Netgear RP614 leaking - Networking

This is a discussion on Netgear RP614 leaking - Networking ; Mark Hobley a écrit : > Pascal Hambourg wrote: > >>As I said, it keeps track of outgoing packets. Incoming packets matching >>an outgoing packet are forwarded to the original sender. > > Ok. That makes sense. However, I am ...

+ Reply to Thread
Page 3 of 3 FirstFirst 1 2 3
Results 41 to 44 of 44

Thread: Netgear RP614 leaking

  1. Re: Netgear RP614 leaking

    Mark Hobley a écrit :
    > Pascal Hambourg wrote:
    >
    >>As I said, it keeps track of outgoing packets. Incoming packets matching
    >>an outgoing packet are forwarded to the original sender.

    >
    > Ok. That makes sense. However, I am not sure whether that behaviour is always
    > desireable. Not all UDP packets require a reply, and looking quickly at
    > the UDP header layout, there are no flags to determine whether or not a reply
    > is desirable. If the remote host sends a UDP datagram (reply) to a host
    > on the network following receipt of a UDP datagram from the host on the
    > network, presumeably the UDP reply will be forwared to the local station,
    > regardless of whether or not this was expected.


    Indeed, UDP connection tracking and stateful NAT is primarily designed
    for session-oriented bidirectionnal (i.e. TCP-like) UDP flows.

    > I am wondering whether this gives a remote host the possibility of
    > connecting to an internal UDP service on a local machine, because the
    > local machine send a UDP message to the remote host seconds earlier.
    >
    > Say for example, a local station behind the router runs two unrelated
    > services, foo and bar.
    >
    > foo is an internal service that is used on the LAN that sends out
    > password information on receipt of a UDP datagram on port 10000.
    >
    > bar is an unrelated service that sends a UDP datagram to remotehost,
    > for example a time signal.
    >
    > Say remotehost has been configured to send a UDP password request to
    > port 10000, on receipt of a time signal.
    >
    > As service bar sends out the time signal, the router notes that remotehost has
    > recently active UDP activity and can reply to the local station. The
    > remotehost sends out a UDP password request to port 10000. The router
    > receives this and forwards the password request to the local station (or
    > does it know better?) The local station receives this request and sends
    > the password to remotehost as requested.
    >
    > Could this happen or are there additional steps that the router takes to
    > prevent this from happening?


    It depends on the design of the stateful UDP NAT, and what kind of
    packet is considered to be a reply. There are many variations in NAT
    behaviour ; some of them are described in RFC 2663 and 3489.

    There are more or less restrictive definitions of a UDP reply packet. A
    less restrictive definition is that an incoming UDP packet must match
    only the source and destination addresses of an outgoing UDP packet. A
    more restrictive definition is that it must match the source and
    destination addresses and ports. So a packet sent to port 10000 won't be
    considered as a reply to a packet sent from a different port. The
    connection tracking, and thus the stateful NAT, performed by
    Netfilter/iptables in Linux behaves this way. I don't know for sure, but
    my guess is that most SOHO routers behave the same way, because doing
    otherwise may have issues with multiple hosts being masqueraded behind a
    single external address.

  2. Re: Netgear RP614 leaking

    On Sep 20, 7:05*pm, markhob...@hotpop.donottypethisbit.com (Mark
    Hobley) wrote:

    > I am wondering whether this gives a remote host the possibility of
    > connecting to an internal UDP service on a local machine, because the
    > local machine send a UDP message to the remote host seconds earlier.


    Who cares? If this is not desired, then some security policy or
    firewall would prevent it.

    > Say for example, a local station behind the router runs two unrelated
    > services, foo and bar.
    >
    > foo is an internal service that is used on the LAN that sends out
    > password information on receipt of a UDP datagram on port 10000.
    >
    > bar is an unrelated service that sends a UDP datagram to remotehost,
    > for example a time signal.
    >
    > Say remotehost has been configured to send a UDP password request to
    > port 10000, on receipt of a time signal.
    >
    > As service bar sends out the time signal, the router notes that remotehost has
    > recently active UDP activity and can reply to the local station. The
    > remotehost sends out a UDP password request to port 10000. The router
    > receives this and forwards the password request to the local station (or
    > does it know better?) The local station receives this request and sends
    > the password to remotehost as requested.
    >
    > Could this happen or are there additional steps that the router takes to
    > prevent this from happening?


    NAT is *NOT* a security scheme. It's a way to provide access, not to
    restrict it.

    If you want to prevent connectivity, you need firewalls and access
    rules.

    This is a very common misunderstanding. NAT often prevents outside
    machines from reaching inside machines as an accidental side-effect.
    It's much the same way that switches keep some machines from seeing
    packets sent by other machines. It cannot be relied upon because it is
    not reliable.

    NAT is not a security policy.

    DS

  3. Re: Netgear RP614 leaking

    David Schwartz wrote:

    > Who cares? If this is not desired, then some security policy or
    > firewall would prevent it.


    So a hardware firewall router would have the facility to address this
    issue, whereas a conventional broadband router does not?

    Mark.

    --
    Mark Hobley,
    393 Quinton Road West,
    Quinton, BIRMINGHAM.
    B32 1QE.

  4. Re: Netgear RP614 leaking


    Mark Hobley wrote:

    > David Schwartz wrote:


    > > Who cares? If this is not desired, then some security policy or
    > > firewall would prevent it.


    > So a hardware firewall router would have the facility to address this
    > issue, whereas a conventional broadband router does not?


    Some broadband routers might have this kind of capability. But in
    general, they default to allowing all traffic that might be wanted.
    This is generally true despite their misleading statements about their
    default policy or device capabilities. They get complaints when things
    don't work.

    NAT is sometimes an accidental firewall, it might happen to stop an
    attack, and that's great. But only an actual firewall is a *reliable*
    firewall. You cannot rely on NAT to block a packet, since NAT tries
    its best to get the packets through.

    DS

+ Reply to Thread
Page 3 of 3 FirstFirst 1 2 3