<html><body>
<p>Riad,<br>
<br>
Thanks for testing this. A number of other readers wrote me privately confirming your result with linux ipchains. I'm not sure what ipchains does when it encounters a collision, but in general I think this is a good strategy. You'd have to have many thousands of simultaneous UDP transactions in order for randomly selected source ports to be colliding frequently enough for it to present a substantial problem. <br>
On the other hand, I've also been contacted by readers who confirm that other devices besides the one imipack mentioned share its behavior. There appears to be room for some research here into what collision avoidance strategies are employed by different NAT devices, what happens to those devices under high load, and what the security implications are. Fortunately, Linux appears to do a good job with this right now, and provides an example approach that NAT vendors can look to. <br>
I'll post more if I have time to dig into this in further detail. <br>
<br>
Regards,<br>
Tom Cross <br>
IBM X-Force <br>
<br>
<p><b>"Riad S. Wahby" &lt;rsw@jfet.org&gt;</b><br>
07/10/2008 11:06 PM<br>
To: Thomas Cross/Atlanta/IBM@IBMUS<br>
cc: full-disclosure@lists.grok.org.uk<br>
Subject: Re: DNS and NAT (was: DNS and CheckPoint)</p>
<br>
<tt>Thomas Cross <tcross@us.ibm.com> wrote:<br>
> We've also been wondering whether NAT devices ought to randomly assign<br>
> UDP source ports, although no NAT vendor that we're aware of has done<br>
> this to date.<br>
<br>
Some quick testing implies that ipchains MASQUERADE-based NAT doesn't<br>
suffer this problem because it preserves the source port.<br>
<br>
My test setup is as follows: call the computer inside the NAT Alice, and<br>
the computer outside Bob. Alice contacts Bob via Trent, a linux-based<br>
router, in my case a DLink DSL-2540B DSL modem / router combo. On<br>
Alice, I run the following:<br>
<br>
( for j in $(seq 1 100); do i=$RANDOM; /bin/echo -n "$i "; echo $i | nc -q 0 -vv -p $i -u <Bob> 5555; sleep 1; done ) &> foo.Alice<br>
<br>
On Bob, I run <br>
<br>
( while true; do nc -vv -l -u -p 5555 -q 0 </dev/null; done ) &> foo.Bob<br>
<br>
At the end, I compare the actual source port in foo.Alice to the<br>
apparent source port in foo.Bob. In my setup, they are always<br>
identical.<br>
<br>
Obviously it is impossible to guarantee that this will always be the<br>
case; in order to identify dangerous corner cases one would have to<br>
consult the ipchains code, but given the relative frailty of the<br>
randomized source port / randomized sequence number solution, for a<br>
small number of computers behind a NAT (e.g., home users) I claim that's<br>
a second-order danger at best.<br>
<br>
In a large production environment where there is a huge amount of NAT<br>
traffic being generated one would do well to consider a solution like<br>
Thomas's suggestion that the servers be moved outside the firewall.<br>
<br>
-=rsw<br>
</tt><br>
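<p>The source-port comparison Riad describes above, and Tom's point about collisions once many UDP mappings are live, as an added example (Python; not code from either poster): it classifies a NAT from (inside port, outside port) pairs of the kind collected in foo.Alice and foo.Bob, and puts numbers on the collision rate a port-randomising NAT would see. The sample pairs, the step tolerance and the 64512-port ephemeral range are assumptions.</p>

```python
"""Added example, not part of the thread: classify a NAT's UDP source-port
behaviour from (inside_port, outside_port) pairs like the ones Riad compared
between foo.Alice and foo.Bob, and estimate port collisions under load.
The thresholds and port range here are assumptions, not measurements."""

EPHEMERAL_PORTS = 65535 - 1024 + 1  # 64512 ports a NAT can hand out (assumed)


def classify_nat(pairs, max_step=16):
    """pairs: [(port Alice sent from, port Bob saw)], in the order sent.
    'preserving'    every outside port equals the inside port (Riad's result)
    'sequential'    outside ports climb by a small step regardless of the
                    inside port, discarding the resolver's randomisation
    'unpredictable' anything else (still worth an entropy check before trusting)
    """
    if all(inside == outside for inside, outside in pairs):
        return "preserving"
    steps = [b[1] - a[1] for a, b in zip(pairs, pairs[1:])]
    # Heuristic: a monotonic climb with small gaps (other flows may take a
    # few ports in between) is the signature of an allocate-in-order NAT.
    if steps and all(0 < s <= max_step for s in steps):
        return "sequential"
    return "unpredictable"


def per_allocation_collision(active_mappings, ports=EPHEMERAL_PORTS):
    """Chance that one freshly randomised port is already taken while
    `active_mappings` UDP mappings are live on the NAT."""
    return min(1.0, active_mappings / ports)


def any_collision_prob(n, ports=EPHEMERAL_PORTS):
    """Birthday bound: probability that n independently randomised ports
    contain at least one duplicate (exact product, no exp approximation)."""
    free = 1.0
    for i in range(n):
        free *= 1 - i / ports
    return 1 - free


if __name__ == "__main__":
    # Constructed sample data, not Riad's real foo.Alice / foo.Bob output.
    preserving = [(p, p) for p in (31021, 4520, 60007, 18493)]
    sequential = [(31021, 1024), (4520, 1025), (60007, 1027), (18493, 1028)]
    for name, data in (("preserving", preserving), ("sequential", sequential)):
        print(f"{name} sample classified as: {classify_nat(data)}")
    for n in (100, 1000, 5000):
        print(f"{n} live mappings: {per_allocation_collision(n):.2%} per new port,"
              f" {any_collision_prob(n):.2%} chance of any duplicate among them")
```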
</body></html>