IPv4 Reputation Filtering Not a Long-Term Solution

As carriers deploy Large Scale NAT (LSN) reputation filtering will lose its effectiveness

As public IPv4 addresses become more scarce, multiple-layers of NAT will be required to sustain the Internet for years to come. Use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications. Today there are many security filtering systems that use lists of public IPv4 addresses to identify "undesirable" hosts on the Internet. As more ISPs deploy LSN systems the effectiveness of these IPv4 filtering systems will diminish.

Can Large Scale NAT Save IPv4?

During the dawn of the Internet hosts created lists of legitimate hosts. Computers used static lists of public IPv4 addresses within their /etc/hosts files to enable IP communications. You could think of these as the first "white lists" of their era. When DNS servers were introduced and many hosts were added to the Internet it made it virtually impossible to know all valid hosts. Not even Santa Claus has a list large enough to keep track of all the naughty and nice IPv4 addresses. However, my son presumes that today Santa uses custom software and optimized databases to keep track of the world's children.

Some of the first lists of "bad-behaving" Internet hosts were those lists of e-mail servers that were forwarding E-mail for domains other than their own. These servers that were functioning as spam relays were placed onto a list that other e-mail servers would use to help detect and block spam messages. If your company's e-mail server's IP address got on one of these lists you may not be able to send e-mails and it could take some effort to get your IP address removed from the lists. These early block lists evolved into DNS-based BlackLists (DNSBLs) where a host would perform a DNS query to determine if a mail server was acting as a spam relay.

These solutions create a list of IPv4 addresses of the "known bad guys" and provide these as a subscription service to customers who use these lists to block inbound or outbound connections to these Internet systems. There are several different methods for coming up with a numerical reputation score of a public IP address.

Cisco's reputation algorithm creates a score between -10.0 and +10.0 using over "200 aggregated and weighted parameters". TrustedSource, by CipherTrust/McAfee, uses a complex algorithm and real-time data about a site's trustworthiness. Other algorithms create numerical scores of reputation by analyzing a sites longevity, cleanliness, company stability, DNSSEC, community input, search engine ratings, among other values. Customers of the reputation subscription can configure policy based on the reputation score, geography, protocol type, and OSI Layer 8 and 9 information (politics/religion/money/preference).

There are many reputation filtering vendors on the market and more being offered every quarter. Cisco IronPort uses reputation filters for both filtering e-mail and client web requests. Cisco IPSs can use reputation filters to detect and block connections. Cisco's Botnet Traffic Filter on their ASA firewalls uses a list to determine public IP addresses of botnet command-and-control systems. HP TippingPoint Digital Vaccine uses their own reputation system. Traditional AV suite vendors (Symantec, McAfee, Trend Micro, AVG, Sophos, and others) also use reputation scores in their software. Microsoft's Forefront Threat Management Gateway (TMG) 2010 uses reputation filters as well.

Generally-speaking, these reputation filtering systems make the assumption that a single IP address is a single end-system. In actuality, multiple web sites can all be hosted on a single web server's IP address. This could occur with virtual-hosting configured, using a reverse proxy server, a Server Load Balancing (SLB) system or a NAT. These systems break down when a single web server running multiple web pages on different TCP port numbers. One site could be completely legitimate and another site could be riddled with malware waiting to infect any visitor. If any malware is hosted only on only a portion of a legitimate site then that entire site's IP address is then added to the bad-reputation list. If the single IP address got onto a block list then the legitimate site would suffer. Malware typically is only hosted on a web site for a few hours before it is detected and removed. However, the IP address can appear on the reputation filter for many days. This could lead to either an accidental or intentional DoS attack if your server's IP address gets on the bad-reputation list. This situation could exist if your server was using either IPv4 or IPv6.

Recent news about the IPv4 global address pool depletion have quickened the pulse of Internet service providers around the globe. Service providers realize that they will need to support IPv4 for decades to come and one of the methods they could use is Large Scale NAT (LSN). Customers would not be issues public IPv4 addresses but rather private IPv4 addresses and the carrier's backbone would use these private IPv4 addresses. The Large Scale NAT system would translate these private IPv4 addresses used by subscribers into a pool of public IPv4 addresses that could communicate with the Internet (i.e. NAT444). However, when a service provider deploys a LSN it will cause problems for many of its customers. The customers that are behind a LSN system will experience higher latency due to the fact that all their traffic will be back-hauled through the LSN device. Any application with an embedded IPv4 address could experience significant difficulties. It would be impossible for content providers to perform geolocation and could make Geographical Server Load Balancing (GSLB) less functional.

The use of LSN will cause significant problems for the reputation filters. If a single IPv4 address from a LSN public address pool makes its way onto a bad reputation filter list then this would mean that any organization using that reputation system could have their legitimate communications blocked. Therefore, IPv4 reputation filtering becomes less effective with multiple layers of NAT. Depending on when the larger ISPs deploy their LSN systems will dictate the longevity of these IPv4 reputation filtering systems. Reputation filtering systems can start to use IPv6 addresses and keep track of legitimate and malicious node's IPv6 addresses. Because IPv6 was intended to function without any NAT and all hosts would use public IPv6 addresses then reputation filtering won't suffer these LSN problems if they use IPv6.

Scott

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10