[HECnet] Third Release of Route20 User Mode DECnet Router
Keith Halewood
Keith.Halewood at pitbulluk.org
Mon Oct 12 03:54:07 PDT 2020
The router I have permits ACLs on the NAT/PAT inbound initiation for both UDP and TCP, in addition to general firewall rules, so I technically have no generally open ports for DECnet over UDP/TCP that naughty scanning and attacking people could use easily.
The ad hoc UDP outbound case (DNS for example) works because NAT/PAT will remember the translation performed on the source address and port until an idle timeout occurs (configurable in most routers, around 60 seconds seems usual) even though there's no actual session protocol to determine this. There's usually no guarantee a new session with the same source port will be given the same translation. If you want that, you need to ensure that the port forwarding arrangements you make in configuring NAT/PAT for UDP inbound are bidirectional.
It's not a good idea to configure the UDP session timeout upwards too much, if at all.
Keith
-----Original Message-----
From: owner-hecnet at Update.UU.SE [mailto:owner-hecnet at Update.UU.SE] On Behalf Of Johnny Billquist
Sent: 12 October 2020 09:49
To: hecnet at Update.UU.SE
Subject: Re: [HECnet] Third Release of Route20 User Mode DECnet Router
From my point there is a problem. I know that systems with many users who do not have root access is becoming less common, but for that situation, if you just allow a connection from any port, anyone on such a machine can then make the connection, and get some kind of access to your network. I'm not particularly fond of such an opening up in general.
IP spoofing can be used to just inject packets, but you will normally not get anything back, so it's a bit more limited in use. But there is always compromises. I don't want to go with full blown encryption and so on, nor TCP, so that's an open attack vector for DoS at at least. But if someone wants to DoS HECnet then fine. Nobody will die if HECnet isn't working for a while. The bridge also rate limits packets, so they will not be able to kill my local ethernet.
And the point of the NAT changing port numbers on packets is that it does it in both directions. If it were to do it in only one direction, it have broken network connectivity in general, and nothing works anymore. I doubt that is very common. So no, I would say that normally, with the '*' prefix, your traffic will then work just as expected.
(Think of a simple thing like DNS. It uses UDP, sends out queries and expects packets back on the same port. NAT can certainly sit between, and change the source port of outgoing packets, but it then have to also change the destination port on incoming packets, so that in the end, for both sides, it appears as if the NAT thing wasn't there, or else you wouldn't even have DNS).
Johnny
On 2020-10-12 04:21, Thomas DeBellis wrote:
> Yes, I thought about the security very carefully and decided that,
> depending on the failure, there is no increase in attack surface and
> no increase in the ramifications of failure mode as a result of attack.
>
> In the case of a machine being NAT'ed and behind a firewall, it is
> only going to get packets forwarded for a particular port, so there is
> no change in attack surface of the Internet facing IP address.
>
> By the time the packet gets to the attacked machine, assuming there
> are no other external ports being forwarded and you are still
> restricting on IP address, then the traffic is likely coming from one
> place and therefore that control remains as good as it was; no
> comments on how 'good' good is... What I'm trying to say here is that
> if an attacker is going to lie about the port, you really can't rule out an IP spoof.
>
> So all regular operation does is raise the bar; it is no (and can be
> no) guarantee.
>
> The problem with the '*' prefix is that if you sent the packets back
> with a corrupted received port, then they effectively vanish because
> the transmitting firewall has only been configured with a forwarding
> rule for a particular port. The '$' prefix forces the received port to
> get overwritten with the configured port if it is corrupted; counts
> are tallied either way; I also save the last overwritten port.
>
> The thing to do would have been to snoop the traffic on the local
> Ethernet from another machine to see what the actual port was; this
> would rule out any kind of OS corruption. However, I think that
> unlikely because one of the things I tried was compiling and running
> the bridge under Linux and Mac OS X which have slight different bpf
> interfaces. Swift did find some minor things to become annoyed about
> which gcc did not comment on; nothing of any real significance.
>
> Naturally since I put in the extra code, it's been fine... Maddening.
>
> I personally had never seen such port smashing before, but I don't
> remember how long I've been doing port forwarding and to what extent.
> Any server that is listening on a port will never see packets with
> smashed ports. However, usually what I run is IPsec to trusted sites
> because I don't want NAT'ing getting in the way.
>
>> ---------------------------------------------------------------------
>> --- On 10/11/20 7:24 PM, Johnny Billquist wrote:
>>
>> While I don't think we ever figured out what was changing ports, it
>> is a well known behavior of NAT routers that the can change the
>> source port of UDP packets. It is often possible to configure things
>> in such a way that it don't happen, but you need to know where it
>> happens first, before that can be done.
>>
>> I actually have had, for many years, a solution in the bridge to work
>> around this, if ever needed because it is outside of the control of
>> either party. I thought I had mentioned it, but maybe I haven't.
