Security Threats for the NATFW NSLP

1
Security Threats for the NATFW NSLP

• draft-fessi-nsis-natfw-threats-01.txt
• Fessi, Stiemerling, Thiruvengadam, Tschofenig,
  Aoun
• IETF 60

2
Overview

• Identifies threats to NATFW NSLP
• List different types of attacks
• Limited to NSLP issues only
• Gives security requirements, but no solutions for
  protocol yet
• Analysis based on draft-ietf-nsis-nslp-natfw-02.tx
  t
• Analysis covered all messages except
• TRIGGER
• NOTIFY
• QUERY

3
Attacks analysed

• Authentication and authorization
• Denial of service
• Man in the Middle
• Message Modification
• Session Hijacking
• Modification and deletion
• Misuse of unreleased NSLP sessions
• Eavesdropping and traffic analysis
• Data traffice modification
• Considered but not specific to NSLP only

4
Authorization and Authentication

• Example Receiver behind Firewall
• NI is outside the protected network
• Problems
• Forwarding message from unknown host/firewall
• Possibly installing policy rules (spending
  resources)
• No way of binding authorization to IP addresses
  (NAT!)

?
Data Receiver (NR)
Firewall (NF)
Data Sender (NI)
Protected Network
5
Conclusion

• Security threats analysed
• Security requirements given
• Further steps
• Please READ and give comments
• Develop security solution for NATFW NSLP