CGN fixed/hashed nat question

William Herrin bill at herrin.us
Wed Jan 23 13:22:06 UTC 2013


On Tue, Jan 22, 2013 at 4:52 PM, Dan Wing <dwing at cisco.com> wrote:
> draft-donley-behave-deterministic-cgn provides that functionality in
> an attempt to help randomize ports (see RFC6056).  However, because
> the ports are fixed and there are relatively few ports, an attacker
> can determine the ports by causing the victim to open a bunch
> of TCP connections.  This can be done by a bunch of "img src" tags
> in an HTML-encoded email message, among other mechanisms.  If the
> hashing causes no logging, it creates a new requirement for a strong
> audit trail of the CGN configuration.

I thought this was desirable behavior for a CGN since effective port
prediction facilitates p2p NAT traversal?

Bear in mind that Windows XP uses a dynamic port range between 1024
and 5000 and allocates them linearly. Small range and trivially
predictable. Were it practical to use this knowledge for much more
than denial of service I tend to think we'd have noticed by now.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
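Added example, not part of the thread or of any CGN implementation: a small Python model of the deterministic, per-subscriber port-block assignment that draft-donley-behave-deterministic-cgn describes, showing the two sides of the point made above. Because each inside address's external port block follows from the configuration alone, the ports are predictable without any per-session state; for the same reason, an operator can map an external IP:port back to a subscriber without per-flow logs, which is exactly why the CGN configuration itself needs a strong audit trail. The sequential "offset times block size" layout, the prefix, outside address and port range are all constructed sample values and a simplification of the draft, not its exact algorithm.

```python
"""
Model of deterministic CGN port-block assignment (constructed example).

Assumptions (not from the thread): the CGN splits its external port range
evenly among the inside addresses of one prefix, and the block for an
inside address is chosen by that address's offset within the prefix.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class DeterministicCgn:
    inside_prefix: ipaddress.IPv4Network   # subscribers sharing this CGN
    outside_ip: ipaddress.IPv4Address      # shared public address
    port_range_start: int                  # first external port handed out
    port_range_end: int                    # last external port (inclusive)

    @property
    def ports_per_subscriber(self) -> int:
        """Fixed block size: total usable ports divided by subscriber count."""
        total = self.port_range_end - self.port_range_start + 1
        return total // self.inside_prefix.num_addresses

    def block_for(self, inside_ip: str) -> Tuple[int, int]:
        """External (first_port, last_port) for an inside address.

        Nothing here depends on traffic; the result is computable by anyone
        who knows the configuration, which is the predictability concern.
        """
        ip = ipaddress.IPv4Address(inside_ip)
        if ip not in self.inside_prefix:
            raise ValueError(f"{ip} is not behind this CGN")
        offset = int(ip) - int(self.inside_prefix.network_address)
        first = self.port_range_start + offset * self.ports_per_subscriber
        return first, first + self.ports_per_subscriber - 1

    def subscriber_for(self, external_port: int) -> str:
        """Reverse lookup for abuse/audit requests: no per-flow log needed.

        The answer is only as trustworthy as the record of which
        configuration was active at the time in question.
        """
        if not (self.port_range_start <= external_port <= self.port_range_end):
            raise ValueError(f"port {external_port} outside CGN range")
        offset = (external_port - self.port_range_start) // self.ports_per_subscriber
        if offset >= self.inside_prefix.num_addresses:
            raise ValueError(f"port {external_port} is in unassigned slack")
        return str(self.inside_prefix.network_address + offset)


def audit_roundtrip(cgn: DeterministicCgn) -> bool:
    """Check that every assigned external port maps back to exactly the
    inside address whose block contains it (consistency of the mapping)."""
    for host in cgn.inside_prefix:
        first, last = cgn.block_for(str(host))
        for port in (first, last):
            if cgn.subscriber_for(port) != str(host):
                return False
    return True


# Constructed sample configuration: 256 subscribers share one public address.
SAMPLE_CGN = DeterministicCgn(
    inside_prefix=ipaddress.IPv4Network("100.64.0.0/24"),
    outside_ip=ipaddress.IPv4Address("203.0.113.5"),
    port_range_start=1024,
    port_range_end=65535,
)


if __name__ == "__main__":
    cgn = SAMPLE_CGN
    print("ports per subscriber:", cgn.ports_per_subscriber)
    print("block for 100.64.0.10:", cgn.block_for("100.64.0.10"))
    print("who held", cgn.outside_ip, "port 3600:", cgn.subscriber_for(3600))
    print("mapping consistent:", audit_roundtrip(cgn))
```

Running the script shows the trade-off in numbers: each subscriber's outbound connections are confined to a block of 252 ports instead of being spread over the whole 64k range that RFC 6056 style randomization would give, and the reverse lookup answers an abuse request from configuration alone. An operator who adopts this scheme should therefore version and timestamp the CGN configuration (prefix, outside address, port range, block size) with the same care normally given to NAT session logs.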