The router I have permits ACLs on the NAT/PAT inbound initiation for both UDP and TCP, in
addition to general firewall rules, so I technically have no generally open ports for
DECnet over UDP/TCP that naughty scanning and attacking people could use easily.
The ad hoc UDP outbound case (DNS for example) works because NAT/PAT will remember the
translation performed on the source address and port until an idle timeout occurs
(configurable in most routers, around 60 seconds seems usual) even though there's no
actual session protocol to determine this. There's usually no guarantee a new session
with the same source port will be given the same translation. If you want that, you need
to ensure that the port forwarding arrangements you make in configuring NAT/PAT for UDP
inbound are bidirectional.
It's not a good idea to configure the UDP session timeout upwards too much, if at
all.
Keith
-----Original Message-----
From: owner-hecnet at Update.UU.SE [mailto:owner-hecnet at Update.UU.SE] On Behalf Of
Johnny Billquist
Sent: 12 October 2020 09:49
To: hecnet at Update.UU.SE
Subject: Re: [HECnet] Third Release of Route20 User Mode DECnet Router
From my point there is a problem. I know that systems with many users who do not have
root access is becoming less common, but for that situation, if you just allow a
connection from any port, anyone on such a machine can then make the connection, and get
some kind of access to your network. I'm not particularly fond of such an opening up
in general.
IP spoofing can be used to just inject packets, but you will normally not get anything
back, so it's a bit more limited in use. But there is always compromises. I don't
want to go with full blown encryption and so on, nor TCP, so that's an open attack
vector for DoS at at least. But if someone wants to DoS HECnet then fine. Nobody will die
if HECnet isn't working for a while. The bridge also rate limits packets, so they will
not be able to kill my local ethernet.
And the point of the NAT changing port numbers on packets is that it does it in both
directions. If it were to do it in only one direction, it have broken network connectivity
in general, and nothing works anymore. I doubt that is very common. So no, I would say
that normally, with the '*' prefix, your traffic will then work just as expected.
(Think of a simple thing like DNS. It uses UDP, sends out queries and expects packets back
on the same port. NAT can certainly sit between, and change the source port of outgoing
packets, but it then have to also change the destination port on incoming packets, so that
in the end, for both sides, it appears as if the NAT thing wasn't there, or else you
wouldn't even have DNS).
Johnny
On 2020-10-12 04:21, Thomas DeBellis wrote:
Yes, I thought about the security very carefully and
decided that,
depending on the failure, there is no increase in attack surface and
no increase in the ramifications of failure mode as a result of attack.
In the case of a machine being NAT'ed and behind a firewall, it is
only going to get packets forwarded for a particular port, so there is
no change in attack surface of the Internet facing IP address.
By the time the packet gets to the attacked machine, assuming there
are no other external ports being forwarded and you are still
restricting on IP address, then the traffic is likely coming from one
place and therefore that control remains as good as it was; no
comments on how 'good' good is...? What I'm trying to say here is that
if an attacker is going to lie about the port, you really can't rule out an IP
spoof.
So all regular operation does is raise the bar; it is no (and can be
no) guarantee.
The problem with the '*' prefix is that if you sent the packets back
with a corrupted received port, then they effectively vanish because
the transmitting firewall has only been configured with a forwarding
rule for a particular port. The '$' prefix forces the received port to
get overwritten with the configured port if it is corrupted; counts
are tallied either way; I also save the last overwritten port.
The thing to do would have been to snoop the traffic on the local
Ethernet from another machine to see what the actual port was; this
would rule out any kind of OS corruption.? However, I think that
unlikely because one of the things I tried was compiling and running
the bridge under Linux and Mac OS X which have slight different bpf
interfaces.? Swift did find some minor things to become annoyed about
which gcc did not comment on; nothing of any real significance.
Naturally since I put in the extra code, it's been fine... Maddening.
I personally had never seen such port smashing before, but I don't
remember how long I've been doing port forwarding and to what extent.
Any server that is listening on a port will never see packets with
smashed ports.? However, usually what I run is IPsec to trusted sites
because I don't want NAT'ing getting in the way.
> ---------------------------------------------------------------------
> --- On 10/11/20 7:24 PM, Johnny Billquist wrote:
>
> While I don't think we ever figured out what was changing ports, it
> is a well known behavior of NAT routers that the can change the
> source port of UDP packets. It is often possible to configure things
> in such a way that it don't happen, but you need to know where it
> happens first, before that can be done.
>
> I actually have had, for many years, a solution in the bridge to work
> around this, if ever needed because it is outside of the control of
> either party. I thought I had mentioned it, but maybe I haven't.
