
RE: peer address protection and NAT Traversal

> -----Original Message-----
> From: owner-ipsec@xxxxxxxxxxxxxxxxx
> On Behalf Of Charlie_Kaufman@xxxxxxxxxxxxxxxx
> So what I'd like to propose is that IPsec SAs *not* try to survive
> mid-connection NAT renumberings. That an IP address and UDP port be

Mobile IP people may not like this very much at all.

> I'm out of my depth here. What do existing implementations do? Do they
> support mid-connection renumbering or are they subject to the DOS
> Is there a known better fix?

We support recovery from floated NAT entries and this is what we do.

We use a three-way handshake to exchange the information required for
NAT traversal. This significantly reduces the potential threat mentioned
by Francis, but does not completely eliminate it.

A better solution IMHO would be:

To protect 100% against the attack mentioned by Francis, NAT vendors
could put in a mechanism by which those behind the NATs can query the NAT
WAN interface address. Then the devices behind the NAT can compare this
address with the address perceived by the remote sites (echoed back
securely) and completely neutralize these attacks. This is true only if
there is one NAT in between, and I think that is true for the majority of
cases.

In lieu of this, one can make multiple queries to several sites and
check them for consistency. This is a heuristic approach and only
reduces the threat, but does not eliminate it.

>           --Charlie
> Opinions expressed may not even be mine by the time you read them, and
> certainly don't reflect those of any other entity (legal or
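The consistency heuristic from the reply above (several remote sites securely echo back the source address they observe; the host behind the NAT checks that the answers agree and, when it can query the NAT, that they match its WAN interface address), as an added example that is not part of the original post. It assumes a pre-shared HMAC key per site and a fresh per-query nonce for replay protection; site names, keys and addresses are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Echo:
    site: str
    nonce: bytes      # client's fresh nonce, binds the echo to this query
    observed: tuple   # (ip, port) the remote site saw as our source
    mac: bytes        # HMAC over nonce and observed address


def _mac(key, nonce, observed):
    msg = nonce + f"{observed[0]}:{observed[1]}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_echo(site, key, nonce, observed):
    """Remote site: echo back the observed source address, authenticated."""
    return Echo(site, nonce, observed, _mac(key, nonce, observed))


def verify_echo(key, expected_nonce, echo):
    """Client: accept only a fresh, correctly authenticated echo."""
    if echo.nonce != expected_nonce:
        return False  # stale or replayed answer
    return hmac.compare_digest(echo.mac, _mac(key, echo.nonce, echo.observed))


def check_consistency(keys, nonces, echoes, nat_wan_ip=None):
    """Return (ok, detail). ok only if every echo verifies, all sites agree on
    our external IP and, when the NAT WAN IP is known, it matches as well."""
    seen = {}
    for e in echoes:
        if not verify_echo(keys[e.site], nonces[e.site], e):
            return False, f"unauthenticated or stale echo from {e.site}"
        seen[e.site] = e.observed[0]
    ips = set(seen.values())
    if len(ips) != 1:
        return False, f"sites disagree on external IP: {seen}"
    ext = ips.pop()
    if nat_wan_ip is not None and ext != nat_wan_ip:
        return False, f"peers see {ext} but NAT WAN interface is {nat_wan_ip}"
    return True, ext


def demo():
    """Constructed sample: two sites agree, a third reports a different address."""
    keys = {"site-a": b"key-a", "site-b": b"key-b", "site-c": b"key-c"}
    nonces = {s: hashlib.sha256(s.encode()).digest() for s in keys}  # one per query
    echoes = [make_echo(s, keys[s], nonces[s], (ip, 4500)) for s, ip in
              zip(keys, ("203.0.113.7", "203.0.113.7", "198.51.100.9"))]
    return check_consistency(keys, nonces, echoes)
```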