>> The character '*' before a hostname means that the entry will accept
>> packets from any port from the remote machine, and packets sent back
>> will be sent to the same port packets are coming in on.
>>
>> But it's a noticeable decrease of security that I'm not too happy
>> about, so I tend to try and make people figure out how to configure
>> their NAT first.
>>
>> Johnny
>>> --------------------------------------------------------------------
>>> ---- On 2020-10-11 22:39, Thomas DeBellis wrote:
>>>
>>> That reminds me of something else. I had been using Johnny's bridge
>>> for a number of months, when all of the sudden, I got some decidedly
>>> odd behavior.
>>>
>>> While my router was dutifully forwarding the correct port to the
>>> right machine, by the time the bridge got a hold of the port, the
>>> port had gotten overwritten by ... somebody ... Bob and I spent
>>> some trying to figure out what was going on; the typical stuff,
>>> reboot this, re-power that, what has changed? (absolutely nothing!!)
>>>
>>> I couldn't figure it out and after 'a while' became very annoyed
>>> (not that it takes much). I modified the bridge to have a different
>>> prefix character ('$') in the bridge stanza. This causes the bridge
>>> to stomp the correct port in, always. There is some extra logic to
>>> count packets where the port had to be overwritten and display it, Etc.
>>>
>>> So that all worked. And to look at the counts, sometimes an
>>> override is necessary and then there are the other times. Lately, it hasn't, viz:
>>>
>>> 0: purgatorio 0.0.0.0:0 (Rx: 977(1107) Tx: 558 Fw: 419 (Drop rx:
>>> 688)) Active: 1 Throttle: 0(015)
>>> 1: legato aa.bb.cc.dd:_4711_[Ov: 0, Nov: 560, Lst: 0 (Rx:
>>> 558(560)
>>> Tx: 419 Fw: 558 (Drop rx: 2)) Active: 1 Throttle: 0(167)
>>>
>>> I doubt anybody else has ever had this, but if you do, then speak
>>> up. Meanwhile, I'll get my changes back to Johnny.
>>>
>>>> -------------------------------------------------------------------
>>>> -----
>>>>
>>>>
>>>> This reminds me - I had ROUT20 on Hecnet for months - first on
>>>> Linux then on FreeBSD - worked great with Bob Armstrong at the other end.
>>>> I took it off due to reasons I do not remember fully - but was
>>>> probably when Bob discovered something when we were trying DDCMP ...
>>>> maybe Bob or Paul remembers more?
>>>>
>>>>
>>>> To be honest, I have never actually looked at PyDECnet! But I
>>>> should again acknowledge that you have provided me with invaluable
>>>> help and insight.
>>>> ---
>>>> Supratim Sanyal, W1XMT
>>>> 39.19151 N, 77.23432 W
>>>> QCOCAL::SANYAL via HECnet
>>>>
>>>>> ------------------------------------------------------------------
>>>>> ------
>>>>>
>>>>> On 10/10/20 4:50 PM, Paul Koning wrote:
>>>>>
>>>>> I'll have to look at your work, have not done that in a long time.
>>>>>
>>>>> My 2 cents worth: we're aiming at different things. I set out to
>>>>> build a full DECnet implementation in Python, with emphasis on
>>>>> supporting all the parts of the architecture in a very
>>>>> straightforward way. Efficiency was very much a secondary
>>>>> consideration. As it happens, the performance is not bad,
>>>>> adequate for a lot of purposes.
>>>>>
>>>>> A C based implement such as you did is somewhat harder to write,
>>>>> but much more efficient. For anyone who is running on a slow
>>>>> machine, or under heavy load, your work is likely to be the right
>>>>> answer. Also, of course, if you want to run on a machine where
>>>>> Python is not available or not efficient.
>>>>>
>>>>> paul
>>>>>> -----------------------------------------------------------------
>>>>>> -------
>>>>>>
>>>>>> On Oct 10, 2020, at 5:11 AM, Rob
>>>>>> Jarratt<robert.jarratt at ntlworld.com> wrote:
>>>>>>
>>>>>> Hello Everyone,
>>>>>> As some of you may be aware, I have been writing my own DECnet
>>>>>> router. Since the last formal release a few years ago I have
>>>>>> added a few things, the details are
>>>>>> herehttps://github.com/rjarratt/Route20. These were all on the
>>>>>> Dev branch, which I know a few people have tried. I have been
>>>>>> running the Dev branch for a long time myself, so I am sure it is stable.
>>>>>> All I have done really is make the current Dev branch “official”
>>>>>> by merging it to the master branch.
>>>>>> I know Paul has been much more active than me lately on this
>>>>>> front, so I am probably a bit behind, but if anyone would like to
>>>>>> take a look that would be great.
>>>>>
>>>>>
>>
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol
More information about the Hecnet-list
mailing list