Were it practical to use this knowledge for much more
than denial of service I tend to think we'd have noticed by now.

William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
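As an added illustration (not from the thread, the draft, or any vendor's CGN), here is a simplified sequential deterministic mapping of the kind the draft describes, with the forward mapping, the configuration-only reverse lookup that makes the CGN configuration itself the audit record, and the bound on source-port unpredictability that a fixed port block leaves even with RFC 6056 randomization. The inside prefix, outside pool, reserved-port count and block sizes are constructed values.

```python
import ipaddress
import math

# Constructed CGN configuration (documentation ranges, not from the thread or draft).
INSIDE_PREFIX = ipaddress.ip_network("100.64.0.0/22")   # 1024 subscriber addresses
OUTSIDE_POOL = ipaddress.ip_network("203.0.113.0/30")   # 4 public addresses
RESERVED_PORTS = 1024                                   # low ports are never handed out
SUBS_PER_OUTSIDE = INSIDE_PREFIX.num_addresses // OUTSIDE_POOL.num_addresses   # 256
BLOCK_SIZE = (65536 - RESERVED_PORTS) // SUBS_PER_OUTSIDE                        # 252 ports each


def outside_mapping(inside_ip):
    """Map an inside address to its fixed (outside IP, first port, last port).
    Sequential scheme: consecutive subscribers fill one outside address
    block by block before moving on to the next outside address."""
    idx = int(ipaddress.ip_address(inside_ip)) - int(INSIDE_PREFIX.network_address)
    if not 0 <= idx < INSIDE_PREFIX.num_addresses:
        raise ValueError(f"{inside_ip} is not in {INSIDE_PREFIX}")
    outside_ip = OUTSIDE_POOL.network_address + idx // SUBS_PER_OUTSIDE
    first = RESERVED_PORTS + (idx % SUBS_PER_OUTSIDE) * BLOCK_SIZE
    return str(outside_ip), first, first + BLOCK_SIZE - 1


def subscriber_for(outside_ip, port):
    """Reverse an abuse report (outside IP, port) to the inside address using
    only the configuration. No per-session log exists, so the configuration
    history itself is the evidence and is what needs the audit trail."""
    oi = int(ipaddress.ip_address(outside_ip)) - int(OUTSIDE_POOL.network_address)
    if not 0 <= oi < OUTSIDE_POOL.num_addresses:
        raise ValueError(f"{outside_ip} is not in {OUTSIDE_POOL}")
    if port < RESERVED_PORTS or port > 65535:
        raise ValueError(f"port {port} is never assigned by this CGN")
    block = (port - RESERVED_PORTS) // BLOCK_SIZE
    if block >= SUBS_PER_OUTSIDE:  # tail ports left over by the integer division
        raise ValueError(f"port {port} lies in the unassigned tail")
    return str(INSIDE_PREFIX.network_address + oi * SUBS_PER_OUTSIDE + block)


def port_unpredictability_bits(block_size, randomized=True):
    """Upper bound on how unguessable the next source port is. Linear
    allocation (Windows XP style) gives 0 bits once one port is observed;
    RFC 6056 style randomization inside a fixed block gives at most
    log2(block_size), i.e. under 8 bits for a 252-port block."""
    return math.log2(block_size) if randomized else 0.0


if __name__ == "__main__":
    print(outside_mapping("100.64.1.5"))           # ('203.0.113.1', 2284, 2535)
    print(subscriber_for("203.0.113.1", 2300))     # 100.64.1.5
    print(round(port_unpredictability_bits(BLOCK_SIZE), 2))  # 7.98
```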