Saturday, September 4, 2010

LSN A+P Q&A

In A+P mode, why does the CPE need to send NATted packets to the provider box (PRR or LSN)?
This is mainly for security reasons. You cannot assume that all CPEs are good citizens. In A+P, one public IPv4 address is assigned to multiple CPE devices, each with a different port range to use for source-port NAT. If a rogue or misbehaving CPE uses source ports outside its assigned range, it can disrupt the traffic of another CPE sharing the same address. To ensure this does not happen, all packets are sent to a centralized box in the provider network. The provider box validates the source port of every outgoing connection from the CPE and transmits the packet to the Internet only if the source port is one of the ports assigned to that CPE. The provider box (PRR) maintains a table mapping each CPE's IPv6 address (the source address of the tunnel the CPE uses) to its allocated ports, and consults this table to validate the source port of each connection.

Can a rogue CPE mount a DoS attack on another CPE if the rogue CPE knows the IPv6 address and the port allocation of the victim CPE?

In theory, it is possible. The rogue CPE may not be able to get hold of the victim CPE's traffic, but it can mount a DoS attack. The rogue CPE can disable some portion of the victim CPE's communication by using up all of its ports. I believe it is necessary that each CPE authenticate itself to the PRR before sending traffic over the IPv6 tunnel. That is not there today, but in my view it is natural to expect.

One proposal I saw can make this DoS attack more difficult. If the PRR assigns random ports to the CPE rather than a fixed range, it becomes harder for a rogue CPE to determine the exact ports used by other CPEs.
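The PRR-side check described in the first answer, together with the randomized-allocation proposal above, as an added example that is not part of the original post. It parses a constructed IPv4-in-IPv6 packet, looks up the outer IPv6 source in the PRR table, and forwards only if the inner TCP/UDP source port belongs to that CPE. One CPE gets a fixed range, the other a randomized port set. The addresses, allocations and packets are all constructed for illustration; checksums are left zero because the check does not depend on them.

```python
"""Model of the A+P port validation a PRR performs (added example, constructed data)."""
import ipaddress
import random
import struct
from dataclasses import dataclass

SHARED_IPV4 = "198.51.100.7"   # public IPv4 shared by several CPEs (assumed)
PRR_ADDR = "2001:db8:1::1"     # tunnel endpoint on the provider side (assumed)


@dataclass(frozen=True)
class Allocation:
    ports: frozenset           # ports this CPE may use as NAT source ports


def range_allocation(lo, hi):
    """Fixed, contiguous range: simple but easy for a rogue CPE to guess."""
    return Allocation(frozenset(range(lo, hi + 1)))


def random_allocation(count, rng, reserved):
    """Randomized set drawn from 1024-65535, disjoint from `reserved`."""
    pool = [p for p in range(1024, 65536) if p not in reserved]
    return Allocation(frozenset(rng.sample(pool, count)))


def build_table():
    """PRR table: tunnel IPv6 source address -> allocation (constructed)."""
    table = {}
    cpe_a = ipaddress.IPv6Address("2001:db8:cafe::10")
    cpe_b = ipaddress.IPv6Address("2001:db8:cafe::20")
    table[cpe_a] = range_allocation(1024, 2047)
    rng = random.Random(2010)  # fixed seed so the example is reproducible
    table[cpe_b] = random_allocation(1024, rng, table[cpe_a].ports)
    return table


def allocated_ports(table, cpe):
    return sorted(table[ipaddress.IPv6Address(cpe)].ports)


def ipv4_in_ipv6(src6, dst6, sport, dport, proto=6):
    """Build outer IPv6 (next header 4) + inner IPv4 + L4 ports, as the CPE would."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # rest of a 20-byte TCP header
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(SHARED_IPV4).packed,
                        ipaddress.IPv4Address("203.0.113.80").packed) + l4
    outer = struct.pack("!IHBB16s16s", 0x60000000, len(inner), 4, 64,
                        ipaddress.IPv6Address(src6).packed,
                        ipaddress.IPv6Address(dst6).packed)
    return outer + inner


def prr_validate(packet, table):
    """Return (forward, reason). Forward only if the tunnel source is known and
    the inner source port is one of the ports allocated to that CPE."""
    if len(packet) < 40:
        return False, "short outer header"
    _, payload_len, next_hdr, _, src6, _ = struct.unpack("!IHBB16s16s", packet[:40])
    if next_hdr != 4:
        return False, "not IPv4-in-IPv6"
    cpe = ipaddress.IPv6Address(src6)
    alloc = table.get(cpe)
    if alloc is None:
        return False, "unknown tunnel source"
    inner = packet[40:40 + payload_len]
    if len(inner) < 20:
        return False, "short inner header"
    ver_ihl, _, _, _, _, _, proto, _, src4, _ = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return False, "bad inner IPv4 header"
    if ipaddress.IPv4Address(src4) != ipaddress.IPv4Address(SHARED_IPV4):
        return False, "inner source is not the shared address"
    if proto not in (6, 17):
        return False, "only TCP/UDP carry A+P ports"   # ICMP etc. need a separate rule
    (sport,) = struct.unpack("!H", inner[ihl:ihl + 2])
    if sport not in alloc.ports:
        return False, f"source port {sport} not allocated to {cpe}"
    return True, "forward"


if __name__ == "__main__":
    table = build_table()
    for src, port in [("2001:db8:cafe::10", 1500), ("2001:db8:cafe::10", 3000),
                      ("2001:db8:cafe::20", 1500), ("2001:db8:cafe::99", 1500)]:
        print(src, port, prr_validate(ipv4_in_ipv6(src, PRR_ADDR, port, 443), table))
```

Note what the check does not do: it keys on the outer IPv6 source address, so a packet whose outer source is spoofed to the victim's address and whose port is in the victim's allocation passes exactly like the victim's own traffic. That is the gap the tunnel authentication discussed below is meant to close; the randomized set only makes the victim's ports harder to guess.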

Having said that, a rogue CPE can, if it wants, mount a DoS attack that uses up the ports of other CPE devices if it knows their IPv6 addresses. So it is good to have authentication support built into the creation of the IPv6 tunnel.

I personally believe that IPsec IPv6 tunnels with IKEv2 would be the right fit. This increases the processing requirements, but it is secure. IPsec allows transport of IPv4 packets over the IPv6 tunnel in addition to IPv6 packets. It provides not only authentication of the CPE device but also protects the traffic between the CPE device and the PRR. It can also retain the QoS characteristics of the different packets between the CPE and the LSN. If confidentiality is not required, ESP with NULL encryption and only an integrity algorithm (authentication-only ESP) can be used, which is less expensive in terms of computation on the LSN device.
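What that tunnel looks like in a concrete configuration, as an added example that is not from the original post: a strongSwan swanctl.conf fragment for the CPE side, assuming strongSwan as the IKEv2 implementation and with all addresses, identities and certificate file names made up for illustration. IKEv2 runs between the CPE's and the PRR's IPv6 addresses, the CHILD_SA carries the CPE's NATted IPv4 traffic in tunnel mode, and the CPE authenticates with a certificate, so the PRR knows which CPE owns the tunnel before applying the A+P port check.

```conf
# swanctl.conf on the CPE (added example; addresses, identities and file
# names are assumed, not taken from the post).
connections {
    aplusp {
        version = 2                        # IKEv2
        local_addrs  = 2001:db8:cafe::10   # CPE tunnel source address
        remote_addrs = 2001:db8:1::1       # PRR / LSN tunnel endpoint
        proposals = aes256-sha256-ecp256   # IKE SA protection

        local {
            auth  = pubkey
            certs = cpe-0010.pem           # device certificate: authenticates the CPE
            id    = cpe-0010.example.net
        }
        remote {
            auth = pubkey
            id   = prr.example.net
        }

        children {
            v4-over-v6 {
                mode = tunnel
                local_ts  = 0.0.0.0/0      # all IPv4 traffic after the CPE's own NAT
                remote_ts = 0.0.0.0/0
                # Authentication-only ESP when confidentiality is not needed:
                # NULL encryption with HMAC-SHA-256 integrity.
                esp_proposals = null-sha256
                # To protect the payload as well, use an AEAD instead, e.g.
                # esp_proposals = aes128gcm16
                start_action = start
            }
        }
    }
}
```

With `null-sha256` the PRR still verifies the integrity of every tunneled packet and ties it to the authenticated CPE, which is what stops the spoofed-source DoS described above; switching to an AEAD proposal adds confidentiality at the cost of more per-packet work on the LSN.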

In 3GPP, Femto Access Points (CPE devices) already have an IPsec tunnel with IKEv2 to a Security Gateway (SeGW). The same tunnel can be used to transport IPv4 packets to the SeGW, if the SeGW is equipped with the PRR and LSN functionality.

Are there any CPE devices or smartphones supporting LSN and A+P functionality?

I don't have this information. I saw some Internet postings from Android-based phone vendors asking about LSN, so I believe it is on vendors' radar, but I am not sure whether anybody has solutions in the market. As I indicated in my last post, Cisco has LSN functionality on the service provider side in their portfolio. A10 Networks also has some service provider boxes supporting LSN.

2 comments:

Karthik said...

What are the "A" and the "P" in the "A+P" solution? By the way, your articles are very nice and very informative.

Srini said...

Address + Port.

Srini