> The character '*' before a hostname means that the entry will accept
> packets from any port from the remote machine, and packets sent back
> will be sent to the same port packets are coming in on.
>
> But it's a noticeable decrease of security that I'm not too happy
> about, so I tend to try and make people figure out how to configure
> their NAT first.
>
> ? Johnny
>> --------------------------------------------------------------------
>> ---- On 2020-10-11 22:39, Thomas DeBellis wrote:
>>
>> That reminds me of something else.? I had been using Johnny's bridge
>> for a number of months, when all of the sudden, I got some decidedly
>> odd behavior.
>>
>> While my router was dutifully forwarding the correct port to the
>> right machine, by the time the bridge got a hold of the port, the
>> port had gotten overwritten by ... somebody ...? Bob and I spent
>> some trying to figure out what was going on; the typical stuff,
>> reboot this, re-power that, what has changed? (absolutely nothing!!)
>>
>> I couldn't figure it out and after 'a while' became very annoyed
>> (not that it takes much).? I modified the bridge to have a different
>> prefix character ('$') in the bridge stanza.? This causes the bridge
>> to stomp the correct port in, always.? There is some extra logic to
>> count packets where the port had to be overwritten and display it, Etc.
>>
>> So that all worked.? And to look at the counts, sometimes an
>> override is necessary and then there are the other times. Lately, it hasn't,
viz:
>>
>> ??? 0: purgatorio 0.0.0.0:0 (Rx: 977(1107) Tx: 558 Fw: 419 (Drop rx:
>> ??? 688)) Active: 1 Throttle: 0(015)
>> ??? 1: legato aa.bb.cc.dd:_4711_[Ov: 0, Nov: 560, Lst: 0 (Rx:
>> 558(560)
>> ??? Tx: 419 Fw: 558 (Drop rx: 2)) Active: 1 Throttle: 0(167)
>>
>> I doubt anybody else has ever had this, but if you do, then speak
>> up.? Meanwhile, I'll get my changes back to Johnny.
>>
>>> -------------------------------------------------------------------
>>> -----
>>>
>>>
>>> This reminds me - I had ROUT20 on Hecnet for months - first on
>>> Linux then on FreeBSD - worked great with Bob Armstrong at the other end.
>>> I took it off due to reasons I do not remember fully - but was
>>> probably when Bob discovered something when we were trying DDCMP ...
>>> maybe Bob or Paul remembers more?
>>>
>>>
>>> To be honest, I have never actually looked at PyDECnet! But I
>>> should again acknowledge that you have provided me with invaluable
>>> help and insight.
>>> ---
>>> Supratim Sanyal, W1XMT
>>> 39.19151 N, 77.23432 W
>>> QCOCAL::SANYAL via HECnet
>>>
>>>> ------------------------------------------------------------------
>>>> ------
>>>>
>>>> On 10/10/20 4:50 PM, Paul Koning wrote:
>>>>
>>>> I'll have to look at your work, have not done that in a long time.
>>>>
>>>> My 2 cents worth: we're aiming at different things.? I set out to
>>>> build a full DECnet implementation in Python, with emphasis on
>>>> supporting all the parts of the architecture in a very
>>>> straightforward way.? Efficiency was very much a secondary
>>>> consideration.? As it happens, the performance is not bad,
>>>> adequate for a lot of purposes.
>>>>
>>>> A C based implement such as you did is somewhat harder to write,
>>>> but much more efficient.? For anyone who is running on a slow
>>>> machine, or under heavy load, your work is likely to be the right
>>>> answer.? Also, of course, if you want to run on a machine where
>>>> Python is not available or not efficient.
>>>>
>>>> ????paul
>>>>> -----------------------------------------------------------------
>>>>> -------
>>>>>
>>>>> On Oct 10, 2020, at 5:11 AM, Rob
>>>>> Jarratt<robert.jarratt at ntlworld.com>? wrote:
>>>>>
>>>>> Hello Everyone,
>>>>> ? As some of you may be aware, I have been writing my own DECnet
>>>>> router. Since the last formal release a few years ago I have
>>>>> added a few things, the details are
>>>>>
herehttps://github.com/rjarratt/Route20. These were all on the
>>>>> Dev branch, which I know a few people have tried. I have been
>>>>> running the Dev branch for a long time myself, so I am sure it is
stable.
>>>>> All I have done really is make the current Dev branch ?official?
>>>>> by merging it to the master branch.
>>>>> ? I know Paul has been much more active than me lately on this
>>>>> front, so I am probably a bit behind, but if anyone would like to
>>>>> take a look that would be great.
>>>>
>>>>
>
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol